Security experts at Check Point Software Technologies discovered a total of 25 security flaws in popular implementations of the Remote Desktop Protocol (RDP). Sixteen of them have been rated as “major,” and some of the vulnerabilities could be exploited by a malicious RDP server to compromise a device running the client RDP software.
Remote Desktop Protocol (RDP) is a widely adopted protocol for remote administration, but it could dramatically enlarge the attack surface if it isn’t properly managed.
Researchers have focused their analysis on FreeRDP,
“Used by thousands of IT professionals and security researchers worldwide, the Remote Desktop Protocol (RDP) is usually considered a safe and trustworthy application to connect to remote computers,” reads the analysis published by the experts.
“However, Check Point Research recently discovered multiple critical vulnerabilities in the commonly used Remote Desktop Protocol (RDP) that would allow a malicious
The analysis of the open source
Eleven vulnerabilities were considered “major” issues; some of the flaws can be exploited by a rogue RDP server under the attacker’s control to remotely execute code on an RDP client connecting to it.
The situation is better for FreeRDP, the most popular and mature open-source RDP client on GitHub, because the experts discovered only six vulnerabilities, five of which have a major impact.
In this case too, the experts discovered flaws that could allow a rogue RDP server to execute arbitrary code on a client.
This means that anything in the clipboard could be accessed by the attackers, for
“If a client uses the “Copy & Paste” feature over an RDP connection, a malicious RDP server can transparently drop arbitrary files to arbitrary file locations on the client’s computer, limited only by the permissions of the client. For example, we can drop malicious scripts to the client’s “Startup” folder, and after a reboot they will be executed on his computer, giving us full control,” the experts continue.
“Note: In our exploit, we simply killed rdpclip.exe, and spawned our own process to perform the path traversal attack by adding
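The clipboard file transfer described above fails because the client trusts the file names the server supplies. As an added example (not code from Check Point, FreeRDP or any RDP client), this is the kind of containment check a client should apply to a server-supplied clipboard file name before writing it under its drop directory; the drop directory and the sample names are assumptions constructed for illustration.

```python
import os
import re
from typing import Optional

# A leading drive letter, UNC prefix ("\\server\share") or bare separator
# marks an absolute path; the server must never be allowed to choose one.
_ABSOLUTE_PREFIX = re.compile(r"^(?:[A-Za-z]:|\\\\|//|[\\/])")


def sanitize_clipboard_name(remote_name: str) -> Optional[str]:
    """Reduce a server-supplied clipboard file name to a relative path.

    Returns None when the name must be refused: empty names, NUL bytes,
    absolute or UNC paths, and any ".." component in either separator
    style are rejected outright instead of being "cleaned up".
    """
    if not remote_name or "\x00" in remote_name:
        return None
    if _ABSOLUTE_PREFIX.match(remote_name):
        return None
    # The RDP clipboard uses Windows-style names, so treat both separators alike.
    parts = [p for p in remote_name.replace("\\", "/").split("/") if p not in ("", ".")]
    if not parts or any(p == ".." for p in parts):
        return None
    return "/".join(parts)


def resolve_drop_path(drop_dir: str, remote_name: str) -> Optional[str]:
    """Join the sanitized name under drop_dir and confirm that the canonical
    result (symlinks and dot components resolved) is still inside drop_dir."""
    rel = sanitize_clipboard_name(remote_name)
    if rel is None:
        return None
    base = os.path.realpath(drop_dir)
    target = os.path.realpath(os.path.join(base, *rel.split("/")))
    if os.path.commonpath([base, target]) != base:  # containment on canonical paths
        return None
    return target


# Constructed sample of names a malicious server could advertise in a
# clipboard file list; these are illustrative, not data from the research.
SAMPLE_NAMES = [
    "report.docx",
    "invoices\\2018\\q4.pdf",
    "..\\..\\..\\Start Menu\\Programs\\Startup\\run.bat",
    "C:\\Windows\\Temp\\x.exe",
    "\\\\attacker\\share\\y.dll",
    "sub/../../escape.txt",
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:  # only the first two resolve; the rest are refused
        print(f"{name!r:55} -> {resolve_drop_path('rdp_drop', name)}")
```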
Below is a video PoC published by the experts:
The vulnerabilities discovered by the experts could be used in multiple attack scenarios, hackers can exploit them to compromise a target machine running a vulnerable RDP client and
By deploying such an attack, attackers can gain elevated network permissions and then attempt lateral movement inside the organization. Hackers can, for example, target an IT staff member who connects to an infected workstation inside the corporate network, or a malware researcher who connects to a remote sandboxed virtual machine containing a sample under analysis. In the latter scenario, the malicious code could escape the sandbox and compromise the corporate network.
Check Point reported its findings to the development teams of the RDP tools in October 2018. FreeRDP developers addressed the flaws with a patch in the GitHub repository in November, and rdesktop developers released a fix in mid-January.
Microsoft confirmed the findings of the study but replied with this eloquent and questionable answer:
“Thank you for your submission. We determined your finding is valid but does not meet our bar for servicing. For more information, please see the Microsoft Security Servicing Criteria for Windows (https://aka.ms/windowscriteria).”
This means that Microsoft users remain exposed to attackers implementing the attacks described by Check Point.
“Although the code quality of the different clients varies, as can be seen by the distribution of the vulnerabilities we found, we argue that the remote desktop protocol is complicated, and is prone to vulnerabilities. As we demonstrated in our PoCs for both Microsoft’s client and one of the open-sourced clients, a malicious RDP server can leverage the vulnerabilities in the RDP clients to achieve remote code execution over the client’s computer,” the security firm concluded.
The FBI Internet Crime Complaint Center (IC3) and the DHS recently issued a joint alert to highlight the rise of RDP as an attack vector.
Attackers are exploiting this feature to access systems and deploy malware such as the SamSam ransomware.