New Vulnerabilities Make RDP Risks Far from Remote

  /     /     /  
Publicated : 23/11/2024   Category : security


New Vulnerabilities Make RDP Risks Far from Remote


More than two dozen vulnerabilities raise the risk of using RDP clients to remotely manage and configure systems.



Researchers have announced a flurry of vulnerabilities in three separate implementations of RDP, the remote desktop protocol that is widely used in remote technical support and configuration operations at large enterprises and service providers.
In a presentation at their companys annual conference, Check Point security researchers 
detailed 25 reverse RDP vulnerabilities
in three separate RDP clients: FreeRDP, rdesktop, and mstc.exe. Two of the clients are native to operating systems; rdesktop is the client included in distros of Kali Linux, while mstc.exe is Microsofts RDP client included with Windows.
In all of these reverse RDP vulnerabilities, its the remote system — not the system being connected to — thats vulnerable. As Yaniv Balmas, head of technical research at Check Point, says, Once we have a direct channel back to your to your machine, we can practically do anything we want on that machine. We can do everything we want. The machine is ours.
While many IT professionals believe that only display and user interface data is exchanged in an RDP session, Balmas says RDP clients have more capabilities, and its those additional capabilities that provide the source of the vulnerabilities.
In both of the open source RDP clients, Check Point found that malware on the host system could use a buffer overflow technique to force remote code execution on the client machine. There are actually a variety of ways to do this; so far, 19 vulnerabilities have been identified and given CVE designations in rdesktop, while six have been identified in FreeRDP.
All of these vulnerabilities were submitted to the open source community prior to public disclosure, and all have been patched. So the remediation for the two free versions is essentially to make sure youre using the latest patched version, Balmas says.
The situation with mstc.exe is different. The researchers found that the code Microsoft uses is much stronger than that used by the open source versions. Theres one feature, though, that creates an opportunity for malicious behavior: Through the RDP client, the host and remote systems share a clipboard.
As the researcher wrote in their blog post on the vulnerabilities, If the client fails to properly canonicalize and sanitize the file paths it receives, it could be vulnerable to a path-traversal attack, allowing the server to drop arbitrary files in arbitrary paths on the client’s computer, a very strong attack primitive.
What this means in practical terms also is detailed in the post: If a client uses the Copy & Paste feature over an RDP connection, a malicious RDP server can transparently drop arbitrary files to arbitrary file locations on the client’s computer, limited only by the permissions of the client. For example, we can drop malicious scripts to the client’s Startup folder, and after a reboot they will be executed on his computer, giving us full control.
The researchers were able to build code that pushed code onto the clipboard without the users permission or awareness, Balmas says. Then, if the remote user pastes anything from the clipboard, the malicious code is also pasted to an arbitrary location.
Because the exploit involves user interaction, Microsoft does not classify this as a code vulnerability and has not been given a CVE designation. Despite that, We consider this to be critical, or at least important for users to know, because we think that this kind of — I would call it the bug — goes unnoticed and can definitely be used by malicious actors, Balmas says.
Related Content:
3 Keys to Reducing the Threat of Ransomware
RDP Ports Prove Hot Commodities on the Dark Web
The Risks of Remote Desktop Access Are Far from Remote
Microsoft Remote Access Protocol Flaw Affects All Windows Machines

Last News

▸ There are plenty of online tools for reporting bugs. ◂
Discovered: 23/12/2024
Category: security

▸ 27 Million South Koreans Hit by Online Gaming Theft. ◂
Discovered: 23/12/2024
Category: security

▸ Homeland Security Background Checks Breach Raises Concerns. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
New Vulnerabilities Make RDP Risks Far from Remote