RDP Bug Takes New Approach to Host Compromise

  /     /     /  
Publicated : 23/11/2024   Category : security


RDP Bug Takes New Approach to Host Compromise


Researchers show how simply connecting to a rogue machine can silently compromise the host.



Most security professionals know they can use Microsofts Remote Desktop Protocol (RDP) to connect to other machines but may not consider how merely using RDP could compromise one.
A recently discovered RDP vulnerability could silently compromise a host when it connects to a rogue machine, researchers report.
CVE-2019-0887
, discovered by Eyal Itkin, a vulnerability researcher with Check Point Software Technologies, was classified as Important and
patched
this month. Microsoft has not yet seen any evidence this flaw has been exploited in the wild.
The remote code execution bug is in Remote Desktop Services, formerly known as Terminal Services, when an authenticated attacker abuses clipboard redirection. A successful attacker could execute malicious code on a target system; install programs; view, change, or delete data; or create new accounts with full user rights. To exploit the vulnerability, however, an attacker must first compromise Remote Desktop Services and wait for a victim system to connect.
Most RDP vulnerabilities allow an attacker to compromise the server, then approach new victim machines using RDP, says Dana Baril, security software engineer at Microsoft. An example is
BlueKeep
, the critical remote code execution vulnerability that prompted Microsoft to issue patches for out-of-support Windows systems when it fixed the bug in June. BlueKeep could let unauthenticated attackers break into a server and abuse a bug in the server itself.
Most of the time people look for vulnerabilities in the server and try to expand from their computer to a new one on the network, Itkin explains. This flaw is different.
In this case, the victim machine is the one that initiated the connection, Baril continues. We have one compromised machine using lateral movement technique; this gets connections from victim machines and spreads the exploit.
Itkin was researching lateral movement attack vectors when he discovered the vulnerability. If we take over a single machine and ambush a single user or IT admin, we directly get privilege without moving around a network too much, he explains. This specific bug exists in the clipboard, particularly in the way it synchronizes communication between the client and server.
By default, when a host connects to a machine, the clipboard connects the client and server. When a client copies a file from the server, the server tells the client where to store them. If attackers have control over a single device, they can slow it down, post pop-up messages, or cause other distractions so the corporate user opens a ticket and says the machine isnt working.
Usually when you take over a machine you try to be stealth, says Itkin. But because an attacker wants the IT manager to remotely connect to their target using RDP, we make a lot of noise, and we make IT users to connect to a machine and check it out. When the client connects, the attacker could use the clipboard function to download and store malicious files.
Clipboards were designed to be used locally and therefore trusted, Baril adds. This vulnerability exposes machines to a clipboard they can no longer trust. Baril and Itkin will discuss the details of the vulnerability, and approach the attack from both offensive and defensive perspectives, in their upcoming Black Hat USA briefing,
He Said, She Said — Poisoned RDP Offense and Defense
.
Following his discovery, Itkin informed Microsoft and went through the coordinated vulnerability disclosure process. After Microsoft issued a patch, he continued to collaborate with the research team and later found the same bug was inherited by Hyper-V; the Hyper-V manager uses RPD under the hood to manage virtual machines. Both issues are now fixed.
While companies should install the patch to fully protect themselves, Baril notes this technique can be detected with internal Windows telemetry. This attack technique was very hard to detect using existing telemetry, she says, adding that normal detection wouldnt work because this behavior doesnt appear unusual to users. To help users before they install the patch, Microsoft created behavioral detection using Windows Event Log. Researchers used the clipboard and RDP events to generate detection logic that could detect this tactic in action so businesses will know if theyre targeted even if they havent yet applied the update.
Related Content:
How Capture the Flag Competitions Strengthen the Cybersecurity Workforce
The State of IT Operations and Cybersecurity Operations
Bluetooth Bug Enables Tracking on Windows 10, iOS & macOS Devices
The 10 Essentials of Infosec Forensics
Security Snapshot: OS, Authentication, Browser & Cloud Trends
 
Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the 
conference
 and 
to register.

Last News

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security

▸ Travel agency fined £150,000 for breaking Data Protection Act. ◂
Discovered: 23/12/2024
Category: security

▸ 7 arrested, 3 more charged in StubHub cyber fraud ring. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
RDP Bug Takes New Approach to Host Compromise