Microsoft Patches, Reverse RDP Attacks, and Third-Party Clients

In a reverse RDP attack the usual direction of compromise is turned around: a malicious RDP server exploits a path traversal vulnerability in the client that connects to it over Microsoft's RDP.

What is happening

  • Microsoft’s Remote Desktop Protocol (RDP) is a remote-access technology built into Windows that has a history of security flaws.
  • Although a prominent vulnerability (CVE-2019-0887) was patched in July 2019, researchers found they could still exploit it by replacing the backslashes in file paths with forward slashes, which the patch's path canonicalization did not recognize as separators.
  • Microsoft acknowledged the bypass and fixed it earlier this year; it is now tracked separately as CVE-2020-0655.

The situation

  • Researchers disclosed that the bypass was fixed by adding a separate workaround in the Windows RDP client, while the root cause, the path canonicalization function itself, was left unchanged.
  • Researchers therefore consider the patch incomplete: it does not protect third-party RDP clients that rely on the same canonicalization function against the same attack.
  • When a client connects to a compromised RDP server with clipboard redirection enabled, the server can push files through the shared clipboard; with a path traversal in the file name, those files land in attacker-chosen locations on the client's disk, which leads to remote code execution.

What the experts are saying

  • Check Point researchers have stated, “A remote malware-infected computer could take over any client that tries to connect to it”.
  • The same forward-slash trick bypasses not only Microsoft’s patch but any path canonicalization check that was implemented according to Microsoft’s own best practices.

What you can do

  • Organizations that use Windows should install Microsoft’s February patch so that their RDP clients are protected from reverse RDP attacks.
  • Developers whose software relies on the unchanged PathCchCanonicalize API should be aware that it does not neutralize forward-slash traversal and should work around it in their own code, for example by normalizing separators before canonicalizing and checking the resolved path.
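The following Python is an added illustration, not code from the article, Microsoft or Check Point, of why a check built on a backslash-only canonicalizer accepts the forward-slash variant of the traversal while rejecting the backslash one, and of the hardened check developers can apply. DEST_DIR (an assumed clipboard drop directory on the client), the helper names and the sample file names are all assumptions; the canonicalizer is a model of the behaviour the article describes, not a copy of PathCchCanonicalize.

```python
import ntpath

# Assumed directory where an RDP client stores files arriving over the
# shared clipboard. Constructed for this example.
DEST_DIR = r"C:\Users\victim\AppData\Local\Temp\rdpclip"


def backslash_only_canonicalize(path: str) -> str:
    """Model of a canonicalizer that recognises only '\\' as a separator.

    It collapses '.' and '..' segments split on backslashes and leaves any
    forward slashes untouched. This models the behaviour the bypass relies
    on; it is not a copy of PathCchCanonicalize.
    """
    out = []
    for seg in path.split("\\"):
        if seg == "..":
            if out:
                out.pop()
        elif seg and seg != ".":
            out.append(seg)
    return "\\".join(out)


def where_the_filesystem_writes(path: str) -> str:
    """Where a Windows file API would actually put the file: both '/' and
    '\\' count as separators, so '..' segments behind either are resolved."""
    return ntpath.normpath(path)


def vulnerable_target(filename: str) -> str:
    """Patch-style check: canonicalize the full path with the backslash-only
    model, then require that the result still starts with DEST_DIR."""
    candidate = backslash_only_canonicalize(DEST_DIR + "\\" + filename)
    if not candidate.lower().startswith(DEST_DIR.lower() + "\\"):
        raise ValueError("path traversal blocked")
    return candidate


def hardened_target(filename: str) -> str:
    """Fold '/' into '\\' before canonicalizing, resolve with a separator-aware
    normalizer, and require the resolved path to lie strictly under DEST_DIR."""
    normalized = filename.replace("/", "\\")
    candidate = ntpath.normpath(ntpath.join(DEST_DIR, normalized))
    try:
        inside = ntpath.commonpath([DEST_DIR, candidate]).lower() == DEST_DIR.lower()
    except ValueError:  # different drive or a UNC path: never inside DEST_DIR
        inside = False
    if not inside or candidate.lower() == DEST_DIR.lower():
        raise ValueError("path traversal blocked")
    return candidate


def check(filename: str) -> dict:
    """Run both checks on one clipboard file name and report, per check,
    whether it was accepted and where the file would really be written."""
    result = {}
    for name, fn in (("vulnerable", vulnerable_target), ("hardened", hardened_target)):
        try:
            accepted = fn(filename)
            result[name] = ("accepted", where_the_filesystem_writes(accepted))
        except ValueError:
            result[name] = ("blocked", None)
    return result


if __name__ == "__main__":
    # Constructed sample file names a malicious server might place on the clipboard.
    for name in ("report.docx", r"..\..\..\..\evil.exe", "../../../../evil.exe"):
        print(f"{name!r}: {check(name)}")
```

The backslash form is caught by the vulnerable check because its `..` segments are collapsed before the prefix test, but the forward-slash form survives canonicalization untouched, passes the prefix test, and is then interpreted by the file API as a real traversal. The hardened version normalizes separators first and compares the fully resolved path by common path rather than by string prefix, so both forms are rejected.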

Worth noting

  • This year has seen a sharp rise in RDP attacks since the onset of the COVID-19 pandemic, as remote work made Microsoft’s proprietary RDP one of the most commonly used remote-access protocols.
  • The TrickBot malware added a module, rdpScanDll, for brute-forcing RDP accounts.

In essence

It remains unclear why the forward-slash bypass in Microsoft’s core path canonicalization function went undiscovered for so many years. All RDP users should install Microsoft’s latest patch, as the vulnerability can have severe consequences.