An improper Microsoft patch for reverse RDP attacks leaves third-party RDP clients vulnerable. Read on to know more…
This year has seen a tremendous surge in RDP attacks with the onset of the COVID-19 pandemic, as remote work made Microsoft's proprietary Remote Desktop Protocol (RDP) one of the most commonly used application-level protocols. RDP is built into Windows and has a long history of security flaws. In a reverse RDP attack the usual direction of trust is inverted: instead of the client attacking the server, a malicious or compromised RDP server exploits a path traversal vulnerability in the client that connects to it. The flaw came to light last year, and follow-up research in August found that it also affected Microsoft's Hyper-V hardware virtualization platform, which relies on RDP under the hood.
Although the original vulnerability (CVE-2019-0887) was patched in July 2019, Check Point researchers found they could still exploit it simply by replacing the backslashes in the traversal path with forward slashes. Microsoft acknowledged the bypass and fixed it earlier this year; it is now tracked as CVE-2020-0655.
The researchers disclosed that the bypass was resolved by adding a separate workaround to the Windows RDP client, while the root cause, the path canonicalization function itself, was left unchanged. They argue the patch is therefore not foolproof and does not protect third-party clients against the same attack. The attack surface is clipboard redirection: when a client with clipboard redirection enabled connects to a compromised RDP server, the server can use the shared RDP clipboard to push files onto the client's computer, and a traversal sequence in the filename lets it choose where on the client's disk those files land, which leads to remote code execution.
Check Point researchers have stated, “A remote malware-infected computer could take over any client that tries to connect to it.” They also found that, beyond bypassing Microsoft's patch, the same forward-slash trick defeats any canonicalization check implemented according to Microsoft's own best practices.
Microsoft's fix for the RDP client built into Windows apparently works well. But it is not enough to protect third-party RDP clients from the same attack: any client that relies on the same API, PathCchCanonicalize, to sanitize filenames received from the server is still vulnerable.
Organizations that use Windows should install the February patch released by Microsoft to ensure that their built-in RDP clients are protected from reverse RDP attacks. Developers of third-party clients should be aware that the PathCchCanonicalize API remains unchanged and does not treat forward slashes as path separators, and should add their own handling (normalizing or rejecting forward slashes before any containment check) rather than trusting the API alone.
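The bypass and the developer-side fix described above, as an added example that is not Check Point's or Microsoft's code: a simplified Python model of a backslash-only canonicalizer (a stand-in for PathCchCanonicalize; the real API's implementation is not reproduced here), the pre-fix containment check built on it, and a hardened check that normalizes forward slashes before canonicalizing. ntpath.normpath is used to show where Windows would actually create the file, since Win32 file APIs accept "/" as a separator. DEST_DIR and the filenames are constructed for the example.

```python
import ntpath
from typing import Optional

# Constructed example: the directory an RDP client writes clipboard-copied files into.
DEST_DIR = r"C:\Users\victim\Downloads"


def canonicalize_backslash_only(path: str) -> str:
    """Simplified model of a canonicalizer that only understands backslashes.

    It collapses '.' and '..' segments delimited by '\\' but treats '/' as an
    ordinary filename character, which is the behaviour the article attributes
    to PathCchCanonicalize. It is a stand-in, not the real Windows API.
    """
    drive, rest = ntpath.splitdrive(path)
    out = []
    for seg in rest.split("\\"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return drive + "\\" + "\\".join(out)


def contained_in_dest(path: str) -> bool:
    """True if path is lexically under DEST_DIR (case-insensitive, as on NTFS)."""
    return path.lower().startswith(DEST_DIR.lower() + "\\")


def vulnerable_destination(server_filename: str) -> Optional[str]:
    """Pre-CVE-2020-0655 style check: canonicalize with backslashes only, then
    require the result to stay under DEST_DIR. Returns None when rejected."""
    full = canonicalize_backslash_only(DEST_DIR + "\\" + server_filename)
    return full if contained_in_dest(full) else None


def hardened_destination(server_filename: str) -> Optional[str]:
    """Hardened check for a client that still relies on the unchanged API:
    normalize '/' to '\\' first, refuse any '..' segment outright, and only
    then canonicalize and verify containment."""
    normalized = server_filename.replace("/", "\\")
    if any(seg == ".." for seg in normalized.split("\\")):
        return None
    full = canonicalize_backslash_only(DEST_DIR + "\\" + normalized)
    return full if contained_in_dest(full) else None


def effective_write_path(path: str) -> str:
    """Where Windows would actually create the file: Win32 file APIs accept '/'
    as a separator, so ntpath.normpath stands in for that resolution here."""
    return ntpath.normpath(path)


if __name__ == "__main__":
    # Constructed filenames as a malicious server could supply them over the clipboard channel.
    benign = "report.pdf"
    backslash_traversal = r"..\..\..\ProgramData\dropped.exe"  # blocked by the July 2019 fix
    forward_traversal = "../../../ProgramData/dropped.exe"      # the forward-slash bypass
    for name in (benign, backslash_traversal, forward_traversal):
        accepted = vulnerable_destination(name)
        actual = effective_write_path(accepted) if accepted else "n/a"
        print(f"{name!r}: vulnerable check -> {accepted}; actually written to -> {actual}; "
              f"hardened check -> {hardened_destination(name)}")
```

The interesting case is the third filename: the backslash-only check accepts it because it sees a single long filename under DEST_DIR, yet the file system resolves the same string to C:\ProgramData\dropped.exe. The hardened check closes that gap by making the check and the file system agree on what a separator is before any comparison takes place.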
It is still unknown why the forward-slash bypass went undiscovered for so many years in Microsoft's core path sanitization function. All RDP users are advised to install Microsoft's latest patch, as the vulnerability can have severe consequences.