Popular RDP client vulnerabilities allows a remote system to be compromised
By Alfred Vergara on February 14, 2019
On February 5, 2019 researchers at Check Point Research disclosed 25 vulnerabilities in 3 popular Remote Desktop Protocol (RDP) clients: mstsc.exe, FreeRDP, and rdesktop. These vulnerabilities allowed for compromise of a RDP client through a malicious RDP server, including remote code execution and compromising the client’s copy/paste clipboard.
Disclaimer: This report is a synthesis of the report given by Check Point Research, in more detail, here:
https://research.checkpoint.com/reverse-rdp-attack-code-execution-on-rdp-clients/
What is RDP?
RDP is a protocol developed by Microsoft that allows for a RDP server to share its desktop over the Internet to a RDP client. RDP allows for the remote access of a client to a server workstation. This can be used by system and network administrators to troubleshoot remote computers through remote control via RDP. Best practices in the past have been for users to disable RDP on the protocol level (where RDP listens on port 3389 by default). However, the vulnerabilities discovered by Check Point Research compromises the client; this can mean a possible compromise of an Information Technology (IT) member who accesses a compromised RDP server for troubleshooting.
There are many RDP clients (which were investigated) including:
- FreeRDP – Popular open-source RDP client
- Rdesktop – Open-source RDP client, comes with Kali-linux
- mstsc.exe – Microsoft’s built-in RDP client
The Vulnerabilities
Check Point Research found 25 vulnerabilities through code auditing, but decided to focus on the common vulnerability between the two open-source clients in the form of remote code execution through buffer overflows.
Remote code execution
Remote code execution was possible in both rdesktop and FreeRDP through Integer-Overflows in similar places of code. The below code snippets from Check Point Research showcase the lack of checks in the code for the proper size of arguments, allowing for an attacker to execute code through a buffer overflow.
From Check Point Research: no checks verifying byte size of ‘length’ and ‘flags’
From Check Point Research: pkglen variable affected by underflowed ‘length’ and ‘flags’
Using a combination of the Common Vulnerabilities and Exposures (CVE) detailed in CVEs 2018-20179 and 2018-20181, which are detailed above, a malicious RDP server can execute code on a client. This is done by creating an Integer-underflow in the pkglen variable. An Integer-underflow, similar to a Integer-overflow, occurs when a variable is smaller than the smallest allowable integer. To represent this value takes a lot of memory, so much so that it overflows from past the allocated and expected area and may execute code past the buffer.
From Check Point Research: Integer-overflow found in bitmap updates in bmpdata variable
From Check Point Research: the same vulnerability in rdesktop found in FreeRDP; CVE 2018-8787
Clipboard path traversal
On the side of Microsoft, there is a feature that allows for a client to copy a file and paste it onto his/her desktop. Microsoft’s RDP client does not sanitize the file path that it receives from the copy/pasting functionality, which allows for a malicious file when copied from the compromised server to perform a directory traversal attack on the client to insert files in any path on the client, including malicious scripts to the client’s startup folder.
Impact
Check Point Research discovered the vulnerabilities found in FreeRDP and rdesktop and reported them on October 22, 2018 and October 28, 2018 respectively. The vulnerabilities were found through a code audit. Since these clients are open-source, this means that the source code is free for all to read, and free to change by the community. It is possible for a malicious user to have seen these vulnerabilities before Check Point Research and have used these vulnerabilities to compromise the two open-source RDP clients.
FreeRDP has 225 contributors on its GitHub. Assuming that contributors and developers are likely to be IT employees, and would have used RDP as a client, there are at least 225 users who could have been vulnerable to this attack. By compromising an IT user’s workstation through these vulnerabilities, a malicious person could pivot to the rest of the network with increased privileges–possibly affecting whole networks, until it was patched by FreeRDP on November 20, 2018 and rdesktop on January 16, 2019.
The RDP client vulnerabilities have shown that even previously known to be secure connections can be compromised. An IT professional who is accessing a compromised system remotely from one of the RDP clients can be attacked with the methods mentioned above. Display, user interface, and keyboard and mouse inputs are not the only thing transmitted over RDP, which means IT professionals who are troubleshooting systems remotely must diligent and security and perhaps consider using a virtual machine for RDP sessions.
Mitigation
The latest patches of FreeRDP and rdesktop have implemented fixes to the variety of vulnerabilities found in Check Point Research’s report and detailed in the CVEs reported in their study. Microsoft has not patched the issues found in their RDP client. To prevent the issue, disable copy/pasting over RDP.
As a developer, it is important to design and code with security in mind. This can be done through following secure coding practices; one of which is detailed by the Open Web Application Security Project (OWASP) which has a set of guidelines and instructions for developers to be aware of when developing software.
Sources
https://research.checkpoint.com/reverse-rdp-attack-code-execution-on-rdp-clients/
https://docs.microsoft.com/en-us/windows/desktop/TermServ/remote-desktop-protocol
https://support.microsoft.com/en-us/help/186607/understanding-the-remote-desktop-protocol-rdp
https://cwe.mitre.org/data/definitions/191.html