RIP, RDP... nearly: Security house Check Point punches holes in remote desktop tools
25 bugs, three Windows and Linux clients – endless pwnage
Security biz Check Point has found some 25 security vulnerabilities in three of the most popular remote desktop protocol (RDP) tools for Windows and Linux.
The infosec outfit tasked its bug-hunters with a manual code audit on Microsoft mstsc as well as the FreeRDP and rdesktop remote desktop utilities, and what they turned up was a glut of potentially serious flaws and security weaknesses.
Of the 25 CVE-listed vulnerabilities included in Check Point's report on its findings, 15 could be potentially exploited to achieve remote code execution. For what it's worth, Check Point focused its effort on attacks that flowed from the server to the client.
The idea of the study, Check Point said, was to look at the ways someone trying to connect to a machine, such as an admin or tech support staff, could actually be compromised by the box they wanted to remotely access.
"In a normal scenario, you use an RDP client, and connect to a remote RDP server that is installed on the remote computer. After a successful connection, you now have access to and control of the remote computer, according to the permissions of your user," Check Point's Eyal Itkin said.
"But if the scenario could be put in reverse? We wanted to investigate if the RDP server can attack and gain control over the computer of the connected RDP client."
As it turns out, there are more than a few ways the RDP server could be used to attack the remote user. The researchers found that many of the channels used to exchange data between the two points do not properly check for the length of packets being sent, potentially allowing the server to throw malformed packets at the client to trigger out-of-bounds read errors and integer overflows that would potentially set up remote code execution attacks.
Another particularly vulnerable point of attack was the way both the client and server shared data through a common clipboard. Because, again, the data traffic over this channel is not properly sanitized, the shared clipboard would allow for data path traversal attacks or information disclosure caused by the server peeking into the activity of the client's local clipboard.
A malicious RDP server can modify any clipboard content used by the client, worryingly, even if the client does not issue a "copy" operation inside the RDP window. "If you click 'paste' when an RDP connection is open, you are vulnerable to this kind of attack," noted Check Point's Itkin.
"For example, if you copy a file on your computer, the server can modify your (executable?) file / piggyback your copy to add additional files / path-traversal files using the previously shown PoC," it added.
In total, the manual source code review led to the assignment of 19 CVE-listed vulnerabilities in rdesktop, and six in FreeRDP. To secure yourself against exploitation: rdesktop is, we're told, fixed as of version 1.8.4, and FreeRDP as of version 2.0.0-rc4, so make sure you're running those builds or later.
The findings for Microsoft's closed-source RDP client were a bit more murky. Though Check Point found Windows RDP to be vulnerable to the above-mentioned clipboard issues, the security house said Redmond did not see it as serious enough to merit a CVE or security patch assignment.
Stealing, scamming, bluffing: El Reg rides along with pen-testing 'red team hackers'READ MORE
Regardless, what Check Point ultimately concluded was that there is nonetheless real potential for RDP to be abused by an attacker posing as a remote user or employee who might then compromise an admin simply by requesting an RDP service. It also mused that it could be used by criminals to fight back against malware researchers who use RDP to connect to virtual machines for analysis.
On a lighter note, Check Point also suggested that the bugs could allow for a bit of mischief between security teams.
rdesktop is the built-in client in Kali Linux, a Linux distro used by red teams for penetration testing, we thought of a 3rd (though probably not practical) attack scenario," Itkin's report stated. "Blue teams can install organizational honeypots and attack red teams that try to connect to them through the RDP protocol." ®