Check Point Research shows that users are fairly blasé about connecting with Remote Desktop Protocol (RDP) clients. However, a vulnerability in an RDP client could give bad actors the means to connect to the client. By exploiting one of the newly discovered flaws, an attacker can branch out from the RDP connection and control an entire local network. In its research, Check Point found 16 major vulnerabilities among 25 security issues. These flaws were observed in the open source FreeRDP and rdesktop clients. More worryingly, some vulnerabilities were also found in Microsoft’s own RDP technology.
According to the researchers, bad actors can use the following two scenarios to gain system access through RDP: “1. Attacking an IT member that connects to an infected work station inside the corporate network, thus gaining higher permission levels and greater access to the network systems. 2. Attacking a malware researcher that connects to a remote sandboxed virtual machine that contains a tested malware. This allows the malware to escape the sandbox and infiltrate the corporate network.”
Microsoft Remote Desktop Connection
For Microsoft’s RDP client, Check Point studied the company’s Mstsc.exe Build 18252.rs_prerelease.180928.1410. General users typically know this client as Microsoft Remote Desktop Connection.
The team found Remote Desktop was generally much more secure than some open source counterparts. Indeed, the service swatted away the proof-of-concept (PoC) exploits Check Point had created. Microsoft has integrated strong input and decompression checks to protect bytes sent through the client connection. Still, the team did find a vulnerability in Microsoft’s tool, specifically a path traversal that impacted the clipboard shared between client and server: “If the client fails to properly canonicalize and sanitize the file paths it receives, it could be vulnerable to a path-traversal attack, allowing the server to drop arbitrary files in arbitrary paths on the client’s computer, a very strong attack primitive.”
This vulnerability could be exploited in Remote Desktop Connection to give bad actors the ability to send malicious scripts or programs to the Startup folder on a Windows PC. The next time the machine reboots, it would automatically execute the malicious content. Check Point sent the information to Microsoft and the company says: “We determined your finding is valid but does not meet our bar for servicing. For more information, please see the Microsoft Security Servicing Criteria for Windows (https://aka.ms/windowscriteria).” In other words, Microsoft did not assign the vulnerability a CVE number and has not sent out a patch to fix it.
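The canonicalize-and-sanitize step the researchers describe can be sketched as follows. This is an added example, not code from Check Point, Microsoft or any RDP client; the names `resolve_paste_target`, `is_safe_name` and `UnsafePathError` are hypothetical, and it assumes the receiving side knows the absolute folder the user is pasting into.

```python
from pathlib import PureWindowsPath


class UnsafePathError(ValueError):
    """A peer-supplied file name would land outside the paste folder."""


def resolve_paste_target(dest_dir: str, received_name: str) -> PureWindowsPath:
    """Map a name received over the shared clipboard to a path under dest_dir.

    PureWindowsPath applies Windows path rules on any OS and never touches disk.
    """
    base = PureWindowsPath(dest_dir)
    if not base.is_absolute():
        raise ValueError("dest_dir must be an absolute path")
    name = received_name.replace("/", "\\")  # Windows accepts both separators
    if not name or "\x00" in name:
        raise UnsafePathError("empty name or embedded NUL")
    rel = PureWindowsPath(name)
    # A drive, UNC prefix or leading separator would replace dest_dir on join.
    if rel.drive or rel.root:
        raise UnsafePathError(f"rooted path: {received_name!r}")
    parts = []
    for part in name.split("\\"):
        if part in ("", "."):
            continue  # harmless: doubled separator or current directory
        if part == "..":
            raise UnsafePathError(f"parent reference: {received_name!r}")
        if ":" in part:
            raise UnsafePathError(f"stream or drive syntax: {received_name!r}")
        if part != part.rstrip(" ."):
            # Windows drops trailing dots and spaces, so ".. " can become "..".
            raise UnsafePathError(f"trailing dot or space: {received_name!r}")
        parts.append(part)
    if not parts:
        raise UnsafePathError("no file name left after normalisation")
    target = base.joinpath(*parts)
    if base not in target.parents:  # defence in depth on the final result
        raise UnsafePathError(f"escapes {dest_dir!r}: {received_name!r}")
    return target


def is_safe_name(dest_dir: str, received_name: str) -> bool:
    """True when received_name resolves to a location inside dest_dir."""
    try:
        resolve_paste_target(dest_dir, received_name)
        return True
    except UnsafePathError:
        return False
```

The check rejects a name outright instead of trying to repair it, so a refused paste can be logged with the offending name and the remote host for later review.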