Flaws in Popular RDP Clients Allow Malicious Servers to Reverse Hack PCs

You've always been warned not to share remote access to your computer with any untrusted people for many reasons—it's basic cyber security advice, and common sense, right?

But the advice should also run the other way: you should not even trust anyone who invites or offers you full remote access to their computer.

Security researchers at cybersecurity firm Check Point have discovered more than two dozen vulnerabilities in both open-source RDP clients and Microsoft's own proprietary client that could allow a malicious RDP server to compromise the computer running the client, reversing the usual direction of the attack.

RDP, or Remote Desktop Protocol, allows users to connect to remote computers. The protocol is usually used by technical users and IT administrators to remotely connect to other devices on the network.

RDP was initially developed by Microsoft for its Windows operating system, but there are several open-source RDP clients that can be used on Linux as well as Unix systems.

Check Point researchers recently conducted a detailed analysis of three of the most commonly used RDP clients—FreeRDP, rdesktop, and the Windows built-in RDP client—and identified a total of 25 security flaws, some of which could allow a malicious RDP server to remotely take control of computers running the client software.

FreeRDP, the most popular and mature open-source RDP client on Github, has been found vulnerable to six vulnerabilities, five of which are major memory corruption issues that could even result in remote code execution on the client's computer.
rdesktop, an older open-source RDP client that comes by default in Kali Linux distributions, has been found to be the most vulnerable RDP client with a total of 19 vulnerabilities, 11 of which could allow a malicious RDP server to execute arbitrary code on the client's computer.

Though the researchers found no remote code execution flaw in the Windows built-in RDP client, they discovered some interesting attack scenarios made possible by clipboard sharing: when clipboard redirection is enabled, the client and the server share clipboard data, so each side can read and modify what the other has copied.
"A malicious RDP server can eavesdrop on the client's clipboard—this is a feature, not a bug. For example, the client locally copies an admin password, and now the server has it too," researchers say while explaining the first attack scenario.
"A malicious RDP server can modify any clipboard content used by the client, even if the client does not issue a 'copy' operation inside the RDP window. If you click 'paste' when an RDP connection is open, you are vulnerable to this kind of attack," reads the second attack scenario.
In a further video, the researchers demonstrated how the clipboard attack against Microsoft's own client could even let a malicious RDP server trick the client into saving a malicious file in the user's Windows Startup folder, from where it is executed automatically every time that user logs on.
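The Startup-folder drop works because the file names in a shared clipboard file list are supplied by the server, and Check Point's demo used names containing `..\` components so that the client wrote the file outside the folder the user pasted into. The following is an added illustration, not code from Check Point, Microsoft or any RDP client: it models a client's "resolve the paste target" step with a naive join beside a hardened containment check. The paths and file names are constructed, the function names are hypothetical, and Windows path semantics are simulated with `ntpath` so the example runs on any platform.

```python
import ntpath

# Constructed sample paths. PASTE_DIR is the folder the user pasted into;
# STARTUP_DIR is the per-user Startup folder, whose contents run at every logon.
PASTE_DIR = r"C:\Users\alice\Downloads"
STARTUP_DIR = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed file names as a malicious server could announce them in the
# shared clipboard's file list. Only the first two should ever be written.
SERVER_FILE_LIST = [
    r"report.pdf",
    r"invoices\q1.xlsx",
    r"..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
    r"..\..\..\Windows\System32\drivers\etc\hosts",
    r"\Users\Public\update.exe",
]


def naive_target(paste_dir, name):
    """Vulnerable: trusts the server-supplied name and writes wherever it resolves."""
    return ntpath.normpath(ntpath.join(paste_dir, name))


def safe_target(paste_dir, name):
    """Hardened: the name is attacker-controlled, so the write must stay inside paste_dir.

    Raises ValueError for names that are drive-qualified, UNC, rooted ("\\foo"),
    or that escape paste_dir once ".." components are resolved.
    """
    drive, rest = ntpath.splitdrive(name)
    if drive or rest.startswith(("\\", "/")):
        raise ValueError(f"absolute or drive-qualified name rejected: {name!r}")
    root = ntpath.normpath(paste_dir)
    target = ntpath.normpath(ntpath.join(root, rest))
    # commonpath compares whole components case-insensitively, so a plain
    # string-prefix test is avoided: "Downloads2" is not a child of "Downloads".
    if target == root or ntpath.normcase(ntpath.commonpath([root, target])) != ntpath.normcase(root):
        raise ValueError(f"name escapes {root!r}: {name!r}")
    return target


def triage(paste_dir, names):
    """Run the hardened check over a whole file list; returns (accepted targets, rejected names)."""
    accepted, rejected = [], []
    for name in names:
        try:
            accepted.append(safe_target(paste_dir, name))
        except ValueError:
            rejected.append(name)
    return accepted, rejected


if __name__ == "__main__":
    traversal = SERVER_FILE_LIST[2]
    print("naive client would write:", naive_target(PASTE_DIR, traversal))
    accepted, rejected = triage(PASTE_DIR, SERVER_FILE_LIST)
    print("hardened client accepts:", accepted)
    print("hardened client rejects:", rejected)
```

With the constructed list, the naive join resolves the third name straight into `STARTUP_DIR`, which is the outcome the video shows; the hardened version rejects it along with the absolute, rooted and deeper-traversal names and keeps only the two that stay under the paste folder. The user-facing mitigation is still simpler: with clipboard redirection off, the server never gets to announce a file list at all.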

Researchers reported the vulnerabilities to the developers of the impacted RDP clients in October 2018.
FreeRDP patched the flaws as part of its v2.0.0-rc4 release and rolled out the software release to its GitHub repository less than a month after being notified.

rdesktop patched the issues as part of its v1.8.4 release and rolled out the fix in mid-January.
Microsoft acknowledged the researchers' findings but decided not to address the issues. The tech giant said: "We determined your finding is valid but does not meet our bar for servicing. For more information, please see the Microsoft Security Servicing Criteria for Windows (https://aka.ms/windowscriteria)."
However, Windows RDP client users can protect themselves against the attacks demonstrated by the researchers by simply disabling clipboard sharing, which is enabled by default, before connecting to a remote machine. In the Remote Desktop Connection client the switch is the Clipboard checkbox under Show Options > Local Resources; in a saved .rdp connection file the equivalent line is `redirectclipboard:i:0`.
