Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

7/18/2019
03:50 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

RDP Bug Takes New Approach to Host Compromise

Researchers show how simply connecting to a rogue machine can silently compromise the host.

Most security professionals know they can use Microsoft's Remote Desktop Protocol (RDP) to connect to other machines but may not consider how merely using RDP could compromise one.

A recently discovered RDP vulnerability could silently compromise a host when it connects to a rogue machine, researchers report. CVE-2019-0887, discovered by Eyal Itkin, a vulnerability researcher with Check Point Software Technologies, was classified as Important and patched this month. Microsoft has not yet seen any evidence this flaw has been exploited in the wild.

The remote code execution bug is in Remote Desktop Services, formerly known as Terminal Services, when an authenticated attacker abuses clipboard redirection. A successful attacker could execute malicious code on a target system; install programs; view, change, or delete data; or create new accounts with full user rights. To exploit the vulnerability, however, an attacker must first compromise Remote Desktop Services and wait for a victim system to connect.

Most RDP vulnerabilities allow an attacker to compromise the server, then approach new victim machines using RDP, says Dana Baril, security software engineer at Microsoft. An example is BlueKeep, the critical remote code execution vulnerability that prompted Microsoft to issue patches for out-of-support Windows systems when it fixed the bug in June. BlueKeep could let unauthenticated attackers break into a server and abuse a bug in the server itself.

"Most of the time people look for vulnerabilities in the server and try to expand from their computer to a new one on the network," Itkin explains. This flaw is different.

"In this case, the victim machine is the one that initiated the connection," Baril continues. "We have one compromised machine using lateral movement technique; this gets connections from victim machines and spreads the exploit."

Itkin was researching lateral movement attack vectors when he discovered the vulnerability. "If we take over a single machine and ambush a single user or IT admin, we directly get privilege without moving around a network too much," he explains. This specific bug exists in the clipboard, particularly in the way it synchronizes communication between the client and server.

By default, when a host connects to a machine, the clipboard connects the client and server. When a client copies a file from the server, the server tells the client where to store them. If attackers have control over a single device, they can slow it down, post pop-up messages, or cause other distractions so the corporate user opens a ticket and says the machine isn't working.

"Usually when you take over a machine you try to be stealth," says Itkin. But because an attacker wants the IT manager to remotely connect to their target using RDP, "we make a lot of noise, and we make IT users to connect to a machine and check it out." When the client connects, the attacker could use the clipboard function to download and store malicious files.

Clipboards were designed to be used locally and therefore trusted, Baril adds. This vulnerability exposes machines to a clipboard they can no longer trust. Baril and Itkin will discuss the details of the vulnerability, and approach the attack from both offensive and defensive perspectives, in their upcoming Black Hat USA briefing, "He Said, She Said — Poisoned RDP Offense and Defense."

Following his discovery, Itkin informed Microsoft and went through the coordinated vulnerability disclosure process. After Microsoft issued a patch, he continued to collaborate with the research team and later found the same bug was inherited by Hyper-V; the Hyper-V manager uses RPD under the hood to manage virtual machines. Both issues are now fixed.

While companies should install the patch to fully protect themselves, Baril notes this technique can be detected with internal Windows telemetry. "This attack technique was very hard to detect using existing telemetry," she says, adding that normal detection wouldn't work because this behavior doesn't appear unusual to users. To help users before they install the patch, Microsoft created behavioral detection using Windows Event Log. Researchers used the clipboard and RDP events to generate detection logic that could detect this tactic in action so businesses will know if they're targeted even if they haven't yet applied the update.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
50%
50%
tdsan,
User Rank: Ninja
7/22/2019 | 11:59:46 PM
Re: nice post
Also, one thing about Hyper-V, if we apply the same rules to the Hyper-V environment, we can isolate Hyper-V's use to the localsubnet so no-one outside of the network could access those servers. It could be locked down even further using Encryption and Authentication.

Todd
miha12
50%
50%
miha12,
User Rank: Apprentice
7/20/2019 | 7:36:40 AM
nice post
Amazing work
tdsan
50%
50%
tdsan,
User Rank: Ninja
7/19/2019 | 5:30:27 PM
Authenticated user, hard to defend against that
The remote code execution bug is in Remote Desktop Services, formerly known as Terminal Services, when an authenticated attacker abuses clipboard redirection.

We have identified ways to address this issue.
# Identify Administrators users
$users = New-Object -TypeName System.Security.Principal.NTAccount ("Administrators")

# Security Principles for users accessing systems
$SIDofSecureUserGroup = $users.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Secure User Groups found in the Administrators Group
$SecureMachineGroupSDDL = "D:(A;;CC;;; $SIDofSecureUserGroup)"

# Remote Desktop DisplayName for individual rules
$rule = (Get-NetFirewallRule -DisplayName "Remote Desktop*").DisplayName
    foreach ($i in $rule) {
        Set-NetFirewallRule -DisplayName $i -Profile "Private"
    }

# Set Remote Desktop, add Builtin\Administrators groups to the filter
$nfSecurityFilter = Get-NetFirewallRule -DisplayName "Remote Desktop*" | Get-NetFirewallSecurityFilter

# Set NetFirewallSecurity Filter Settings for Authorized Users, login required for local users
Set-NetFirewallSecurityFilter -RemoteMachine $SecureMachineGroupSDDL -InputObject $nfSecurityFilter -Authentication Required -Encryption Required

#This cmdlet can be run using only the pipeline.
foreach ($i in $rule) {
    Get-NetFirewallRule -DisplayName $i | Get-NetFirewallSecurityFilter | Set-NetFirewallSecurityFilter -RemoteMachine $SecureMachineGroupSDDL -Authentication Required -Encryption Required
}

#Looks for Remote Desktop rule, then sends the results to a file on your desktop call fwrules.txt (append)

Get-NetFirewallRule -DisplayName "Remote Desktop*" | out-file $env:USERPROFILE\desktop\fwrules.txt -Append
Get-NetFirewallRule -DisplayName "Remote Desktop*" | Get-NetFirewallSecurityFilter | out-file $env:USERPROFILE\desktop\fwfilter.txt -Append

We have implemented this fix on our site, maybe someone from the various teams could utilize this code to ensure RDP is not compomised.

Todd
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
The Flaw in Vulnerability Management: It's Time to Get Real
Jim Souders, Chief Executive Officer at Adaptiva,  8/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8103
PUBLISHED: 2019-08-20
Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an out-of-bounds read vulnerability. Successful exploitation ...
CVE-2019-8104
PUBLISHED: 2019-08-20
Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an out-of-bounds read vulnerability. Successful exploitation ...
CVE-2019-8105
PUBLISHED: 2019-08-20
Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an out-of-bounds read vulnerability. Successful exploitation ...
CVE-2019-8106
PUBLISHED: 2019-08-20
Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an out-of-bounds read vulnerability. Successful exploitation ...
CVE-2019-8058
PUBLISHED: 2019-08-20
Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an use after free vulnerability. Successful exploitation coul...