Security researchers at Check Point have identified a sweeping array of vulnerabilities in Remote Desktop Protocol (RDP) clients for Windows, Linux and Mac.

The NASDAQ-listed cybersecurity company’s team found 25 RDP security vulnerabilities in total; 16 of them identified as major vulnerabilities.

RDP is a proprietary protocol developed by Microsoft, commonly used by technical users and IT staff to connect to and work on a remote computer.

Check Point tested both open-source clients for the RDP protocol – mainly used by Linux and Mac users – and Microsoft’s own client. It found serious vulnerabilities in all of them, although those in Microsoft’s client took significantly more work to identify.

Check Point’s Eyal Itkin tested the following for vulnerabilities:

  • mstsc.exe – Microsoft’s built-in RDP client.
  • FreeRDP – The most popular and mature open-source RDP client on GitHub.
  • rdesktop – Older open-source RDP client, installed by default in Kali Linux.

His team was looking for ways in which a malicious RDP server could compromise the machine of the user connecting to it, and so move higher up an organisation’s food chain: securing elevated network permissions that allow increased lateral movement inside the target’s infrastructure.

Check Point’s examples included: “1) Attacking an IT member that connects to an infected work station inside the corporate network, thus gaining higher permission levels and greater access to the network systems and 2) Attacking a malware researcher that connects to a remote sandboxed virtual machine that contains a tested malware. This allows the malware to escape the sandbox and infiltrate the corporate network.”

Fifteen of the vulnerabilities could potentially allow remote code execution, Check Point said. While the open-source clients have issued patches, Microsoft responded eight weeks after the submission that it would not be patching the vulnerability: although it was determined to be “valid”, it “does not meet our bar for servicing.”

As a result, the path traversal vulnerability has no CVE-ID, and there is no patch to address it.

Remote Desktop Protocol Exploits: Naughty Clipboard

Check Point (using IDA to reverse engineer Microsoft’s RDP client) found that if a client uses the “Copy & Paste” feature over an RDP connection, a malicious RDP server can transparently drop arbitrary files to arbitrary file locations on the client’s computer, limited only by the permissions of the connecting user.

“For example, we can drop malicious scripts to the client’s “Startup” folder, and after a reboot they will be executed on his computer, giving us full control”, they said.

“In our exploit, we simply killed rdpclip.exe, and spawned our own process to perform the path traversal attack by adding an additional malicious file to every “Copy & Paste” operation. The attack was performed with “user” permissions, and does not require the attacker to have “system” or any other elevated permission.”

In short, the client and server share data through a common clipboard channel; because the file names and paths the server sends over this channel are not properly sanitised by the client before it writes the pasted files, a malicious server can exploit it.
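To make “not properly sanitised” concrete, here is an added example, not code from Check Point or from any RDP client, that models the clipboard file-list records a server sends and the client-side path check whose absence makes the traversal possible. The record layout used here (a FILEDESCRIPTORW-style 592-byte entry ending in a 260-WCHAR name), the helper names and the sample paths are assumptions for illustration; the file data is constructed inline. `ntpath` is used so the Windows path handling of the client can be modelled on any platform.

```python
import ntpath
import struct
from typing import Optional

# Layout assumed for this example: a FILEDESCRIPTORW-style record modelled as
# 4 bytes flags, 32 reserved, 4 attributes, 16 reserved, 8 last-write time,
# 4+4 size high/low, then a 520-byte (260 WCHAR) UTF-16LE file name: 592 bytes.
FD_HEADER = "<I32sI16sQII"
FD_NAME_OFFSET = struct.calcsize(FD_HEADER)   # 72
FD_SIZE = FD_NAME_OFFSET + 520                # 592


def build_descriptor(name: str, size: int = 0) -> bytes:
    """Build one descriptor as a malicious server could send it (constructed data)."""
    encoded = name.encode("utf-16-le")
    if len(encoded) > 520 - 2:
        raise ValueError("file name does not fit in 260 WCHARs")
    header = struct.pack(FD_HEADER, 0x4064, bytes(32), 0x80, bytes(16), 0,
                         size >> 32, size & 0xFFFFFFFF)
    return header + encoded.ljust(520, b"\x00")


def parse_descriptor(blob: bytes) -> tuple:
    """Return (server-supplied file name, size) from one 592-byte descriptor."""
    if len(blob) != FD_SIZE:
        raise ValueError("short descriptor")
    _flags, _r1, _attrs, _r2, _wtime, hi, lo = struct.unpack_from(FD_HEADER, blob, 0)
    name = blob[FD_NAME_OFFSET:].decode("utf-16-le").split("\x00", 1)[0]
    return name, (hi << 32) | lo


def naive_dest_path(dest_dir: str, name: str) -> str:
    """The unsafe pattern: trust the server's name and join it onto the paste folder."""
    return ntpath.normpath(ntpath.join(dest_dir, name))


def safe_dest_path(dest_dir: str, name: str) -> Optional[str]:
    """Hardened version: accept only a plain relative name that stays inside
    dest_dir. Returns None when the name must be rejected."""
    if not name or name[:1] in "\\/":          # rooted or UNC: join() would discard dest_dir
        return None
    if ntpath.splitdrive(name)[0]:            # "C:" or "C:\..." supplied by the server
        return None
    parts = name.replace("/", "\\").split("\\")
    if any(part in ("", ".", "..") for part in parts):
        return None
    base = ntpath.normpath(dest_dir)
    candidate = ntpath.normpath(ntpath.join(base, name))
    # Defence in depth: the canonical result must still sit below the paste folder.
    if not candidate.lower().startswith(base.lower() + "\\"):
        return None
    return candidate


def plan_paste(dest_dir: str, stream: bytes) -> tuple:
    """Walk a stream of descriptors and split it into the destination paths the
    hardened check accepts and the server-supplied names it rejects."""
    accepted, rejected = [], []
    for off in range(0, len(stream), FD_SIZE):
        name, _size = parse_descriptor(stream[off:off + FD_SIZE])
        path = safe_dest_path(dest_dir, name)
        if path is None:
            rejected.append(name)
        else:
            accepted.append(path)
    return accepted, rejected


if __name__ == "__main__":
    dest = r"C:\Users\victim\Desktop\paste"
    # Constructed hostile name: climbs out of the paste folder into the user's Startup folder.
    evil = r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\evil.bat"
    print("naive client would write:", naive_dest_path(dest, evil))
    stream = (build_descriptor("report.txt", 10)
              + build_descriptor(evil, 33)
              + build_descriptor(r"\Windows\evil.bat"))
    print("hardened client:", plan_paste(dest, stream))
```

The naive join lands `evil.bat` in the user’s Startup folder, which is exactly the outcome the researchers describe; the hardened check rejects `..` components, rooted or UNC names and drive prefixes, then re-verifies the canonical result against the paste folder. On the client side, the mitigation the researchers recommend corresponds to `redirectclipboard:i:0` in an .rdp file (or unticking Clipboard under Local Resources in mstsc).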

The team found the vulnerabilities in the open-source clients using “old-fashioned manual code audits” rather than any fuzzing technique. (Fuzzing involves automatically feeding a target large volumes of malformed data and observing how it reacts; when it crashes, analysis of the cause sometimes reveals vulnerabilities that can be exploited by malicious third parties.)

The code in Microsoft’s Remote Desktop Protocol client was better by “several orders of magnitude”, Check Point noted, with “several optimization layers for efficient network streaming of the received video, robust input checks and robust decompression checks, to guarantee that no byte will be written past the destination buffer.” As a result, the team had to turn to more sophisticated methods to identify the weakness.

For a detailed look at its approach, the company published this analysis. As RDP is regularly used by IT staff and technical workers to connect to remote computers, Check Point highly recommends that everyone patch their RDP clients.

“In addition, due to the nature of the clipboard findings we showed in Microsoft’s RDP client, we recommend users to disable the clipboard sharing channel (on by default) when connecting to a remote machine.”
