Reverse RDP Attack—wherein a client system vulnerable to a path traversal vulnerability could get compromised when remotely accessing a server over Microsoft’s Remote Desktop Protocol, Microsoft though had patched the vulnerability (CVE-2019-0887) as part of its July 2019 Patch Tuesday update, it turns out researchers were able to bypass the patch just by replacing the backward slashes in paths with forward slashes.
Microsoft acknowledged the improper fix and re-patched the flaw in its February 2020 Patch Tuesday update earlier this year, now tracked as CVE-2020-0655.
In the latest report shared with The Hacker News, Check Point researcher disclosed that Microsoft addressed the issue by adding a separate workaround in Windows while leaving the root of the bypass issue, an API function “PathCchCanonicalize,” unchanged.
Apparently, the workaround works fine for the built-in RDP client in Windows operating systems, but the patch is not fool-proof enough to protect other third-party RDP clients against the same attack that relies on the vulnerable sanitization function developed by Microsoft.
“We found that not only can an attacker bypass Microsoft’s patch, but they can bypass any canonicalization check that was done according to Microsoft’s best practices,” Check Point researcher Eyal Itkin said in a report shared with The Hacker News.
For those unaware, path traversal attacks occur when a program that accepts a file as input fails to verify it, allowing an attacker to save the file in any chosen location on the target system, and thus exposing the contents of files outside of the root directory of the application.
“A remote malware-infected computer could take over any client that tries to connect to it. For example, if an IT staff member tried to connect to a remote corporate computer that was infected by malware, the malware would be able to attack the IT staff member’s computer as well,” the researchers described.
The flaw came to light last year, and a subsequent research in August found that it impacted Microsoft’s Hyper-V hardware virtualization platform as well.
Here’s a demonstration video on the original vulnerability from the last year:
Video Source Official Check Point YouTube channel: https://www.youtube.com/watch?v=F70FGv_QxDY
An Improperly Patched Path Traversal Flaw
According to researchers, the July patch can be bypassed because of a problem that lies in its path canonicalization function “PathCchCanonicalize,” which is used to sanitize file paths, thus allowing a bad actor to exploit the clipboard synchronization between a client and a server to drop arbitrary files in arbitrary paths on the client machine.
In other words, when using the clipboard redirection feature while connected to a compromised RDP server, the server can use the shared RDP clipboard to send files to the client’s computer and achieve remote code execution.
Although Check Point researchers originally confirmed that “the fix matches our initial expectations,” it appears there’s more to it than meets the eye: the patch can be simply bypassed by replacing backward slashes (e.g., file\to\location) in paths with forward slashes (e.g., file/to/location), which traditionally act as path separators in Unix-based systems.
“It seems that PathCchCanonicalize, the function that is mentioned in Windows’s best practice guide on how to canonicalize a hostile path, ignored the forward-slash characters,” Itkin said. “We verified this behavior by reverse-engineering Microsoft’s implementation of the function, seeing that it splits the path to parts by searching only for ‘\’ and ignoring ‘/.'”
The cybersecurity firm said it found the flaw when trying to examine Microsoft’s Remote Desktop client for Mac, an RDP client that was left out from their initial analysis last year. Interestingly, the macOS RDP client in itself isn’t vulnerable to CVE-2019-0887.
With the main vulnerability still not rectified, Check Point cautioned that the implications of a simple bypass to a core Windows path sanitation function pose a serious risk to many other software products that could potentially be affected.
“Microsoft neglected to fix the vulnerability in their official API, and so all programs that were written according to Microsoft’s best practices will still be vulnerable to a Path-Traversal attack,” Check Point’s Omri Herscovici said. “We want developers to be aware of this threat so that they could go over their programs and manually apply a patch against it.”
The information contained in this website is for general information purposes only. The information is gathered from The Hacker News, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.