Reverse RDP Attack Also Enables Guest-to-Host Escape in Microsoft Hyper-V

Posted by & filed under Security Alerts.

Earlier this year, researchers disclosed clipboard hijacking and path-traversal issues in Microsoft’s Windows built-in RDP client that could allow a malicious RDP server to compromise a client computer, reversely.

At the time when researchers responsibly reported this path-traversal issue to Microsoft, in October 2018, the company acknowledged the issue but decided not to address it.

Now, it turns out that Microsoft silently patched this vulnerability (CVE-2019-0887) just last month as part of its July Patch Tuesday updates after Eyal Itkin, security researcher at CheckPoint, found the same issue affecting Microsoft’s Hyper-V technology as well.

Microsoft’s Hyper-V is a virtualization technology that comes built-in with Windows operating system, enabling users to run multiple operating systems at the same time as virtual machines. Microsoft’s Azure cloud service also uses Hyper-V for server virtualization.

Similar to other virtualization technologies, Hyper-V also comes with a graphical user interface that allows users to manage their local and remote virtual machines (VMs).

 

Video Demo: Remote Desktop Protocol Vulnerability Demo – Paste-Only Attack On Hyper-V Windows RDP
Source: Check Point Software Technologies Official YouTube Channel.

 

According to a report CheckPoint researchers shared with The Hacker News, the Enhanced Session Mode in Microsoft’s Hyper-V Manager, behind the scenes, uses the same implementation as of Windows Remote Desktop Services to let the host machine connect to a guest virtual machine and share synchronized resources like clipboard data.

“It turns out that RDP is used behind the scenes as the control plane for Hyper-V. Instead of re-implementing screen-sharing, remote keyboard, and a synchronized clipboard, Microsoft decided that all of these features are already implemented as part of RDP, so why not use it in this case as well?” researchers say.

This means, Hyper-V Manager eventually inherits all of the security vulnerabilities reside in Windows RDP, including the clipboard hijacking and path-traversal vulnerabilities that could lead to guest-to-host VM escape attack, “effectively allowing one to break out of a Virtual Machine and reach the hosting machine, virtually breaking the strongest security mitigation provided by the virtualization environment.”

As demonstrated previously, the flaws could allow a malicious or a compromised guest machine to trick the host user into unknowingly saving a malicious file in his/her Windows startup folder, which will automatically get executed every time the system boots.

“A malicious RDP server can send a crafted file transfer clipboard content that will cause a Path-Traversal on the client’s machine,” researchers explain.

Unlike previously, this time, Microsoft decided to patch the vulnerability immediately after the researchers disclosed the Hyper-V implications of this flaw, which is now identified as CVE-2019-0887.

“A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an authenticated attacker abuses clipboard redirection,” Microsoft said while explaining the vulnerability in its security advisory.

 

“An attacker who successfully exploited this vulnerability could execute arbitrary code on the victim system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

The researchers tested and confirmed the patch for the Path-Traversal vulnerability and strongly recommended all users to install the security patch in an attempt to protect their RDP connections as well as their Hyper-V environment.

 

The information contained in this website is for general information purposes only. The information is gathered from The Hacker News while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.  Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.