REWTERZ THREAT ALERT -Reverse RDP Attacks by Major Protocol Issues

February 6, 2019

SEVERITY: Medium

CATEGORY: Vulnerability

Analysis Summary

A total of 25 security ﬂaws are discovered in the popular implementations of the Remote Desktop Protocol (RDP) which can allow bad actors to take control of computers connecting to a malicious server using remote code execution and memory corruption. The ﬂaws allow a malicious actor to reverse the usual direction of communication and infect the IT professional or security researcher’s computer. Such an infection could then allow for an intrusion into the IT/local network as a whole.

16 major vulnerabilities are in the open source FreeRDP RDP client and its fork rdesktop, as well as in Microsoft’s own RDP client implementation. Open source xrdp RDP server is partially based on rdesktop and hence is vulnerable to the same vulnerabilities.

1.8.3 version of the rdesktop RDP client contains 11 vulnerabilities with a major security impact, and 19 vulnerabilities overall in the library. FreeRDP 2.0.0-rc3 contains ﬁve vulnerabilities with major security impact and six vulnerabilities overall in the library. (The RDP client NeutrinoRDP is a fork of an older version (1.0.1) of ‘FreeRDP’ and therefore probably suﬀers from the same vulnerabilities.)

RDP Clients may also be vulnerable to a path-traversal attack, allowing the server to drop arbitrary ﬁles in arbitrary paths on the client’s computer.

Impact

Memory Corruption
Code Execution
System Access
Network-wide infection

Aﬀected Products

mstsc.exe
FreeRDP
rdesktop

Remediation

If you are using rdesktop or FreeRDP, update to the latest version which includes the relevant patches.
When using Microsoft RDP client (MSTSC), we strongly recommend disabling bi-directional clipboard sharing over RDP.
Apply security measures to both the clients and the servers involved in the RDP communication.
Users should avoid using RDP to connect to remote servers that have not implemented suﬃcient security measures.