logo
allArticlesConferencesPresentations

He Said, She Said – Poisoned RDP Offense and Defense

Conference:  BlackHat USA 2019

2019-08-07

Summary

The presentation discusses a vulnerability in the RDP clipboard that allows attackers to drop malicious files on a victim's machine. The vulnerability was fixed in a patch released in July 2019.
  • The RDP clipboard was not designed to be trusted and was introduced as a feature for sharing between multiple machines
  • Attackers can use Windows telemetry to cover their tracks after performing malicious activity
  • Cross-community collaboration is important for finding and fixing vulnerabilities
The presenter shared that they were able to detect the malicious behavior of dropping files in the startup folder by using anomaly detection based on file creation events. They also mentioned that the vulnerability was fixed in a patch released in July 2019, which included a new method for verifying file paths before pasting operations.

Abstract

It's safe to assume that many people reading this text have heard of using the Remote Desktop Protocol (RDP) to connect to other machines. But has anyone ever considered that merely using RDP can compromise their own computer? In this talk, we will not be covering a typical RDP vulnerability where a server is attacked - instead, we will show that just by connecting to a rogue machine, your own host can be reliably and silently compromised. Although there are numerous vulnerabilities in popular open source RDP clients, this talk heads straight for the crown jewel: the Microsoft Terminal Services Client, or MSTSC.EXE. Together, we will take a deep dive into the main synchronized resource between the client and the server: the clipboard. At the end of this journey, we will discover an inherent design problem with this resource synchronization, a design problem also inherited by Hyper-V. For attackers, this design flaw enables new ways of escaping the sandbox. For defenders, there is a way to fight back. With the right optics, this technique can be detected using internal Windows telemetry. In this collaborative talk, researchers from Check Point and Microsoft share the inside story of the attack from both the offensive and defensive perspectives.
Materials:
Slides
Paper
Tags:

Post a comment

Related work

Fuzzing and Exploiting Virtual Channels in Microsoft Remote Desktop Protocol for Fun and Profit

Conference:  BlackHat EU 2019
Authors:
2019-12-04

Let's Dance in the Cache - Destabilizing Hash Table on Microsoft IIS

Conference:  Black Hat USA 2022
Authors:
2022-08-10

SELECT code_execution FROM * USING SQLite;—Gaining code execution using a malicious SQLite database

Conference:  Defcon 27
Authors:
2019-08-01

ProxyLogon is Just the Tip of the Iceberg: A New Attack Surface on Microsoft Exchange Server!

Conference:  BlackHat USA 2021
Authors:
2021-08-05

Hardening Hyper-V through Offensive Security Research

Conference:  BlackHat USA 2018
Authors:
2018-08-09

ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Microsoft Exchange Server!

Conference:  Defcon 29
Authors:
2021-08-01