He Said, She Said – Poisoned RDP Offense and Defense

Conference: BlackHat USA 2019

The presentation discusses a vulnerability in the RDP clipboard that allows attackers to drop malicious files on a victim's machine. The vulnerability was fixed in a patch released in July 2019.
  • The RDP clipboard was not designed to be trusted and was introduced as a feature for sharing between multiple machines
  • Attackers can use Windows telemetry to cover their tracks after performing malicious activity
  • Cross-community collaboration is important for finding and fixing vulnerabilities
The presenter shared that they were able to detect the malicious behavior of dropping files in the startup folder by using anomaly detection based on file creation events. They also mentioned that the vulnerability was fixed in a patch released in July 2019, which included a new method for verifying file paths before pasting operations.
It's safe to assume that many people reading this text have heard of using the Remote Desktop Protocol (RDP) to connect to other machines. But has anyone ever considered that merely using RDP can compromise their own computer? In this talk, we will not be covering a typical RDP vulnerability where a server is attacked - instead, we will show that just by connecting to a rogue machine, your own host can be reliably and silently compromised. Although there are numerous vulnerabilities in popular open source RDP clients, this talk heads straight for the crown jewel: the Microsoft Terminal Services Client, or MSTSC.EXE. Together, we will take a deep dive into the main synchronized resource between the client and the server: the clipboard. At the end of this journey, we will discover an inherent design problem with this resource synchronization, a design problem also inherited by Hyper-V. For attackers, this design flaw enables new ways of escaping the sandbox. For defenders, there is a way to fight back. With the right optics, this technique can be detected using internal Windows telemetry. In this collaborative talk, researchers from Check Point and Microsoft share the inside story of the attack from both the offensive and defensive perspectives.
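As an added illustration (not code from the talk, Check Point or Microsoft) of the kind of file-path verification the summary above says the July 2019 patch introduced: a paste should only ever write a clipboard-delivered file beneath the directory the user pasted into, so the peer-supplied name is normalised lexically and rejected when it is absolute, contains characters Windows forbids, or climbs out of that directory. The helper names, the destination path and the sample file names are assumptions.

```python
from pathlib import PureWindowsPath

# Characters Windows never allows in a file name component; ':' also blocks
# alternate data streams such as "name.txt:stream".
FORBIDDEN_CHARS = set('<>:"|?*') | {chr(c) for c in range(32)}


def normalize_parts(path):
    """Collapse '.' and '..' lexically (no filesystem access, so safe on untrusted
    input) and return (anchor, parts). Like Windows, '..' at the root is dropped."""
    p = PureWindowsPath(path)
    out = []
    for part in (p.parts[1:] if p.anchor else p.parts):
        if part == ".":
            continue
        if part == "..":
            if out:
                out.pop()
            continue
        out.append(part)
    return p.anchor, tuple(out)


def resolve_paste_target(dest_dir, relative_name):
    """Return the absolute path a pasted file may be written to, or None when the
    peer-supplied name would land outside dest_dir. Hypothetical helper: the
    patched client's real check is not published, and a production version must
    also cope with 8.3 short names and trailing dots/spaces, which need the
    filesystem to resolve."""
    rel = PureWindowsPath(relative_name)
    if rel.anchor:  # 'C:\\x', 'C:x', '\\x' or '\\\\server\\share': absolute, refuse
        return None
    if any(ch in FORBIDDEN_CHARS for ch in relative_name):
        return None
    base_anchor, base_parts = normalize_parts(dest_dir)
    cand_anchor, cand_parts = normalize_parts(PureWindowsPath(dest_dir) / rel)
    fold = lambda parts: tuple(s.lower() for s in parts)  # NTFS is case-insensitive
    if (cand_anchor.lower() != base_anchor.lower()
            or len(cand_parts) <= len(base_parts)          # empty name or '.'
            or fold(cand_parts[:len(base_parts)]) != fold(base_parts)):
        return None  # traversal escaped the destination directory
    return str(PureWindowsPath(cand_anchor).joinpath(*cand_parts))


if __name__ == "__main__":
    # Constructed sample of names a rogue server could place in the clipboard file list.
    dest = r"C:\Users\victim\Desktop"
    for name in ["report.pdf", r"docs\..\notes.txt",
                 r"..\..\..\..\ProgramData\dropped.exe", r"C:\Windows\dropped.exe"]:
        target = resolve_paste_target(dest, name)
        print("BLOCK" if target is None else "ALLOW", name, "->", target)
```

Rejected names are the ones a defender would also want logged, since a legitimate clipboard transfer never needs a parent-directory reference or an absolute path.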