Apache Guacamole Opens Door for Total Control of Remote Footprint


Several vulnerabilities can be chained together for a full exploit.

Apache Guacamole, a popular infrastructure for enabling remote working, is vulnerable to a slew of security bugs related to the Remote Desktop Protocol (RDP), researchers have warned. Admins should update their systems to avoid attacks bent on stealing information or remote code-execution.

“Once in control of the gateway, an attacker can eavesdrop on all incoming sessions, record all the credentials used, and even start new sessions to control the rest of the computers within the organization,” explained Eyal Itkin, researcher from Check Point, in a posting on Thursday. “When most of the organization is working remotely, this foothold is equivalent to gaining full control over the entire organizational network.”

Apache Guacamole has more than 10 million Docker downloads globally, and is also embedded into other products like Jumpserver Fortress, Quali and Fortigate. Guacamole gateways essentially secure and handle connections from users coming from outside the corporate perimeter.

“In essence, an employee uses a browser to connect to his company’s internet-facing server, goes through an authentication process, and gets access to his corporate computer,” said Itkin. “While the employee only uses his browser, the Guacamole server selects one of the supported protocols (RDP, VNC, SSH, etc.) and uses an open-source client to connect to the specific corporate computer. Once connected, the Guacamole server acts as a middle-man that relays the events back and forth while translating them from the chosen protocol to the special ‘Guacamole Protocol’ and vice versa.”

The vulnerabilities allow an on-network attacker to compromise a gateway, and then intercept and control all of the sessions that connect to it.

“This [COVID-19-related] transition from onsite to off-premise work means that IT solutions for remotely connecting to the corporate network are now used more than ever,” Itkin added. “This also means that any security vulnerability in these solutions will have a much greater impact, as companies rely on this technology to keep their businesses functioning.”

Apache Guacamole is vulnerable to several critical bugs inside its own infrastructure, along with other vulnerabilities found in FreeRDP, according to Check Point.

Attack Scenarios and Bugs

There are two different attack scenarios, the researcher explained: In a reverse attack, a compromised machine inside the corporate network leverages the incoming benign connection to attack the gateway, aiming to take it over. And in the malicious worker scenario, a rogue employee uses a computer inside the network to leverage his hold on both ends of the connection and take control of the gateway.

To enable either of these, an exploit chain using information-disclosure bugs, a memory-corruption issue and privilege exploitation is necessary – which Check Point has demonstrated in a video.

“[There is a] high probability that most companies haven’t yet upgraded to the latest versions, and could already be attacked using these known 1-Days,” Itkin warned.

The flaw tracked as CVE-2020-9497 enables information disclosure.

“To relay the messages between the RDP connection and the client, the developers implemented their own extension for the default RDP channels,” according to the writeup. “One such channel is responsible for the audio from the server, hence unsurprisingly called rdpsnd (RDP Sound).”

By sending a malicious rdpsnd channel message, a malicious RDP server could cause the client to think that the packet contains a huge amount of bytes, which are in fact memory bytes of the client itself, Itkin added: “This in turn causes the client to send back a response to the server with these bytes, and grant the RDP server a massive, heartbleed-style, information-disclosure primitive.”

Another information-disclosure bug, also covered under CVE-2020-9497, is similar, but the flaw sends the out-of-bounds data to the connected client, instead of back to the RDP server.

“We were intrigued to find an additional channel, guacai, responsible for sound messages,” according to Itkin. “This channel is responsible for the audio input, hence the name guacai. Although vulnerable to roughly the same vulnerability as the previous channel, this channel is disabled by default.”

The analysis also uncovered CVE-2020-9498, a memory-corruption issue allowing RCE.

“The RDP protocol exposes different ‘devices’ as separate ‘channels,’ one for each device. These include the rdpsnd channel for the sound, cliprdr for the clipboard, and so on,” according to the analysis. “As an abstraction layer, the channel messages support a fragmentation that allows their messages to be up to 4GB long.”

The first fragment of any message must carry the CHANNEL_FLAG_FIRST flag, which triggers allocation of a correctly sized stream (known as wStream) to accommodate the declared length of the total message.

“However, what happens if an attacker sends a fragment without this flag? It seems that it is simply appended to the previous leftover stream,” Itkin explained. “After a fragmented message finishes the reassembly and goes on to be parsed, it is freed. And that’s it. No one sets the dangling pointer to NULL.”

This means that a malicious RDP server could send an out-of-order message fragment that is appended to the previously freed wStream object, creating a use-after-free vulnerability that can in turn be turned into arbitrary-read and arbitrary-write primitives.
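The reassembly logic described above, as an added example in C that is not code from FreeRDP, guacamole-server or the Check Point writeup: a hypothetical fragment reassembler that keeps the safe pattern, rejecting a continuation fragment when no message is in progress, refusing a declared length it will not honor, and clearing its stream pointer once the message is handed off. The struct, function names and the size cap are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of channel fragment reassembly (hypothetical, not the
   FreeRDP or guacamole-server code). Flag names follow the article. */
#define CHANNEL_FLAG_FIRST 0x01u
#define CHANNEL_FLAG_LAST  0x02u
#define MAX_TOTAL_LEN (16u * 1024u * 1024u)   /* policy cap, an assumption */

typedef struct {
    uint8_t *buf;    /* reassembly buffer, the "wStream" of the article */
    size_t   total;  /* length declared by the FIRST fragment */
    size_t   used;   /* bytes received so far */
} reassembler;

/* Drop any in-progress message and leave no dangling pointer behind. */
static int discard(reassembler *r)
{
    free(r->buf);
    r->buf = NULL;
    r->total = r->used = 0;
    return -1;
}

/* Returns 1 when a full message is ready (caller owns *out), 0 when more
   fragments are needed, -1 when the fragment is rejected. */
int reassemble(reassembler *r, uint32_t flags, uint32_t declared_total,
               const uint8_t *data, size_t len, uint8_t **out, size_t *out_len)
{
    if (flags & CHANNEL_FLAG_FIRST) {
        discard(r);                          /* restart cleanly on a new message */
        if (declared_total == 0 || declared_total > MAX_TOTAL_LEN)
            return -1;                       /* never allocate on an untrusted size */
        r->buf = malloc(declared_total);
        if (r->buf == NULL) return -1;
        r->total = declared_total;
    } else if (r->buf == NULL) {
        return -1;                           /* continuation with nothing in progress:
                                                the case that hit the freed stream */
    }
    if (len > r->total - r->used)
        return discard(r);                   /* fragment overruns declared length */
    memcpy(r->buf + r->used, data, len);
    r->used += len;
    if (!(flags & CHANNEL_FLAG_LAST)) return 0;
    if (r->used != r->total) return discard(r);
    *out = r->buf; *out_len = r->used;
    r->buf = NULL;                           /* hand off AND clear the pointer */
    r->total = r->used = 0;
    return 1;
}
```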

“By using vulnerabilities CVE-2020-9497 and CVE-2020-9498, we managed to implement our arbitrary read and arbitrary write exploit primitives,” Itkin said. “Using these two powerful primitives, we successfully implemented an RCE exploit in which a malicious corporate computer (our RDP ‘server’) can take control of the guacd process when a remote user requests to connect to his (infected) computer.”

That guacd process only handles a single connection and runs with low privileges – so Check Point looked for a path to privilege escalation that would allow takeover of the entire gateway.

After a client is successfully authenticated, the guacamole-client initiates a Guacamole Protocol session with the guacamole-server to create a matching session for the client. This is done by connecting to the guacamole-server on TCP port 4822 (by default) on which the guacd process is listening. The communication on this port uses no authentication or encryption (SSL could be enabled, but it isn’t the default). After the session is created, the guacamole-client only relays information back and forth between the guacamole-server and the client’s browser.

A vulnerability in the guacd executable gives an attacker the full memory layout – useful for bypassing Address Space Layout Randomization (ASLR) – and full memory content.

By using all of these weaknesses, Itkin said that Check Point researchers were able to take full control of a test Guacamole gateway, intercepting all information that flows through it.

It’s worth noting that the infrastructure is also vulnerable to existing bugs in FreeRDP, a free implementation of RDP released under the Apache license.

“In our previous research…we found several critical vulnerabilities in this RDP client which exposed it to attack from a malicious RDP ‘server,'” according to the researcher. “In other words, a malicious corporate computer can take control of an unsuspecting FreeRDP client that connects to it….By looking at the released versions of Apache Guacamole, we can see that only version 1.1.0, released at the end of January 2020, added support for the latest FreeRDP version (2.0.0). Knowing that our vulnerabilities in FreeRDP were only patched on version 2.0.0-rc4, this means that all versions that were released before January 2020 are using vulnerable versions of FreeRDP.”

Apache fixed all of these issues with the release of version 1.2.02 on June 28.
