Remote Desktop Protocol (RDP) pipes have a security bug that could allow any standard, unprivileged Joe-Schmoe user to access other connected users’ machines. If exploited, it could lead to data-privacy issues, lateral movement and privilege escalation, researchers warned.
Insider attackers could, for instance, view and modify other people’s clipboard data or impersonate other logged-in users using smart cards.
The vulnerability, tracked as CVE-2022-21893, wasn’t ballyhooed amid yesterday’s crowded mega-dump of Patch Tuesday security updates, but it’s more than worthy of scrutiny, according to a Tuesday report from CyberArk. The firm had discovered the bug lurking in Windows Remote Desktop Services.
What’s more, it’s a widespread issue. The bug dates back at least to Windows Server 2012 R2, CyberArk software architect and security champion Gabriel Sztejnworcel wrote, leading the firm to conclude that the latest versions of Windows – including client and server editions – are affected.
“We can say that the majority of Windows versions in use today are affected,” he confirmed.
It’s also easy to exploit. Microsoft said that an exploit of the vulnerability would be of low complexity, leading to a CVSS criticality rating of 7.7 out of 10, making it “important” in severity.
Understanding RDP’s Pipe Plumbing
Sztejnworcel’s writeup goes into great detail about how the attack works, but some basics on RDP plumbing include the fact that RDP splits a single connection into multiple logical connections called virtual channels for handling different types of data. Some channels are responsible for the core functionality of RDP, such as graphical and input data, and other channels handle protocol extensions, such as clipboard, drive and printer redirection.
“There is also an API for working with virtual channels which allows writing an application that communicates with RDP clients over custom virtual channels,” CyberArk explained, pointing to a blog post that spells out the basics of the RDP protocol.
The vulnerability involves the attack surface presented by named pipes, which are a common method for interprocess communication in Windows and which work in a client/server model.
Both sides specify the name of the pipe in the format \\.\pipe\name (for the server, or for a client that connects to a local named pipe) or \\hostname\pipe\name (for a client that connects to a remote named pipe). Once the connection is established, both the client and the server use the WriteFile and ReadFile functions to exchange data.
It’s common to have one server process that handles multiple clients by creating multiple pipe server instances, meaning that the server process will call CreateNamedPipe multiple times with the same pipe name, CyberArk explained.
“Each time it will get a new server instance,” according to the writeup. “When a client connects to a named pipe server, it connects to one instance. If there are multiple instances available, the client will connect to the one that was created first [FIFO, or first-in, first-out ordering].”
But because each call to CreateNamedPipe is independent, potentially malicious processes may create pipe server instances of the same name. “Combining this with the FIFO behavior, we can start to see how this can lead to several issues,” Sztejnworcel continued.
A process can create pipe-server instances with the name of an existing pipe server, if the security descriptor of the first instance allows it, he said. And, in fact, that’s what the TSVCPIPE security descriptor does: It “allows any user to create pipe server instances of the same name,” he said, while the data is sent over the pipes “in clear text and without any integrity checks.”
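The weakness described above comes down to a single access right: a named pipe’s DACL decides who may call CreateNamedPipe with an existing name and receive another server instance (the FILE_CREATE_PIPE_INSTANCE bit, 0x4 in the file access mask). The following audit script is an added example, not CyberArk’s code and not the real TSVCPIPE descriptor: it parses an SDDL string and reports which broad principals (Everyone, Authenticated Users, Builtin\Users, Interactive) are allowed that bit. The two descriptors at the bottom are constructed for illustration, one mirroring the “any user may create instances” weakness and one that lets ordinary users read and write the pipe without being able to add instances.

```python
import re

# FILE_CREATE_PIPE_INSTANCE is bit 0x4 of the file access mask (it shares the bit with
# FILE_APPEND_DATA). Whoever holds it on a pipe may call CreateNamedPipe with the same
# name and obtain another server instance, which is what the TSVCPIPE DACL allowed.
FILE_CREATE_PIPE_INSTANCE = 0x00000004

# Two-letter SDDL rights tokens and their access-mask values (standard Windows definitions).
SDDL_RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "WO": 0x00080000, "WD": 0x00040000, "RC": 0x00020000, "SD": 0x00010000,
    "CC": 0x00000001, "DC": 0x00000002, "LC": 0x00000004, "SW": 0x00000008,
    "RP": 0x00000010, "WP": 0x00000020, "DT": 0x00000040, "LO": 0x00000080,
    "CR": 0x00000100,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
}
# Named pipes are file objects, so GENERIC_* rights resolve through the file generic mapping.
GENERIC_MAP = {0x10000000: 0x001F01FF, 0x80000000: 0x00120089,
               0x40000000: 0x00120116, 0x20000000: 0x001200A0}

# SDDL SID aliases that effectively mean "any local user": Everyone, Authenticated Users,
# Builtin\Users and Interactive.
BROAD_PRINCIPALS = ("WD", "AU", "BU", "IU")


def parse_rights(token):
    """Map an SDDL rights field ('GA', 'FRFW', '0x12019b', '') to a specific access mask."""
    if not token:
        return 0
    if token.lower().startswith("0x"):
        mask = int(token, 16)
    else:
        mask = 0
        for i in range(0, len(token), 2):
            mask |= SDDL_RIGHTS[token[i:i + 2]]
    for generic, specific in GENERIC_MAP.items():
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask


def parse_dacl(sddl):
    """Return the DACL of an SDDL string as ordered (ace_type, access_mask, sid) tuples.
    Only plain ACEs are handled; conditional or object ACEs would need a fuller parser."""
    m = re.search(r"D:(.*?)(?:S:|$)", sddl)
    if not m:
        return []
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = ace.split(";")
        if len(fields) < 6:
            raise ValueError("unsupported ACE: " + ace)
        aces.append((fields[0], parse_rights(fields[2]), fields[5]))
    return aces


def who_can_create_instances(sddl):
    """Return the broad principals whose first ACE mentioning FILE_CREATE_PIPE_INSTANCE
    is an Allow. Each alias is matched literally (no group expansion), so treat the
    result as an audit flag rather than a full access check."""
    if "D:" not in sddl:
        # No DACL component: treated like a NULL DACL, which grants everyone full access.
        return set(BROAD_PRINCIPALS)
    granted = set()
    for principal in BROAD_PRINCIPALS:
        for ace_type, mask, sid in parse_dacl(sddl):
            if sid != principal or not mask & FILE_CREATE_PIPE_INSTANCE:
                continue
            if ace_type == "A":
                granted.add(principal)
            break  # in a canonical DACL the first ACE naming this SID and this bit decides
    return granted


if __name__ == "__main__":
    # Constructed descriptors, not the real TSVCPIPE one. The first gives Everyone GENERIC_ALL;
    # the second lets Authenticated Users read and write the pipe (0x12019b) while withholding
    # bit 0x4, so only SYSTEM and Administrators can add server instances.
    weak = "O:SYG:SYD:(A;;GA;;;WD)"
    hardened = "O:SYG:SYD:(A;;FA;;;SY)(A;;FA;;;BA)(A;;0x12019b;;;AU)"
    print("weak:", who_can_create_instances(weak))          # {'WD'}
    print("hardened:", who_can_create_instances(hardened))  # set()
```

The same check can be pointed at any custom virtual channel pipe: obtain its SDDL (for example with the Win32 GetSecurityInfo APIs or a tool that prints pipe ACLs) and confirm that no broad principal is left holding bit 0x4; the pipe server itself should additionally pass FILE_FLAG_FIRST_PIPE_INSTANCE so that it fails loudly if someone else already owns the name.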
The Attack
With that background in mind, CyberArk outlined this basic attack:
- An attacker connects to a remote machine via RDP
- The attacker lists the open named pipes and finds the full name of the TSVCPIPE pipe
- The attacker creates a pipe server instance with the same name and waits for a new connection
- Once a new connection arrives, RDS creates its own pipe server instance for the session and a pipe client that will attempt to connect to it
- Because of the FIFO, the pipe client will connect to the attacker pipe server instance instead of the one created by the RDS service
- The attacker connects as a client to the real RDS pipe server instance
- The attacker holds both ends of the connection; they can act as man-in-the-middle (MitM), passing the data back and forth, viewing and (optionally) modifying it
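Each step above leaves telemetry on the host: Sysmon records pipe server creation as Event ID 17 and client connection as Event ID 18, with the process image and pipe name in both. The detector below is an added example written for this article, not CyberArk’s tooling. It runs over constructed Sysmon-style events (not real logs) and raises an alert when a process outside an assumed allow-list creates an instance of a TSVCPIPE-named pipe (step 3), when it connects as a client to one (step 6), and, generalizing beyond TSVCPIPE to the precondition the writeup describes, when a second distinct image creates an instance of any pipe name. The allow-lists (svchost.exe hosting Remote Desktop Services, rdpclip.exe as a legitimate in-session client) and the pipe suffix “CONSTRUCTED-1” are assumptions to be replaced with a baseline from your own hosts.

```python
import re
from collections import defaultdict

# Remote Desktop Services virtual-channel pipes are named TSVCPIPE plus a per-session suffix;
# the attacker in the article enumerates open pipes to learn the full name.
TSVCPIPE_RE = re.compile(r"^\\TSVCPIPE", re.IGNORECASE)

# ASSUMPTION: images allowed to own TSVCPIPE server instances (Remote Desktop Services runs
# inside svchost.exe) and to attach to them as clients (rdpclip.exe handles clipboard
# redirection). Baseline and tune both sets for your environment.
RDS_SERVER_IMAGES = {r"C:\Windows\System32\svchost.exe"}
RDS_CLIENT_IMAGES = {r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\rdpclip.exe"}

# Constructed Sysmon-style events (Event ID 17 = pipe created, 18 = pipe connected), not real
# telemetry. The sequence follows the attack steps: squat, new session, attacker attaches.
SAMPLE_EVENTS = [
    {"EventID": 17, "UtcTime": "2022-01-12 09:00:01.000", "Image": r"C:\Windows\System32\svchost.exe",
     "User": r"NT AUTHORITY\SYSTEM", "PipeName": r"\TSVCPIPE-CONSTRUCTED-1"},
    {"EventID": 17, "UtcTime": "2022-01-12 09:00:05.000", "Image": r"C:\Users\bob\squat.exe",
     "User": r"HOST\bob", "PipeName": r"\TSVCPIPE-CONSTRUCTED-1"},
    {"EventID": 17, "UtcTime": "2022-01-12 09:00:09.000", "Image": r"C:\Windows\System32\svchost.exe",
     "User": r"NT AUTHORITY\SYSTEM", "PipeName": r"\TSVCPIPE-CONSTRUCTED-1"},
    {"EventID": 18, "UtcTime": "2022-01-12 09:00:10.000", "Image": r"C:\Windows\System32\rdpclip.exe",
     "User": r"HOST\alice", "PipeName": r"\TSVCPIPE-CONSTRUCTED-1"},
    {"EventID": 18, "UtcTime": "2022-01-12 09:00:11.000", "Image": r"C:\Users\bob\squat.exe",
     "User": r"HOST\bob", "PipeName": r"\TSVCPIPE-CONSTRUCTED-1"},
    {"EventID": 17, "UtcTime": "2022-01-12 09:01:00.000", "Image": r"C:\Program Files\Contoso\agent.exe",
     "User": r"NT AUTHORITY\SYSTEM", "PipeName": r"\contoso-agent"},
]


def detect_pipe_squatting(events, server_images=RDS_SERVER_IMAGES, client_images=RDS_CLIENT_IMAGES):
    """Scan pipe events in order and return a list of alert dicts. Rules:
    tsvcpipe-foreign-server: a process outside server_images creates a TSVCPIPE instance
        (attack step 3; FIFO matching will hand it the next RDS pipe client);
    pipe-multiple-creators: a second distinct image creates an instance of ANY pipe name,
        the general precondition the writeup describes;
    tsvcpipe-foreign-client: a process outside client_images connects to a TSVCPIPE pipe
        (attack step 6, the attacker attaching to the real RDS server instance)."""
    alerts = []
    creators = defaultdict(set)  # lower-cased pipe name -> images that created an instance
    for ev in events:
        name, image = ev.get("PipeName", ""), ev.get("Image", "")
        is_tsvc = bool(TSVCPIPE_RE.match(name))
        base = {"UtcTime": ev["UtcTime"], "Image": image, "User": ev.get("User"), "PipeName": name}
        if ev["EventID"] == 17:
            if is_tsvc and image not in server_images:
                alerts.append(dict(base, rule="tsvcpipe-foreign-server"))
            seen = creators[name.lower()]
            if image not in seen:
                seen.add(image)
                if len(seen) > 1:
                    alerts.append(dict(base, rule="pipe-multiple-creators", creators=sorted(seen)))
        elif ev["EventID"] == 18 and is_tsvc and image not in client_images:
            alerts.append(dict(base, rule="tsvcpipe-foreign-client"))
    return alerts


if __name__ == "__main__":
    for alert in detect_pipe_squatting(SAMPLE_EVENTS):
        print(alert["UtcTime"], alert["rule"], alert["Image"], alert.get("User"))
```

On the constructed sample, only the three events involving squat.exe produce alerts; the legitimate second svchost.exe instance for the new session and the rdpclip.exe client pass quietly. The multiple-creators rule is deliberately broad and will need a baseline on real hosts, since some software legitimately opens several instances of a pipe from more than one image; the two TSVCPIPE rules are the ones worth routing straight to an analyst.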
CyberArk pulled together those steps to create a MitM attack, demonstrated in a video in its report, that prints the data passing through the pipes. As the video shows, the researchers were able to see clipboard data that could have comprised images, files or text that might contain personal data or sensitive data such as passwords, “which is often the case in RDP sessions,” Sztejnworcel said.
Accessing Other Users’ Redirected Drives, Smart Cards
But where’s the fun in printing out just raw data? CyberArk said that combing through all of the info produced by its initial exploit tool was “tedious and impractical,” so the researchers decided to target the device redirection channel (RDPDR): one of several other channels that use these pipes, each of which has its own protocol.
Of note: RDPDR itself was one of the tools used to exploit an earlier Windows RDP vulnerability, CVE-2019-0708, which is the wormable Microsoft BlueKeep flaw that left a million devices vulnerable to a WannaCry-like cyberattack in 2019.
“The RDPDR channel is used for redirecting devices such as drives and smart cards from the client machine to the remote session,” CyberArk explained. “If a user connects using a smart card (or just redirects their smart card to use it from within the session), the attacker could also take over the user’s smart card and use it as if it were connected to their machine.”
The writeup continued: “When the victim enters their smart-card PIN number, an IO control request is sent to the smart card over the channel with the PIN number in clear text, so the attacker can see it. The attacker can now connect to any resource, on the same machine or on other machines, using the victim’s smart card and PIN number, effectively impersonating the victim’s security context. In case the victim logs in with a privileged account, this leads to privilege escalation.”
RDP attacks are as old as dirt, but this new vulnerability adds a twist, showing “an example of an unconventional attack vector targeting RDP. Instead of tapping into the input side of the server/client as one usually does, we abused the RDP server internal mechanism as an entry point,” the report summed up.
While CyberArk researchers chose to focus on drive and smart-card redirection, they said that they believe that the same technique would work with other types of devices, protocols and channels, such as printers, audio, USB devices and authentication redirection (via Remote Credential Guard).
They’re “strongly” recommending applying the patch Microsoft issued on Tuesday, given that “almost all Windows versions are affected.” They also suggested that developers of applications that use custom virtual channels “should check whether they are vulnerable and conduct their own security assessment.”
A New Way to Shoot the Old RDP Sitting Duck
Last July, writing for Threatpost, experts with Kroll’s Cyber Risk practice took a look at the complexities of setting up RDP for remote work, noting that the protocol itself “is not a secure setup” and therefore requires “additional security measures to keep workstations and servers protected.”
They said that without proper security protocols, “organizations face several potential risks, including the increased risk of cyberattacks.”
Matt Dunn, Kroll associate managing director, wrote that the typical targets of RDP attacks “tend to be small businesses, because they often lack the resources needed to protect against and respond to these threats.”
Cybercrooks like to target RDP vulnerabilities for a number of reasons, with the most common objectives including distributed denial of service (DDoS) attacks and ransomware delivery.
As remote work has surged, cybercriminals have taken note of the increased adoption of RDP – not hard to do, given that a simple Shodan search reveals thousands of vulnerable servers reachable via the internet, along with millions of exposed RDP ports. In fact, between Q1 and Q4 2020, attacks against RDP surged by 768 percent, Dunn noted, while an October 2020 report published by Kroll identified that 47 percent of ransomware attacks were preceded by RDP compromise.
Bud Broomhead, CEO at Viakoo, observed that RDP vulnerabilities “enable some of the worst cyber-criminal activities, including planting of deepfakes, data exfiltration, and spoofing of identity and credentials.”
He told Threatpost on Wednesday that while RDP is required for normal system maintenance, it can’t be left to run on its lonesome. “Additional defenses like establishing a zero-trust framework and having an automated method of quickly implementing firmware fixes are needed to ensure RDP is used safely,” he said via email.
CyberArk’s finding of the RDP vulnerability underscores “an important operating reality,” according to Tim Wade, technical director for the CTO team at Vectra. Namely, as he succinctly told Threatpost on Wednesday, “sharing memory and compute with an adversary is an extremely risky business!”
Photo courtesy of PxHere.