Security researcher Eyal Itkin described how he discovered vulnerabilities in RDP at the recently concluded Black Hat conference. The researchers reported a Remote Desktop Protocol (RDP) vulnerability to Microsoft last October. At the time, Microsoft did not take it seriously; only after it noticed that the vulnerability jeopardized Hyper-V did it request a CVE ID. The vulnerability was fixed in July this year.
RDP is a proprietary protocol developed by Microsoft that allows users or IT staff to connect to remote computers. Besides Windows users, Linux and macOS users also rely on it through the many open-source RDP clients.
Typically, an RDP client program connects to the RDP server installed on the remote computer in order to access and control that computer. RDP also provides compressed video streaming, clipboard sharing and other functions. Itkin found many vulnerabilities in the clipboard sharing function of the RDP client program (mstsc.exe). One of the vulnerabilities concerns copying a set of files to another computer: it is equivalent to allowing the RDP server to put arbitrary files on the user's computer, such as placing a malicious script in the client's Startup folder. The malicious script is executed as soon as the device is restarted, and the attacker is then able to take control of the computer.
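As an added example (not code from this article, from Itkin, or from Microsoft's patch), the Python below shows the kind of check a client can apply to file names announced by the remote side before it writes pasted files, so that none can land outside the chosen destination folder. The function names, the destination folder and the sample file list are constructed for illustration.

```python
import ntpath
from pathlib import PureWindowsPath

def safe_paste_target(dest_dir: str, peer_name: str) -> str:
    """Map a peer-supplied file name to a path inside dest_dir, or raise ValueError."""
    # Treat '/' as a separator too, so mixed separators cannot dodge the checks.
    name = peer_name.replace("/", "\\")
    p = PureWindowsPath(name)
    if p.drive or p.root:
        raise ValueError(f"absolute, drive or UNC path: {peer_name!r}")
    if not p.parts:
        raise ValueError("empty file name")
    for part in p.parts:
        if part == "..":
            raise ValueError(f"parent-directory component: {peer_name!r}")
        if ":" in part:
            raise ValueError(f"colon (stream or drive syntax): {peer_name!r}")
        # Windows naming rules disallow a trailing space or period; reject
        # such names rather than guess how they will be normalised.
        if part != part.rstrip(" ."):
            raise ValueError(f"trailing dot or space: {peer_name!r}")
    base = ntpath.normpath(dest_dir)
    target = ntpath.normpath(ntpath.join(base, *p.parts))
    # Defence in depth: the normalised result must still sit under dest_dir.
    if ntpath.commonpath([base, target]).lower() != base.lower():
        raise ValueError(f"escapes destination: {peer_name!r}")
    return target

def check_file_list(dest_dir, names):
    """Split a received file list into accepted targets and rejected names."""
    accepted, rejected = [], []
    for n in names:
        try:
            accepted.append(safe_paste_target(dest_dir, n))
        except ValueError as exc:
            rejected.append((n, str(exc)))
    return accepted, rejected

# Constructed sample: a file list as a remote peer might announce it.
DEST = r"C:\Users\alice\Desktop"
SAMPLE = [r"docs\report.txt", r"..\..\elsewhere\run.bat", "docs/../../x.txt",
          r"C:\Windows\x.txt", r"\\host\share\x.txt", "notes.txt:hidden"]

if __name__ == "__main__":
    ok, bad = check_file_list(DEST, SAMPLE)
    print(ok)
    for name, why in bad:
        print("rejected", name, "->", why)
```

Only the first sample name is accepted; the other five are rejected before any file would be written.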
Itkin reported the vulnerability to Microsoft last October. Microsoft responded in December of the same year, acknowledging that the path traversal vulnerability was valid but saying it did not meet Microsoft's bar for servicing. It would therefore not assign a vulnerability number and did not intend to fix it.
Itkin then published an article about this RDP vulnerability in February this year, which attracted a lot of feedback. Some developers asked whether the vulnerability would affect Hyper-V, which is based on the same protocol, and pressed Itkin to conduct further research.
Hyper-V is a virtualization technology developed by Microsoft. It is used in the Azure cloud and is the virtualization product on Windows 10. It has a graphical user interface that lets users manage local or remote virtual machines.
Hyper-V has an Enhanced Session mode. When the mode is enabled, it can redirect devices and resources from the local side. It also has a clipboard synchronization feature. Itkin found that the settings interface for this synchronization feature is identical to RDP's and that the same script can be used against it. The result is a Hyper-V guest-to-host virtual machine escape caused by the RDP vulnerabilities.
In this way, Hyper-V, by relying on other software libraries, inherits all the security vulnerabilities in the libraries it uses. Itkin reported this discovery to Microsoft again, and this time Microsoft treated it with care and patched the security hole, numbered CVE-2019-0887, in July.
Microsoft also treats this incident as a research case and thanked Itkin for his assistance. In addition to fixing the operating system, the company will pay more attention to the impact of system security vulnerabilities on the cloud environment.
Published by Emerson L. Sullivan & last updated on August 12, 2019 3:45 am