RIP, RDP... nearly: Security house Check Point punches holes in remote desktop tools

25 bugs, three Windows and Linux clients – endless pwnage

Security biz Check Point has found some 25 security vulnerabilities in three of the most popular remote desktop protocol (RDP) tools for Windows and Linux.

The infosec outfit tasked its bug-hunters with a manual code audit on Microsoft mstsc as well as the FreeRDP and rdesktop remote desktop utilities, and what they turned up was a glut of potentially serious flaws and security weaknesses.

Of the 25 CVE-listed vulnerabilities included in Check Point's report on its findings, 15 could be potentially exploited to achieve remote code execution. For what it's worth, Check Point focused its effort on attacks that flowed from the server to the client.

The idea of the study, Check Point said, was to look at the ways someone trying to connect to a machine, such as an admin or tech support staff, could actually be compromised by the box they wanted to remotely access.

"In a normal scenario, you use an RDP client, and connect to a remote RDP server that is installed on the remote computer. After a successful connection, you now have access to and control of the remote computer, according to the permissions of your user," Check Point's Eyal Itkin said.

"But if the scenario could be put in reverse? We wanted to investigate if the RDP server can attack and gain control over the computer of the connected RDP client."


As it turns out, there are more than a few ways the RDP server could be used to attack the remote user. The researchers found that many of the channels used to exchange data between the two points do not properly check for the length of packets being sent, potentially allowing the server to throw malformed packets at the client to trigger out-of-bounds read errors and integer overflows that would potentially set up remote code execution attacks.
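The length-checking flaw described above, as an added example (not code from Check Point, FreeRDP, rdesktop or Microsoft): a client-side parser shown first with a 32-bit multiplication that wraps, then with the check done safely. The message layout, the 4096-byte limit and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical server-to-client message invented for this example (not a real
 * RDP PDU): u32 count | u32 item_size | count * item_size payload bytes,
 * little-endian. */
enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_BAD_LENGTH = -2 };

/* Constructed input: count = 0x10000001, item_size = 16, 16 payload bytes.
 * The true product is 0x100000010, which wraps to 16 in 32-bit arithmetic. */
const uint8_t WRAP_MSG[24] = { 0x01, 0x00, 0x00, 0x10, 0x10, 0x00, 0x00, 0x00 };

static uint32_t read_u32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Flawed pattern: the product is computed in 32 bits, so a huge count wraps
 * to a small total and the bounds check passes. Returns 1 if accepted. */
int accepts_unchecked(const uint8_t *buf, size_t len)
{
    if (len < 8)
        return 0;
    uint32_t total = read_u32le(buf) * read_u32le(buf + 4); /* may wrap */
    return total <= len - 8;
}

/* Hardened: sizes are checked against the bytes actually received, and the
 * multiplication is widened to 64 bits before the comparison. */
enum parse_status parse_item_table(const uint8_t *buf, size_t len,
                                   uint32_t *count_out, uint32_t *size_out)
{
    if (buf == NULL || count_out == NULL || size_out == NULL || len < 8)
        return PARSE_TRUNCATED;
    uint32_t count = read_u32le(buf);
    uint32_t item_size = read_u32le(buf + 4);
    if (item_size == 0 || item_size > 4096)   /* limit assumed for the example */
        return PARSE_BAD_LENGTH;
    uint64_t total = (uint64_t)count * item_size;
    if (total > (uint64_t)(len - 8))
        return PARSE_BAD_LENGTH;
    *count_out = count;
    *size_out = item_size;
    return PARSE_OK;
}
```
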

Another particularly vulnerable point of attack was the way the client and server share data through a common clipboard. Because, again, the data traffic over this channel is not properly sanitized, the shared clipboard would allow for path traversal attacks, or for information disclosure caused by the server peeking into the activity of the client's local clipboard.

A malicious RDP server can modify any clipboard content used by the client, worryingly, even if the client does not issue a "copy" operation inside the RDP window. "If you click 'paste' when an RDP connection is open, you are vulnerable to this kind of attack," noted Check Point's Itkin.

"For example, if you copy a file on your computer, the server can modify your (executable?) file / piggyback your copy to add additional files / path-traversal files using the previously shown PoC," it added.
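The client-side check that closes off the path-traversal case, as an added example (not code from any of the audited clients): every file name received over the shared clipboard is validated before anything is written under the paste destination. The function names and the sample names are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Returns true only if `name`, a relative path received from the remote side
 * (hypothetical file-list entry), stays inside the paste destination. */
bool clipboard_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    if (name[0] == '/' || name[0] == '\\')      /* absolute or UNC path */
        return false;
    if (strchr(name, ':') != NULL)              /* drive letter or stream */
        return false;
    const char *p = name;
    while (*p != '\0') {
        size_t n = strcspn(p, "/\\");           /* length of this component */
        if (n == 0)                             /* empty component: "a//b" */
            return false;
        if ((n == 1 && p[0] == '.') || (n == 2 && p[0] == '.' && p[1] == '.'))
            return false;                       /* "." or ".." component */
        p += n;
        if (*p != '\0' && *++p == '\0')         /* skip separator; no trailing one */
            return false;
    }
    return true;
}

/* Constructed sample of names as a remote side might send them. */
const char *const SAMPLE_NAMES[] = {
    "report.docx", "photos/2019/a.png", "..\\..\\outside.txt",
    "docs/../../outside.txt", "C:\\outside.txt",
};
const size_t SAMPLE_COUNT = sizeof SAMPLE_NAMES / sizeof SAMPLE_NAMES[0];

/* Counts the entries a client should refuse to write. */
size_t count_rejected(const char *const *names, size_t n)
{
    size_t rejected = 0;
    for (size_t i = 0; i < n; i++)
        if (!clipboard_name_is_safe(names[i]))
            rejected++;
    return rejected;
}
```
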

In total, the manual source code review led to the assignment of 19 CVE-listed vulnerabilities in rdesktop, and six in FreeRDP. To secure yourself against exploitation: rdesktop is, we're told, fixed as of version 1.8.4, and FreeRDP as of version 2.0.0-rc4, so make sure you're running those builds or later.

Foggy Windows

The findings for Microsoft's closed-source RDP client were a bit more murky. Though Check Point found Windows RDP to be vulnerable to the above-mentioned clipboard issues, the security house said Redmond did not see it as serious enough to merit a CVE or security patch assignment.

Regardless, Check Point ultimately concluded that there is real potential for RDP to be abused by an attacker posing as a remote user or employee who might then compromise an admin simply by requesting an RDP service. It also mused that it could be used by criminals to fight back against malware researchers who use RDP to connect to virtual machines for analysis.

On a lighter note, Check Point also suggested that the bugs could allow for a bit of mischief between security teams.

"As rdesktop is the built-in client in Kali Linux, a Linux distro used by red teams for penetration testing, we thought of a 3rd (though probably not practical) attack scenario," Itkin's report stated. "Blue teams can install organizational honeypots and attack red teams that try to connect to them through the RDP protocol." ®
