Remember the Reverse RDP Attack—wherein a client system vulnerable to a path traversal vulnerability could get compromised when remotely accessing a server over Microsoft’s Remote Desktop Protocol?
Though Microsoft had patched the vulnerability (CVE-2019-0887) as part of its July 2019 Patch Tuesday update, it turns out researchers were able to bypass the patch just by replacing the backward slashes in paths with forward slashes.
Microsoft acknowledged the improper fix and re-patched the flaw in its February 2020 Patch Tuesday update earlier this year, now tracked as CVE-2020-0655.
In the latest report shared with The Hacker News, Check Point researcher disclosed that Microsoft addressed the issue by adding a separate workaround in Windows while leaving the root of the bypass issue, an API function “PathCchCanonicalize,” unchanged.
Apparently, the workaround works fine for the built-in RDP client in Windows operating systems, but the patch is not fool-proof enough to protect other third-party RDP clients against the same attack that relies on the vulnerable sanitization function developed by Microsoft.
“We found that not only can an attacker bypass Microsoft’s patch, but they can bypass any canonicalization check that was done according to Microsoft’s best practices,” Check Point researcher Eyal Itkin said in a report shared with The Hacker News.
For those unaware, path traversal attacks occur when a program that accepts a file as input fails to verify it, allowing an attacker to save the file in any chosen location on the target system, and thus exposing the contents of files outside of the root directory of the application.
“A remote malware-infected computer could take over any client that tries to connect to it. For example, if an IT staff member tried to connect to a remote corporate computer that was infected by malware, the malware would be able to attack the IT staff member’s computer as well,” the researchers described.
Here’s a demonstration video on the original vulnerability from the last year:
An Improperly Patched Path Traversal Flaw
According to researchers, the July patch can be bypassed because of a problem that lies in its path canonicalization function “PathCchCanonicalize,” which is used to sanitize file paths, thus allowing a bad actor to exploit the clipboard synchronization between a client and a server to drop arbitrary files in arbitrary paths on the client machine.
In other words, when using the clipboard redirection feature while connected to a compromised RDP server, the server can use the shared RDP clipboard to send files to the client’s computer and achieve remote code execution.
Although Check Point researchers originally confirmed that “the fix matches our initial expectations,” it appears there’s more to it than meets the eye: the patch can be simply bypassed by replacing backward slashes (e.g., file\to\location) in paths with forward slashes (e.g., file/to/location), which traditionally act as path separators in Unix-based systems.
“It seems that PathCchCanonicalize, the function that is mentioned in Windows’s best practice guide on how to canonicalize a hostile path, ignored the forward-slash characters,” Itkin said. “We verified this behavior by reverse-engineering Microsoft’s implementation of the function, seeing that it splits the path to parts by searching only for ‘\’ and ignoring ‘/.'”
The cybersecurity firm said it found the flaw when trying to examine Microsoft’s Remote Desktop client for Mac, an RDP client that was left out from their initial analysis last year. Interestingly, the macOS RDP client in itself isn’t vulnerable to CVE-2019-0887.
With the main vulnerability still not rectified, Check Point cautioned that the implications of a simple bypass to a core Windows path sanitation function pose a serious risk to many other software products that could potentially be affected.
“Microsoft neglected to fix the vulnerability in their official API, and so all programs that were written according to Microsoft’s best practices will still be vulnerable to a Path-Traversal attack,” Check Point’s Omri Herscovici said. “We want developers to be aware of this threat so that they could go over their programs and manually apply a patch against it.”