Earlier this year, researchers disclosed[1]
clipboard hijacking and path-traversal issues in Microsoft’s
built-in Windows RDP client that could allow a malicious RDP server
to compromise a client computer, in reverse.
(You can find details and a video demonstration for this
security vulnerability, along with dozens of critical flaws in
other third-party RDP clients, in a previous
article[2] written by Swati
Khandelwal for The Hacker News.)
When researchers responsibly reported this
path-traversal issue to Microsoft, in October 2018, the company
acknowledged the issue but decided not to address it.
Now, it turns out that Microsoft silently patched this
vulnerability[3] (CVE-2019-0887)
just last month as part of its July Patch Tuesday updates after
Eyal Itkin, security researcher at CheckPoint, found the same issue
affecting Microsoft’s Hyper-V technology as well.
Microsoft’s Hyper-V is a virtualization technology that comes
built into the Windows operating system, enabling users to run
multiple operating systems at the same time as virtual machines.
Microsoft’s Azure cloud service also uses Hyper-V for server
virtualization.
with a graphical user interface that allows users to manage their
local and remote virtual machines (VMs). According to a report[4] CheckPoint researchers
shared with The Hacker News, the Enhanced Session Mode in
Microsoft’s Hyper-V Manager, behind the scenes, uses the same
implementation as Windows Remote Desktop Services to let the
host machine connect to a guest virtual machine and share
synchronized resources like clipboard data.
“It turns out that RDP is used behind the scenes as the control
plane for Hyper-V. Instead of re-implementing screen-sharing,
remote keyboard, and a synchronized clipboard, Microsoft decided
that all of these features are already implemented as part of RDP,
so why not use it in this case as well?” researchers say.
vulnerabilities reside in Windows RDP, including the clipboard
hijacking and path-traversal vulnerabilities that could lead to
a guest-to-host VM escape attack, “effectively allowing one to break
out of a Virtual Machine and reach the hosting machine, virtually
breaking the strongest security mitigation provided by the
virtualization environment.”
As demonstrated previously, the flaws could allow a malicious or
compromised guest machine to trick the host user into unknowingly
saving a malicious file in their Windows startup folder, which
will automatically get executed every time the system boots.
“A malicious RDP server can send a crafted file transfer clipboard
content that will cause a Path-Traversal on the client’s machine,”
researchers explain.
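
A receiving-side check for the path traversal described above, as an added example that is not code from the original article, Microsoft or Check Point: it confines file names offered by the remote side to the folder the user pasted into. The function names, the sample names and the decision to allow nested relative names are assumptions made for illustration.

```python
import ntpath  # Windows path rules, importable on any OS


class UnsafeClipboardPath(ValueError):
    """A peer-supplied file name would land outside the paste folder."""


def resolve_paste_target(dest_dir, peer_name):
    """Map a file name offered by the remote side to a path under dest_dir."""
    if not peer_name or "\x00" in peer_name:
        raise UnsafeClipboardPath("empty name or embedded NUL")
    drive, rest = ntpath.splitdrive(peer_name.replace("/", "\\"))
    if drive or rest.startswith("\\"):
        raise UnsafeClipboardPath("absolute, drive-relative or UNC name")
    if ":" in rest:
        raise UnsafeClipboardPath("stream or device syntax in name")
    if any(part in ("", ".", "..") for part in rest.split("\\")):
        raise UnsafeClipboardPath("empty, '.' or '..' path component")
    base = ntpath.normpath(dest_dir)
    target = ntpath.normpath(ntpath.join(base, rest))
    # Defense in depth: re-check containment on the normalized result.
    if ntpath.commonpath([base, target]).lower() != base.lower():
        raise UnsafeClipboardPath("resolved path escapes the paste folder")
    return target


def screen_names(dest_dir, peer_names):
    """Split peer-supplied names into accepted targets and rejected names."""
    accepted, rejected = {}, {}
    for name in peer_names:
        try:
            accepted[name] = resolve_paste_target(dest_dir, name)
        except UnsafeClipboardPath as exc:
            rejected[name] = str(exc)
    return accepted, rejected


# Constructed sample names (assumption), not captured from a real session.
SAMPLE_NAMES = [
    "report.docx",
    "photos\\trip\\a.jpg",
    "..\\..\\elsewhere\\dropped.exe",
    "C:\\Windows\\Temp\\x.dll",
    "\\\\fileserver\\share\\x.txt",
    "notes.txt:hidden",
]
if __name__ == "__main__":
    ok, bad = screen_names(r"C:\Users\alice\Desktop", SAMPLE_NAMES)
    print(ok, bad, sep="\n")
```

The name is validated before it is joined to the destination, and containment is checked again on the normalized result, so a name is refused even if one of the two checks is later weakened.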
vulnerability immediately after the researchers disclosed the
Hyper-V implications of this flaw, which is now identified as
CVE-2019-0887.
“A remote code execution vulnerability exists in Remote Desktop
Services – formerly known as Terminal Services – when an
authenticated attacker abuses clipboard redirection,” Microsoft
said while explaining the vulnerability in its security advisory.
“An attacker who successfully exploited this vulnerability could
execute arbitrary code on the victim system. An attacker could then
install programs; view, change, or delete data; or create new
accounts with full user rights.”
Path-Traversal vulnerability and strongly recommended that all users
install the security patch to protect their RDP
connections as well as their Hyper-V environment.
References
- [1] disclosed (thehackernews.com)
- [2] previous article (thehackernews.com)
- [3] patched this vulnerability (portal.msrc.microsoft.com)
- [4] report (research.checkpoint.com)