Security researchers analysing Remote Desktop clients for the popular remote desktop protocol, used to connect to non-local Windows machines, have unearthed multiple vulnerabilities.
Check Point analysed the FreeRDP and rdesktop (the default client for the Kali Linux penetration testing distribution) remote access tools, along with Microsoft's mstsc.exe that comes with Windows.
In total, the research unearthed 25 vulnerabilities spread among the three clients, 16 of which were rated as major.
The proprietary RDP was developed by Microsoft, and the Check Point researchers said it is complicated and prone to vulnerabilities.
Perhaps due to its long experience with RDP, Microsoft came out relatively well in the analysis.
The researchers lauded the IT giant's code as being "better by several orders of magnitude" than open source alternatives and noted its RDP client had robust input and decompression checks.
Microsoft's RDP client also checked for integer overflows when processing bitmap updates, something both FreeRDP and rdesktop failed to do properly.
Whereas flaws in rdesktop version 1.8.3 opened up the possibility of remote code execution in ten cases, and five such vulnerabilities were found in FreeRDP, Check Point were only able to discover a path traversal issue over the shared RDP clipboard in Microsoft's client.
"If a client uses the “Copy & Paste” feature over an RDP connection, a malicious RDP server can transparently drop arbitrary files to arbitrary file locations on the client’s computer, limited only by the permissions of the client.
For example, we can drop malicious scripts to the client’s “Startup” folder, and after a reboot they will be executed on his computer, giving us full control," the researchers wrote.
They built a proof of concept attack and reported the issue to Microsoft.
Microsoft acknowledged the researchers' findings, but said the vulnerability does not meet the company's bar for servicing. Therefore, no patch will be developed to address the vulnerability.
Check Point recommends that users mitigate against the vulnerability in the Microsoft client by disabling bi-directional clipboard sharing over RDP.
Users should also avoid connecting to RDP servers that have not implemented sufficient security measures, the researchers advised.
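One way to audit for the clipboard mitigation recommended above, as an added example that is not from Check Point or Microsoft: the script walks a directory tree and lists saved .rdp connection files that still leave clipboard redirection on. It assumes the `redirectclipboard:i:0` setting of the .rdp file format turns sharing off and that a file without the setting has it enabled; the sample files and host name are constructed.

```python
import codecs
import sys
from pathlib import Path

# Constructed sample connection files (not taken from the article).
SAMPLE_SHARED = "full address:s:rdp.example.test\r\nredirectclipboard:i:1\r\n".encode("utf-16")
SAMPLE_LOCKED = b"full address:s:rdp.example.test\r\nredirectclipboard:i:0\r\n"
SAMPLE_DEFAULT = b"full address:s:rdp.example.test\r\n"


def decode_rdp(raw: bytes) -> str:
    """Decode .rdp bytes: UTF-16 when a BOM is present, otherwise UTF-8/ASCII."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8-sig", errors="replace")


def clipboard_enabled(raw: bytes) -> bool:
    """Return True unless the file explicitly and consistently disables the clipboard."""
    values = []
    for line in decode_rdp(raw).splitlines():
        # Settings have the form name:type:value, e.g. redirectclipboard:i:0
        parts = line.strip().split(":", 2)
        if len(parts) == 3 and parts[0].strip().lower() == "redirectclipboard":
            values.append(parts[2].strip())
    # Assumption: a missing setting means enabled. Duplicate lines are treated
    # conservatively: any value other than "0" counts as enabled.
    return not values or any(v != "0" for v in values)


def audit(root: Path) -> list[Path]:
    """List .rdp files under root that leave clipboard redirection enabled."""
    return sorted(
        p for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() == ".rdp"
        and clipboard_enabled(p.read_bytes())
    )


if __name__ == "__main__":
    for path in audit(Path(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(f"clipboard redirection enabled: {path}")
```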
The developers of the open source RDP clients were notified by Check Point. FreeRDP patched against the vulnerabilities in version 2.0.0-rc4 that was released on November 20, 2018, and rdesktop committed fixes for flaws found in version 1.8.4 on January 16 this year.