Remember the Reverse RDP attack, in which a client system vulnerable to a path traversal flaw could be compromised when it connected to a malicious server over the Microsoft Remote Desktop Protocol?
Although Microsoft fixed the vulnerability (CVE-2019-0887) in its July 2019 Patch Tuesday update, it turned out that researchers were able to bypass the patch simply by replacing the backslashes in file paths with forward slashes.
Microsoft acknowledged the incomplete patch and corrected the error in its February 2020 update earlier this year; the bypass is now tracked as CVE-2020-0655.
In a new report shared with The Hacker News, Check Point researchers said Microsoft fixed the problem by adding a separate workaround in Windows, leaving the root cause, the PathCchCanonicalize API, unchanged.
Clearly, the workaround in the built-in RDP client works on Windows, but the patch does nothing to protect third-party RDP clients that rely on Microsoft's vulnerable path sanitization function from the same attack.
"We discovered that an attacker can not only bypass a Microsoft patch, but can also bypass any canonicalization check performed according to Microsoft's best practices," said Check Point researcher Eyal Itkin in a report shared with The Hacker News.
For those who don't know: path traversal attacks occur when a program that receives a file path does not validate it. This allows the attacker to write the file to any location of their choosing on the target system, and can expose the contents of files outside the application's root directory.
A remote machine infected with malware can take over any client that tries to connect to it. For example, if an IT employee tries to connect to a remote corporate computer that has been infected with malware, the malicious code could also attack the IT employee's computer, as the researchers described.
The flaws were disclosed last year, and follow-up research in August showed that they also affected Microsoft's Hyper-V virtualization platform.
Here is a demonstration video of last year’s original vulnerability:
An improperly fixed path traversal bug
According to the researchers, the July patch can be bypassed because of a flaw in the PathCchCanonicalize function, which is used to sanitize file paths; the flaw allows an attacker to abuse client-server clipboard synchronization to drop arbitrary files on the client machine.
In other words, if the clipboard is used while connected to a compromised RDP server, the server can use the shared RDP clipboard to push files to the client machine and achieve remote code execution.
Although Check Point researchers initially confirmed that the fix was in line with their expectations, there turned out to be more to it than met the eye: the patch can be bypassed simply by replacing the backslashes in paths (e.g. file\to\location) with forward slashes (e.g. file/to/location), which traditionally serve as path separators on Unix systems.
"It seems that PathCchCanonicalize, a function mentioned in the Windows best practices guide for canonicalizing hostile paths, ignored the forward slash," Itkin said. "We verified this behavior by reverse engineering Microsoft's implementation of the function, finding that it splits the path into parts by searching only for backslashes and ignoring forward slashes."
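To make the separator problem concrete for the path traversal description above and for the PathCchCanonicalize finding, here is an added example that is not code from the Check Point report, from Microsoft, or from any RDP client. It models the behaviour the report describes (the path is cut into segments at backslashes only, so a ".." that follows a forward slash is never resolved) and puts a hardened variant beside it that folds both separators before resolving. The base directory, file names and the simplified canonicalizer are constructed for illustration; the real API's handling of drive roots and long paths is not modelled.

```python
# Added example: a simplified model of backslash-only canonicalization
# (the behaviour the report attributes to PathCchCanonicalize) next to a
# hardened check.  Not the real Windows API; paths are constructed.

BASE = r"C:\Users\alice\Downloads"   # constructed directory that files must stay under


def split_on_backslash(path: str) -> str:
    """Simplified model of the behaviour described above: the path is
    split at '\\' only, '.' and '..' segments are resolved, and the
    result is rejoined.  '/' is never treated as a separator, so a '..'
    that sits behind a '/' survives as plain text inside one segment."""
    out = []
    for seg in path.split("\\"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()           # never climbs above the first segment
            continue
        out.append(seg)
    return "\\".join(out)


def canonicalize_both_separators(path: str) -> str:
    """Hardened variant: fold '/' into '\\' before resolving, so a '..'
    segment is recognised whichever separator precedes it."""
    return split_on_backslash(path.replace("/", "\\"))


def is_contained(base: str, relative: str, canon) -> bool:
    """Canonicalize-then-compare containment check: canonicalize
    base + relative with the supplied function and require the result
    to stay under the canonical base."""
    base_c = canon(base)
    full_c = canon(base + "\\" + relative)
    return full_c == base_c or full_c.startswith(base_c + "\\")


def has_forward_slash(path: str) -> bool:
    """Cheap defensive pre-check for Windows paths received from a peer:
    reject any path containing '/' instead of trusting canonicalization
    to understand it."""
    return "/" in path


if __name__ == "__main__":
    samples = (r"sub\file.txt",            # benign
               r"..\..\..\outside.txt",    # traversal with backslashes
               "../../../outside.txt")     # same traversal, forward slashes
    for rel in samples:
        weak = is_contained(BASE, rel, split_on_backslash)
        hard = is_contained(BASE, rel, canonicalize_both_separators)
        print(f"{rel!r:26} backslash-only={weak!s:5} "
              f"both-separators={hard!s:5} slash-precheck-rejects={has_forward_slash(rel)}")
```

Running it shows the backslash-only model accepting "../../../outside.txt" because the whole traversal string is treated as one file name under the base, while the hardened canonicalizer (or the simple pre-check) rejects it along with the backslash form. The lesson for a client that stores files on behalf of a remote peer is to normalize every separator the operating system will honour before checking containment, rather than trusting a single canonicalization call.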
The cybersecurity company said it found the flaw while examining the Microsoft Remote Desktop client for Mac, an RDP client that was excluded from its initial analysis last year. Interestingly, the macOS RDP client itself is not vulnerable to CVE-2019-0887.
Since the core vulnerability remains unresolved, Check Point warned that a simple bypass of a core Windows path sanitization function poses serious risks to many other software products that may be affected.
"Microsoft has failed to fix the vulnerability in its official API, so all programs written according to Microsoft's best practices are still vulnerable to attacks such as path traversal," said Omri Herscovici of Check Point. "We want developers to be aware of this threat so that they can review their programs and patch them manually."