Reverse RDP Attack Also Enables Guest-to-Host Escape in Microsoft Hyper-V


Remember the reverse RDP attack?

Earlier this year, researchers disclosed clipboard hijacking and path-traversal issues in Microsoft’s Windows built-in RDP client that could allow a malicious RDP server to compromise a client computer, reversely.

(You can find details and a video demonstration for this security vulnerability, along with dozens of critical flaws in other third-party RDP clients, in a previous article written by Swati Khandelwal for The Hacker News.)

At the time when researchers responsibly reported this path-traversal issue to Microsoft, in October 2018, the company acknowledged the issue but decided not to address it.

Now, it turns out that Microsoft silently patched this vulnerability (CVE-2019-0887) just last month as part of its July Patch Tuesday updates after Eyal Itkin, security researcher at CheckPoint, found the same issue affecting Microsoft’s Hyper-V technology as well.

Microsoft’s Hyper-V is a virtualization technology that comes built-in with Windows operating system, enabling users to run multiple operating systems at the same time as virtual machines. Microsoft’s Azure cloud service also uses Hyper-V for server virtualization.

reverse rdp attack on windows hyper-v

Similar to other virtualization technologies, Hyper-V also comes with a graphical user interface that allows users to manage their local and remote virtual machines (VMs).

According to a report CheckPoint researchers shared with The Hacker News, the Enhanced Session Mode in Microsoft’s Hyper-V Manager, behind the scenes, uses the same implementation as of Windows Remote Desktop Services to let the host machine connect to a guest virtual machine and share synchronized resources like clipboard data.

“It turns out that RDP is used behind the scenes as the control plane for Hyper-V. Instead of re-implementing screen-sharing, remote keyboard, and a synchronized clipboard, Microsoft decided that all of these features are already implemented as part of RDP, so why not use it in this case as well?” researchers say.

This means, Hyper-V Manager eventually inherits all of the security vulnerabilities reside in Windows RDP, including the clipboard hijacking and path-traversal vulnerabilities that could lead to guest-to-host VM escape attack, “effectively allowing one to break out of a Virtual Machine and reach the hosting machine, virtually breaking the strongest security mitigation provided by the virtualization environment.”
As demonstrated previously, the flaws could allow a malicious or a compromised guest machine to trick the host user into unknowingly saving a malicious file in his/her Windows startup folder, which will automatically get executed every time the system boots.

“A malicious RDP server can send a crafted file transfer clipboard content that will cause a Path-Traversal on the client’s machine,” researchers explain.

Unlike previously, this time, Microsoft decided to patch the vulnerability immediately after the researchers disclosed the Hyper-V implications of this flaw, which is now identified as CVE-2019-0887.

“A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an authenticated attacker abuses clipboard redirection,” Microsoft said while explaining the vulnerability in its security advisory.

“An attacker who successfully exploited this vulnerability could execute arbitrary code on the victim system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

The researchers tested and confirmed the patch for the Path-Traversal vulnerability and strongly recommended all users to install the security patch in an attempt to protect their RDP connections as well as their Hyper-V environment.

Products You May Like

Articles You May Like

Fake Android apps uploaded to Play store by notorious Sandworm hackers
Critical Flaw in GoAhead Web Server Could Affect Wide Range of IoT Devices
In “60 Minutes” appearance, YouTube’s CEO offers a master class in moral equivalency
Notorious spy tool taken down in global operation
SMS company exposes millions of text messages, credentials online

Leave a Reply

Your email address will not be published. Required fields are marked *