Earlier this year, I reached out to Check Point researcher Eyal Itkin, who had published multiple flaws in several Remote Desktop Protocol (RDP) clients, including a vulnerability in mstsc.exe, the built-in RDP client application in Windows. While there were no active exploits detected in the wild, it was important for me and my team at Microsoft to analyze the vulnerability, do further variant analysis and investigations, and build defenses, including cloud-based post-breach detection in addition to the operating system fix.
The cross-company collaboration that followed was especially critical in this case, because the attack technique is quite tricky to detect. The vulnerability exists in the shared clipboard mechanism. Unlike other RDP vulnerabilities that could allow an attacker to connect to target machines using the RDP protocol, in this case, an attacker would wait for a user to connect to a compromised machine, and then start the attack through the vulnerability. RDP anomaly detection wouldn’t be useful, because exploit behavior doesn’t stand out as unusual.
The vulnerability, called Poisoned RDP vulnerability and designated as CVE-2019-0887, has been fixed, but it serves as a good case study for industry collaboration leading to better and speedier response to security issues. In this blog, we’ll share an overview of the vulnerability and how we worked with Check Point to build the defenses using Windows telemetry.
Path traversal vulnerability in shared clipboard
A typical RDP scenario is connecting an RDP client to an RDP server installed on a remote computer. After successfully connecting, the client gains access to the remote server. Depending on the user’s permissions, the client can then control the server. What happens if it’s the other way around, where a remote server can attack and gain control of a client?
In his research into reverse RDP attacks, Eyal Itkin found that for mstsc.exe, this technique, also referred to as lazy lateral movement, was possible through the clipboard sharing channel. The shared clipboard allows a user to copy a group of files from one computer and paste the said files in another computer. If the client fails to properly canonicalize and sanitize the file paths it receives, it could be vulnerable to a path traversal attack, allowing a malicious RDP server to drop arbitrary files in arbitrary paths on the client machine.
Figure 1. Architecture of clipboard sharing in Microsoft RDP (source: Reverse RDP Attack: Code Execution on RDP Clients)
Moreover, every time a clipboard is updated on either side of the RDP connection, a message is sent to the other side to notify it about the new clipboard formats that are now available. This means that a malicious server is notified whenever the client copies something to the clipboard, which the server can then query and read.
The server can also notify the client about a fake clipboard update without an actual copy operation inside the RDP window, thus completely controlling the client’s clipboard without the user being noticed.
Eyal also found that, because Hyper-V uses RDP, it inherits the security vulnerabilities in RDP. Hyper-V uses RDP behind the scenes for managing the VM, meaning that the vulnerability could be used to escape a Hyper-V VM, resulting in a guest-to-host sandbox escape vulnerability.
Cloud-based post-breach detection
While we worked on fixing the vulnerability, it was important for us to develop a post-breach detection in order to protect customers from attacks that might exploit the vulnerability. For this effort, we worked closely with Eyal, whose cooperation was critical to the development of these solutions.
Given the details of the vulnerability, we worked under the following conditions:
- To be effective, the detections would need to use existing optics available to all Windows 10 versions.
- The detection logic should spot the threat from the machine where the RDP client—the one that initiates the RDP connection—is installed. We should be able to detect files that are transformed from the compromised machine—where the RDP server is installed—to the client machine. This means that we must rely solely on telemetry that is triggered on the client machine.
- RDP anomaly detection is not useful in this scenario. Since the RDP connection is initiated by the client machine—more specifically, by the user—we don’t expect an abnormal connection to occur.
For this purpose, Event Tracing for Windows (ETW), a built-in Windows 10 feature, provides the kernel-level tracing that’s useful in detecting this threat. Using ETW events, specifically RDP connection events (provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS) and clipboard events (provider: Microsoft.Windows.OLE.Clipboard), as well as file creation events, we created a detection logic that:
- Observes RDP session events
- Observes multiple files being pasted within a short period of time
- Correlates file creation and pasting timestamps
- Raises an alert if the corelated files are in different directories
These detections are added to the Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) endpoint detection and response. These detections raise an alert in Microsoft Defender Security Center, which security operations personnel can then use to investigate attacks.
In addition, given that this is a new attack scenario, we explored additional detection logic that is as general as possible to help counter corner cases and account for tweaks to the attack scenario. These detections would cover the end-to-end attack, focusing on behaviors pertinent to the attack scenario:
- Monitoring the Startup folder. This includes anomaly detection for file creation events under the Startup folder using multiple features like file signature, creation process, etc. In addition, files created in the Startup folder can be verified using scanning capabilities.
- Identifying anomalous file pasting from the clipboard. Machine learning-based detections can recognize files that are pasted in different locations within a short period of time. The anomaly features can be the number of pasted files or file directories.
- Detecting file creation anomalies. Machine-learning based detections can recognize anomalies in file creation paths. The anomaly features can be file path, creation time, and file name. Note: This detection covers a broad scenario, regardless of method.
Microsoft Security Response Center (MSRC) worked with Check Point to further investigate and address the vulnerability. The fix for CVE-2019-0887 was released as part of the July 2019 security update. We encourage customers to keep systems up-to-date.
Conclusion: Lessons from CVE-2019-0887
The responsible disclosure of CVE-2019-0887 by Check Point and the subsequent collaboration with Microsoft teaches us several lessons in security. From design perspective, there’s a lesson to be learned from how the clipboard, which was originally designed to be used locally, was applied in new environments.
Meanwhile, our research into post-breach defenses given the unique characteristics of this attack scenario highlighted the importance of Windows telemetry in detecting malicious behavior. ETW is a powerful defender tool that allows the creation of new detection mechanisms that don’t require an OS update.
Overall, this cross-company, cross-continent teamwork demonstrates the benefits of industry collaboration. We discovered a vulnerability, secured customers, and developed fix, all while learning important lessons that we can share with the industry.
Eyal and I shared these lessons in our Black Hat USA 2019 session, “He Said, She Said – Poisoned RDP Offense and Defense”.
Dana Baril (@dana_baril)
Microsoft Defender ATP Research Team
Talk to us
Questions, concerns, or insights on this story? Join discussions at the Microsoft Defender ATP community.
Follow us on Twitter @MsftSecIntel.