A DLL side-loading vulnerability related to the Microsoft Terminal Services Client (MSTSC) can be exploited to bypass security controls, but Microsoft says it will not be releasing a patch because exploitation requires elevated privileges.
MSTSC is a piece of software designed to allow Windows users to connect to a remote computer via the Remote Desktop Protocol (RDP).
Researchers at Cymulate, a breach and attack simulation platform provider, discovered that the MSTSC application loads a DLL file, mstscax.dll, without verifying its integrity. This allows an attacker who can replace the legitimate DLL to bypass security controls such as AppLocker, which is designed to help users control which apps and files can be run.
An attack can be launched by replacing the mstscax.dll file in the Windows/System32 folder with a malicious file with the same name. However, this requires administrator privileges, which is why Microsoft has decided not to patch the flaw.
Microsoft has pointed to a document where the company explains how it decides what type of DLL hijacking vulnerabilities get patched.
However, Cymulate has also described a post-exploitation attack scenario where the attacker does not require administrative privileges. For example, an unprivileged attacker with read permissions to a system directory can copy mstsc.exe to an insecure folder and place a malicious mstscax.dll next to it. The attacker can then run mstsc.exe, which will result in the malicious DLL being loaded in the context of the remote desktop client, allowing it to bypass various security controls.
In an attack scenario described by Cymulate for SecurityWeek, an attacker has low privileges on the targeted device and wishes to spawn a malicious Meterpreter reverse shell.
“The attacker attempts to execute the malicious shell, and security controls block the attempt,” the company explained. “The attacker copies mstsc.exe to an insecure directory, and places the malicious shell in place of mstscax.dll, and executes mstsc.exe. Due to mstsc.exe being a system binary, digitally signed by Microsoft, it is considered a trusted process by security controls. Mstsc.exe loads the malicious shell. At this point, malicious code is running under the context of mstsc.exe, efficiently bypassing security controls.”
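The two scenarios described above (mstsc.exe copied next to a planted mstscax.dll, or the System32 copy of mstscax.dll replaced) both leave a trace in image-load telemetry. The following detection logic is an added example, not code from Cymulate or Microsoft; it assumes Sysmon Event ID 7 records flattened to one "Key: value|Key: value" line each (the records below are constructed), and that the legitimate binaries live only in System32 and SysWOW64.

```python
from pathlib import PureWindowsPath

# Directories the legitimate mstsc.exe and mstscax.dll live in (assumption: default install).
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}

# Constructed Sysmon Event ID 7 (image load) records, flattened to "Key: value|Key: value".
SAMPLE_EVENTS = [
    "Image: C:\\Windows\\System32\\mstsc.exe|ImageLoaded: C:\\Windows\\System32\\mstscax.dll|Signed: true",
    "Image: C:\\Users\\alice\\AppData\\Local\\Temp\\mstsc.exe|ImageLoaded: C:\\Users\\alice\\AppData\\Local\\Temp\\mstscax.dll|Signed: false",
    "Image: C:\\Windows\\System32\\mstsc.exe|ImageLoaded: C:\\Windows\\System32\\mstscax.dll|Signed: false",
]


def parse_event(line):
    """Turn one flattened record into a dict of field name -> value."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def in_system_dir(path):
    """True if the file's parent directory is one of the protected system directories."""
    return str(PureWindowsPath(path).parent).lower() in SYSTEM_DIRS


def findings_for(event):
    """Return the reasons an image-load event is suspicious; empty list when it is not."""
    image = PureWindowsPath(event.get("Image", ""))
    loaded = PureWindowsPath(event.get("ImageLoaded", ""))
    reasons = []
    # Scenario 1: a copy of mstsc.exe running from a user-writable location.
    if image.name.lower() == "mstsc.exe" and not in_system_dir(image):
        reasons.append("mstsc.exe executed from outside a system directory")
    if loaded.name.lower() == "mstscax.dll":
        if not in_system_dir(loaded):
            reasons.append("mstscax.dll loaded from outside a system directory")
        # Scenario 2: the System32 DLL itself was replaced; the real one is Microsoft-signed.
        if event.get("Signed", "").lower() != "true":
            reasons.append("mstscax.dll is not signed")
    return reasons


def scan(events):
    """Return (Image, reasons) for every event with at least one finding."""
    results = []
    for line in events:
        event = parse_event(line)
        reasons = findings_for(event)
        if reasons:
            results.append((event["Image"], reasons))
    return results


if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

The first record is the legitimate pairing and produces no finding; the second and third correspond to the unprivileged and the administrator scenarios respectively.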
The attack has been tested on Windows 10 and the cybersecurity firm believes it likely also works on other versions of the operating system.
The company told SecurityWeek that, depending on the malicious code being executed, an attacker could potentially exploit the flaw to elevate privileges. To do so, they would need to convince a user to execute the mstsc.exe file from the attacker’s folder with elevated privileges.
Cymulate believes organizations should be aware of this vulnerability because the DLL side-loading technique has been leveraged by several threat actors to deploy their malware, including sophisticated groups such as APT32, APT41 and APT3.