Check Point experts identify RDP client vulnerabilities

Check Point specialists identified 25 vulnerabilities in popular RDP clients for Windows and Linux.

The researchers found that an RDP server can be used for a variety of attacks on the remote client. In many cases packet lengths are not checked properly, so the server can send malicious packets to the client, causing out-of-bounds reads and integer overflows and preparing the ground for RCE attacks on the client side.
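The length-check failure described above, as an added example that is not code from rdesktop, FreeRDP or the Check Point report: a client-side parser for a constructed packet format (a 32-bit entry count followed by 8-byte entries), showing a size check that wraps on multiplication beside a check that cannot overflow. All names and the format itself are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define ENTRY_SIZE 8u /* constructed format: u32 count, then count 8-byte entries */

/* Constructed sample packets (not captured RDP traffic). */
static const uint8_t GOOD_PKT[] = { 2,0,0,0,  5,0,0,0, 0,0,0,0,  7,0,0,0, 0,0,0,0 };
/* Declares count = 0x20000001, but only one entry actually follows. */
static const uint8_t EVIL_PKT[] = { 0x01,0,0,0x20,  9,0,0,0, 0,0,0,0 };

/* Read a little-endian u32; the caller guarantees 4 readable bytes. */
static uint32_t rd_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Flawed check: count * ENTRY_SIZE wraps modulo 2^32, so a huge count
 * yields a small "needed" size and the comparison passes. */
int naive_length_ok(uint32_t count, size_t remaining) {
    uint32_t needed = count * ENTRY_SIZE;
    return needed <= remaining;
}

/* Hardened check: divide instead of multiply, so nothing can wrap. */
int safe_length_ok(uint32_t count, size_t remaining) {
    return count <= remaining / ENTRY_SIZE;
}

/* Sum the first u32 of every entry. Returns 0 on success, -1 if the
 * declared count does not fit in the bytes actually received. */
int parse_packet(const uint8_t *buf, size_t len, uint64_t *sum_out) {
    if (buf == NULL || sum_out == NULL || len < 4)
        return -1;
    uint32_t count = rd_u32le(buf);
    if (!safe_length_ok(count, len - 4))
        return -1;
    uint64_t sum = 0;
    const uint8_t *p = buf + 4;
    for (uint32_t i = 0; i < count; i++, p += ENTRY_SIZE)
        sum += rd_u32le(p);
    *sum_out = sum;
    return 0;
}

int main(void) {
    uint64_t sum = 0;
    return !(parse_packet(GOOD_PKT, sizeof GOOD_PKT, &sum) == 0 &&
             parse_packet(EVIL_PKT, sizeof EVIL_PKT, &sum) == -1);
}
```

With the naive check in place of the safe one, the loop would trust the declared count and read far past the end of the received buffer.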

Another problem the researchers point to is the clipboard shared by the server and the client. Because the traffic is not properly sanitized, data useful to an attacker for a directory traversal can end up in the clipboard, and information can leak as well, since the server can “peek” at the client’s clipboard. For example, when the client copies an administrator password locally, the server “learns” it too.

A malicious server can also modify any data in the clipboard used by the client, even if the client did not perform a “Copy” operation. It is enough to press “Paste” while the RDP connection is active for the client to be exposed to such an attack.

The greatest number of problems was found in rdesktop: 19 vulnerabilities, 11 of which are rated as “major” and can lead to the execution of arbitrary code or denial of service. In FreeRDP (one of the most popular and oldest RDP clients on GitHub), 6 vulnerabilities were discovered, 5 of which also have RCE and DoS potential.

As a result, the RDP client built into Windows was recognized as the most secure; however, it was not without problems either. The shared clipboard problem described above applies to this client, and this functionality is enabled by default.

The experts note with regret that although Microsoft representatives confirmed all of Check Point's conclusions, the developers refused to recognize the detected problems as vulnerabilities and assign them CVE identifiers. In effect, Microsoft said that this is not a bug but legitimate functionality, which means that no fix can be expected.

In turn, the developers of FreeRDP and rdesktop have already released updates for their products, correcting the gaps found by experts: versions v2.0.0-rc4 and 1.8.4, respectively.