Reverse Microsoft RDP Attack: the Path not Taken

Omri Herscovici, Vulnerability Research Team Leader at Check Point Software Technologies

Security researchers at Check Point identified a vulnerability in the core Windows function that protects against an attack type known as Path Traversal. The technical name of that core function is “PathCchCanonicalize”, and it is the official API that Windows recommends to developers for defence against Path-Traversal attacks. The research team was able to bypass this official Windows API protecting against “Path-Traversal Attacks”, an attack type that allows hackers to access and modify restricted files.

What is a Path-Traversal Attack?

Path Traversal refers to an attack in which an attacker tricks an application into reading, and subsequently divulging, the contents of files outside the document root directory of the application or the web server. In other words, a Path-Traversal attack happens when a program receives a file name as input and fails to verify it, allowing an attacker to save a file in any directory of their choosing on your computer, instead of the directory intended for it, or to read files they are not supposed to have access to. It gives the attacker the ability to “traverse” the directories on the server.

Typically, Path Traversal attacks are used to gain access to sensitive information stored within arbitrary files in other areas of an application or in other parts of the file system that the web server can read. Using this technique, attackers can modify critical files such as programs or libraries, download password files, expose source code of the web application, or execute powerful commands on the web server, which can lead to complete compromise of the web server.
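The verification step the previous paragraphs describe as missing is, in its simplest form, "canonicalize the untrusted name, then confirm the result still lies inside the directory the program intended". The following Python function is an added illustration of that check written for this page; it is not Check Point's code, not Microsoft's PathCchCanonicalize, and makes no claim about the specific bypass the article discusses. The base directory name `shared_files` and the list of sample file names are constructed for the demonstration. It treats both `/` and `\` as separators (as Windows does), rejects absolute paths, drive letters and UNC prefixes outright, and makes its decision on the canonical path rather than on the raw string.

```python
import os
import posixpath


class PathTraversalError(ValueError):
    """Raised when an untrusted file name would escape the allowed base directory."""


def safe_join(base_dir: str, untrusted_name: str) -> str:
    """Return the canonical path of base_dir/untrusted_name, or raise PathTraversalError.

    Design choices of this example (assumptions, not the Windows algorithm):
      * '/' and '\\' are both separators, so '..\\' cannot slip past a '/'-only check.
      * Absolute paths, drive letters ('C:') and UNC prefixes ('\\\\server') are refused:
        a name supplied by a remote peer must be relative to the intended directory.
      * The final decision compares canonical forms (realpath), so symlinks inside
        the base that point outside it are caught as well.
    """
    if not untrusted_name or "\x00" in untrusted_name:
        raise PathTraversalError("empty file name or embedded NUL byte")

    # Normalise separators first so every later check sees a single form.
    name = untrusted_name.replace("\\", "/")

    # Relative names only: a leading '/' also covers UNC ('//server/share').
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        raise PathTraversalError("absolute path, drive letter or UNC prefix not allowed")

    # Collapse '.' and '..' segments lexically; anything that still starts
    # with '..' (or collapses to the directory itself) escapes the base.
    rel = posixpath.normpath(name)
    if rel in (".", "..") or rel.startswith("../"):
        raise PathTraversalError("file name escapes the base directory")

    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, *rel.split("/")))

    # Final check on the canonical result, never on the raw input string.
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError("canonical path lies outside the base directory")
    return candidate


# Constructed sample inputs for the demonstration (not taken from the article).
SAMPLE_NAMES = [
    "docs/report.txt",                   # ordinary relative name
    "docs\\..\\..\\Windows\\win.ini",    # backslash traversal out of the base
    "../../etc/passwd",                  # forward-slash traversal out of the base
    "C:\\Windows\\win.ini",              # drive-letter absolute path
    "\\\\server\\share\\file",           # UNC path
    "docs/./notes.txt",                  # harmless '.' segment
    "ok/../report.txt",                  # '..' that still stays inside the base
]


def classify(base_dir: str, names) -> dict:
    """Map each sample name to 'allowed' or 'rejected' according to safe_join."""
    results = {}
    for n in names:
        try:
            safe_join(base_dir, n)
            results[n] = "allowed"
        except PathTraversalError:
            results[n] = "rejected"
    return results


if __name__ == "__main__":
    for name, verdict in classify("shared_files", SAMPLE_NAMES).items():
        print(f"{verdict:8s} {name!r}")
```

Note that `ok/../report.txt` is allowed: the check bans escaping the base directory, not the mere presence of `..`. That is the distinction a sanitization routine has to get right, and the one a practitioner should exercise with test cases like the list above whenever the program's file names come from the other end of a connection.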

How Researchers Discovered the Vulnerability

At Black Hat 2019, Check Point researchers disclosed vulnerabilities in Microsoft’s Remote Desktop Protocol (RDP). Microsoft RDP provides remote display and input capabilities over network connections for Windows-based applications running on a server. It is this technology that allows someone to connect to a remote computer and work on it just as if it were their own. Researchers proved that a remote, malware-infected computer could take over any client that tries to connect to it. For example, if an IT staff member tried to connect to a remote corporate computer that was infected by malware, the malware would be able to attack the IT staff member’s computer as well. Check Point researchers called this attack vector “Reverse RDP”, because a user of RDP thinks they are controlling a computer remotely, but the flaw proves that the reverse is also possible.

Microsoft quickly issued a patch for the Reverse RDP attack vector. In October 2019, Check Point researchers discovered that Microsoft’s patch (CVE-2019-0887) for the vulnerability disclosed at Black Hat 2019 had security flaws, enabling researchers to move past the fix and recreate the original exploit. Researchers learned that Microsoft had used “PathCchCanonicalize” in its patch for the original RDP flaw, leading Check Point researchers to conclude that there is something wrong with the official API function “PathCchCanonicalize”.

Responsible Disclosure

Check Point researchers disclosed their findings to Microsoft. Microsoft issued a new patch (CVE-2020-0655) for the Reverse RDP vulnerability in February 2020. However, although RDP is now patched correctly, all of the other programs that rely on Microsoft’s sanitization function (PathCchCanonicalize) remain vulnerable to the same attack. Check Point has contacted Microsoft with its latest findings alongside the expected publication date of this research blog.
