Reverse RDP Attack Also Enables Guest-to-Host Escape in Microsoft Hyper-V
Remember the Reverse RDP Attack?Earlier this year, researchers disclosed clipboard hijacking and path-traversal issues in Microsoft's Windows built-in RDP client that could allow a malicious RDP server to compromise a client computer, reversely.(You can find details and a video demonstration for this security vulnerability, along with dozens of critical flaws in other third-party RDP clients, in a previous article written by Swati Khandelwal for The Hacker News.)At the time when researchers responsibly reported this path-traversal issue to Microsoft, in October 2018, the company acknowledged the issue, also known as "Poisoned RDP vulnerability," but decided not to address it. Now, it turns out that Microsoft silently patched this vulnerability (CVE-2019-0887) just last month as part of its July Patch Tuesday updates after Eyal Itkin, security researcher at CheckPoint, found the same issue affecting Microsoft's Hyper-V technology as well.Microsoft's Hyper-V is a virtualization technology that comes built-in with Windows operating system, enabling users to run multiple operating systems at the same time as virtual machines. Microsoft's Azure cloud service also uses Hyper-V for server virtualization. Similar to other virtualization technologies, Hyper-V also comes with a graphical user interface that allows users to manage their local and remote virtual machines (VMs). According to a report CheckPoint researchers shared with The Hacker News, the Enhanced Session Mode in Microsoft's Hyper-V Manager, behind the scenes, uses the same implementation as of Windows Remote Desktop Services to let the host machine connect to a guest virtual machine and share synchronized resources like clipboard data. "It turns out that RDP is used behind the scenes as the control plane for Hyper-V. Instead of re-implementing screen-sharing, remote keyboard, and a synchronized clipboard, Microsoft decided that all of these features are already implemented as part of RDP, so why not use it in this case as well?" researchers say. This means, Hyper-V Manager eventually inherits all of the security vulnerabilities reside in Windows RDP, including the clipboard hijacking and path-traversal vulnerabilities that could lead to guest-to-host VM escape attack, "effectively allowing one to break out of a Virtual Machine and reach the hosting machine, virtually breaking the strongest security mitigation provided by the virtualization environment." As demonstrated previously, the flaws could allow a malicious or a compromised guest machine to trick the host user into unknowingly saving a malicious file in his/her Windows startup folder, which will automatically get executed every time the system boots. "A malicious RDP server can send a crafted file transfer clipboard content that will cause a Path-Traversal on the client's machine," researchers explain. Unlike previously, this time, Microsoft decided to patch the vulnerability immediately after the researchers disclosed the Hyper-V implications of this flaw, which is now identified as CVE-2019-0887. "The shared clipboard allows a user to copy a group of files from one computer and paste the said files in another computer. If the client fails to properly canonicalize and sanitize the file paths it receives, it could be vulnerable to a path traversal attack, allowing a malicious RDP server to drop arbitrary files in arbitrary paths on the client machine," Microsoft said while explaining the vulnerability in its latest blog post. "An attacker who successfully exploited this vulnerability could execute arbitrary code on the victim system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights." The researchers tested and confirmed the patch for the Path-Traversal vulnerability and strongly recommended all users to install the security patch in an attempt to protect their RDP connections as well as their Hyper-V environment.
- Zugriffe: 19