Remote Desktop through the eyes of an attacker

1. Introduction

A couple of months ago, companies that had no remote access systems in place deployed them in a hurry. Not every administrator was prepared for such a rush, and the result was security flaws: misconfigured services or even installations of outdated software versions with previously discovered vulnerabilities. For some, one of these omissions has already come back like a boomerang; others have been luckier, but everyone should certainly draw the conclusions. Acceptance of remote work has grown many times over, and more and more companies are adopting it as a valid format on an ongoing basis.

So, there are many options for providing remote access: various VPNs, RDS, VNC, TeamViewer and others. Administrators have plenty to choose from, depending on how the corporate network is built and which devices are in it. VPN solutions remain the most popular; however, many small companies choose RDS (Remote Desktop Services), since it is easier and faster to deploy.

In this article we talk about RDS security in more detail. We briefly review known vulnerabilities and then consider several scenarios for launching an attack on an Active Directory-based network infrastructure. We hope that the article will help someone work on their weak spots and improve security.

2. Recent RDS / RDP Vulnerabilities

Any software contains bugs and vulnerabilities that cybercriminals exploit, and RDS is no exception. Microsoft has reported new vulnerabilities frequently of late, so we decided to give a brief overview of them:

This vulnerability compromises users who connect to a compromised server. An attacker can take control of the user's device or gain a foothold in the system in order to have persistent remote access.

This group of vulnerabilities allows an unauthorized attacker to remotely execute arbitrary code on a server running RDS by sending a specially crafted request. They can also be used to create worms, malware that spreads to neighbouring devices on the network on its own. Thus these vulnerabilities can put the company's entire network at risk, and only timely updates will protect it.

Remote access software has received increased attention from both researchers and attackers, so we will probably soon hear about more vulnerabilities of this kind.

The good news is that public exploits are not available for all of these vulnerabilities. The bad news is that an experienced attacker can write an exploit from the vulnerability description alone, or by using techniques such as patch diffing (our colleagues wrote about it in a separate article). Therefore we recommend that you update software regularly and monitor reports of newly discovered vulnerabilities.

3. Attacks

We now move on to the second part of the article, where we show how attacks on an Active Directory-based network infrastructure begin.

The described methods apply to the following attacker model: an attacker who has a user account and access to the Remote Desktop Gateway or a terminal server (which is often reachable, for example, from an external network). Using these methods, the attacker can continue attacking the infrastructure and consolidate their presence on the network.

The network configuration in each case may differ, but the described techniques are quite universal.

Examples of exiting a restricted environment and privilege escalation

When accessing the Remote Desktop Gateway, an attacker is likely to find themselves in a restricted environment of some kind. When they connect to the terminal server, a single application is launched for them: a Remote Desktop connection window for internal resources, Explorer, an office suite, or any other software.

The attacker's goal is to gain the ability to execute commands, that is, to run cmd or powershell. Several classic Windows sandbox escape techniques can help with this. Let's consider them.

Option 1. An attacker has access to the Remote Desktop connection window within the Remote Desktop Gateway:

The “Show Options” menu is available, with options for manipulating connection configuration files:

From this window it is possible to open Explorer freely by clicking either the “Open” or the “Save” button:

Explorer opens. Its address bar makes it possible to run permitted executable files, as well as to list the file system. This is useful to the attacker when the system drives are hidden and direct access to them is impossible:

Demo video

A similar scenario can be reproduced, for example, when the remote application published to the user is Excel from Microsoft Office.

Demo video

In addition, do not forget about the macros used in this office suite. Our colleagues addressed macro security in this article.

Option 2. Using the same entry point as in the previous option, the attacker opens several Remote Desktop connections under the same account. On reconnection the first session is closed and an error notification window appears on the screen. The Help button in this window opens Internet Explorer on the server, from which the attacker can get to Explorer.

Demo video

Option 3. With restrictions on executable files configured, an attacker may run into a situation where the administrator has used group policies to prohibit starting cmd.exe.

There is a way around this: run a bat file on the remote desktop with contents like cmd.exe /K <command>. The error when starting cmd directly and a successful launch through the bat file are shown in the figure below.

Option 4. Blocking applications with blacklists based on executable file names is not a panacea; they can be circumvented.

Consider the following scenario: we have denied access to the command line and blocked the launch of Internet Explorer and PowerShell using group policies. The attacker tries to call Help, with no response. He tries to start powershell through the context menu of the modal window, opened with the Shift key held down, and gets a message that the administrator has blocked the launch. He tries to start powershell through the address bar, again with no response. How does he get around the restriction?

It is enough to copy powershell.exe from the folder C:\Windows\System32\WindowsPowerShell\v1.0 to the user's folder and rename it to something other than powershell.exe, and it becomes possible to launch it.

By default, when connecting to the remote desktop, the client's local disks are made accessible, so the attacker can copy powershell.exe from there and run it after renaming.

Demo video

We have shown only a few ways to circumvent restrictions; many more scenarios can be devised, but all of them have one thing in common: they end up in Windows Explorer. Many applications use the standard Windows file-handling tools, and when they are placed in a restricted environment, similar techniques can be used.
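As an added example (not from the original article), the following Python snippet takes the defender's side of Options 1, 2 and 4 and applies it to process-creation telemetry. It assumes Sysmon Event ID 1 field names (Image, OriginalFileName, ParentImage); the Windows Security 4688 event does not carry OriginalFileName, and that field is exactly what exposes a renamed powershell.exe, so the data source is the key assumption. The log records are constructed for the example, and the list of published applications is an assumption to adapt to your own RemoteApp setup.

```python
"""Flag the restricted-environment escapes described above in process-creation
logs. Added example, not the article's own tooling. Field names follow Sysmon
Event ID 1 (assumption); the records in SAMPLE_EVENTS are constructed."""
import ntpath

# Shells the attacker wants to reach (compared case-insensitively).
SHELLS = {"cmd.exe", "powershell.exe"}
# Applications a RemoteApp user is expected to get; a shell spawned by one of
# them means the user left the published application (assumed list, adapt it).
PUBLISHED_APPS = {"mstsc.exe", "excel.exe", "winword.exe", "iexplore.exe"}
# Path prefix of a redirected client drive (drive redirection left enabled).
CLIENT_DRIVE_PREFIX = "\\\\tsclient\\"

# Constructed Sysmon-style records: a benign Office start, a shell opened from
# mstsc's file dialog, a renamed PowerShell copy in a user folder, a renamed
# copy run straight from the client's redirected drive, a legitimate start.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "OriginalFileName": "Excel.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Windows\System32\mstsc.exe"},
    {"Image": r"C:\Users\jdoe\Documents\ps.exe",
     "OriginalFileName": "PowerShell.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"\\tsclient\C\tools\ps2.exe",
     "OriginalFileName": "PowerShell.EXE",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def _name(path):
    """File name component of a Windows path, lower-cased (works off-Windows)."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the names of the rules an event triggers; empty list if none."""
    hits = []
    image = _name(event["Image"])
    original = event.get("OriginalFileName", "").lower()
    parent = _name(event.get("ParentImage", ""))

    # Option 4: name-based blacklist bypassed by copying and renaming the
    # binary; the PE version resource (OriginalFileName) still names the shell.
    if original in SHELLS and image != original:
        hits.append("renamed_shell")
    # Option 4: executable brought in over client drive redirection.
    if event["Image"].lower().startswith(CLIENT_DRIVE_PREFIX):
        hits.append("client_drive_exec")
    # Options 1 and 2: shell reached through a published app's file dialog,
    # address bar or help window, so the published app is the parent process.
    if image in SHELLS and parent in PUBLISHED_APPS:
        hits.append("shell_from_published_app")
    return hits


def scan(events):
    """(Image, rules) for every event that triggers at least one rule."""
    flagged = []
    for event in events:
        hits = classify(event)
        if hits:
            flagged.append((event["Image"], hits))
    return flagged


if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(hits)}")
```

The renamed_shell rule works because the version resource inside the copied binary still says PowerShell.EXE, which a file-name blacklist never looks at; the same reasoning is why publisher or hash rules hold up where name-based rules do not.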

4. Recommendations and conclusion

As we can see, even in a restricted environment there is room for an attack to develop. However, it is possible to make the attacker's life harder. Here are general recommendations that are useful both in the options we considered and in other cases.

  • Limit the launch of programs with black / white lists using group policies.
    However, in most cases it remains possible to run code. We recommend that you familiarize yourself with the LOLBAS project to get an idea of undocumented ways to manipulate files and execute code in the system.
    We recommend combining both types of restrictions: for example, allow the execution of executable files signed by Microsoft, but block the launch of cmd.exe.
  • Disable Internet Explorer settings tabs (can be done locally in the registry).
  • Disable through regedit the call to Windows built-in help.
  • Disable the ability to mount local drives for remote connections, if this limitation is not critical for users.
  • Limit access to local disks of the remote machine, leave access only to user folders.

We hope that at the very least you found this interesting and, at best, that this article will help make remote work in your company safer.
