Security Insights: How to Get Hacked by a RDP Server
In today’s article, I would like to show you the downside of one feature in RDP (Remote Desktop) that not everyone knows about. The result is a compromised client computer or stolen data. We have prepared this “attack” in cooperation with Ondra Ševeček, who has then presented it at Hacker Fest 2018.
RDP (Remote Desktop) is used to remotely control computers/servers. That is your client PC controls the remote server. If you are a “bad guy” or your PC is hacked, you can damage the remote server through the RDP. Therefore, we should not use untrusted PCs to manage servers through RDP (see Network Security: Tier Model and PAW). Few, however, know that with the “correct” setting of the RDP client, there may be a mutual risk. This means RDP server can attack your PC.
So what makes RDP dangerous to the client? It is a local resource redirection feature. This will allow the remote RDP server to access client resources. Redirection of local disks is especially popular – so that the user can access data on his/her PC/NB on a remote server.
Of course, I don’t think we found anything new. The RDP client itself displays a warning message “This remote connection could damage your local or remote computer.” I just found that most people ignore the warning (underestimate it). Therefore, I want to point out the degree of seriousness and simplicity of abuse.
You can see how easily I will abuse the functionality on the video below. But before that I want to point out some interesting features of the attack:
- There is no patch, nor will there ever be a patch: because it is not a bug, but an abuse of the feature of RDP.
- Neither antivirus nor firewall help: standard tools are used to exploit it directly in Windows.
- The only protection is to not to use local resource redirection.
Am I affected?
Basically, anyone who connects to a RDP server that is administered by anyone else should think about the RDP client setting.
I have come up with the following “funny/scary” scenarios:
- Employees connecting to the corporate RDP server from personal computers. At best, only corporate IT departments, or worse, everyone who hacked it, have the opportunity to access employee private data.
- Employees of an outsourcer connecting to the customer’s RDP server. Thus, the customer has the opportunity to access the data of the outsourcer (and to also gain access to other customers – ie their competitors). I would be interested in knowing how is the RDP used by IT providers of our customers using RDP servers of the customer. 😊
- Hackers connecting to a “hacked” server. g. to make a testing “RDP server” and publish at Pastebin.com, I am confident that the first “hackers” would join in a matter of hours. But the joke is going to that they are going to be the ones hacked. 😊
Since the demonstration is much better than mere theory, I have prepared a short demonstration video for you. You’ll see how simple and fast the attack is.
What to do about it?
The defense is to not to use RDP to redirect local resources. Or to reduce them as much as possible. For example, redirect only a dedicated disk. Also, disable sharing of other devices (audio, clipboard, printer, plug & play). We have disabled the redirection of most local resources globally in our RDM manager (see password management).
What do you think? Have you been aware of the possibilities of exploiting the redirection feature of local resources?