Reverse RDP attacks: How to protect your organization

A remote PC infected with certain malware could take over a client that tries to connect to it, says Check Point Research. Here's how to prevent it.


Microsoft's Remote Desktop Protocol is a pervasive technology built into Windows that allows client PCs and devices to remotely access and control remote computers. But RDP is also a vulnerable technology that has been beset by various security flaws and weaknesses. Hackers like to take advantage of these flaws to target remote desktop accounts and services as a way to infiltrate an organization. A new report by cyber threat intelligence provider Check Point illustrates a specific type of attack known as Reverse RDP.

In a blog post published Thursday, Check Point explained how a Reverse RDP attack works. In this example, an IT staffer tries to connect to a remote computer at the office. However, this computer has already been infected by a particular type of malware. The malware gives the remote PC the ability to attack the IT staffer's computer. This kind of attack is referred to as Reverse RDP because the users think they're controlling the remote PC, but in fact, the opposite is true.


At Black Hat 2019, Check Point researchers revealed the Reverse RDP vulnerability, proving that a malware-infected remote computer could take over any client PC that connects to it. In October 2019, Microsoft issued a patch for this flaw (CVE-2019-0887). Upon investigation, Check Point learned that the patch itself had certain security holes that would let someone sneak past the fix and recreate the initial exploit. In February 2020, Microsoft released a new patch (CVE-2020-0655) to more effectively correct the Reverse RDP flaw.

However, Check Point discovered an additional vulnerability related to RDP. A Microsoft Windows API function known as "PathCchCanonicalize" is supposed to offer applications the necessary protection against a threat known as Path-Traversal attacks. In these types of attacks, a hacker tricks an application on a computer into reading and divulging the contents of files outside of the root directory used by that application. Without this protection, attackers could reach sensitive data in other parts of the file system and modify critical files there.

In its research, Check Point was able to bypass the official API of Windows that protects against Path-Traversal attacks. Although the initial Reverse RDP flaw was eventually patched correctly, other programs that use the PathCchCanonicalize function are vulnerable to the same type of attack. Check Point said that it has contacted Microsoft with its latest findings.


To protect your organization against these types of attacks, Omri Herscovici, Vulnerability Research Team leader at Check Point, offers the following commentary:

"Our discovery should be considered in two parts," Herscovici said. "The first part is that IT staff in large enterprises that use Windows should install Microsoft's February Patch, CVE-2020-0655, to make sure their RDP client is protected against the attack we've presented in BlackHat USA 2019. The second part is addressed to developers worldwide. Microsoft neglected to fix the vulnerability in their official API, and so all programs that were written according to Microsoft's best practices will still be vulnerable to a Path-Traversal attack. We want developers to be aware of this threat, so that they could go over their programs and manually apply a patch against it."
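One way a client-side program can apply the containment check Herscovici describes itself, instead of relying solely on the platform's canonicalization API, is to resolve the untrusted name against its root directory and refuse anything that lands outside it. This is an added example, not code from Check Point, Microsoft or this article; the root directory, the sample file names and the `safe_join` function are assumptions, and it uses Python's `ntpath` so that Windows path rules apply on any host.

```python
import ntpath
from typing import Optional

# Assumed destination directory on the client; constructed for this example.
ROOT = r"C:\RDPShare"


def safe_join(root: str, untrusted: str) -> Optional[str]:
    """Return the resolved path if it stays inside root, otherwise None.

    Windows path rules are applied through ntpath regardless of host OS, so
    the check behaves the same on Linux and Windows.
    """
    if not untrusted or "\x00" in untrusted:
        return None
    # Anything that is not a plain relative name is refused: rooted (\x or /x),
    # drive-qualified (C:x) or UNC (\\server\share) names never belong in a
    # file name received from a remote peer.
    if untrusted[0] in "\\/" or ntpath.splitdrive(untrusted)[0]:
        return None
    # Win32 strips trailing dots and spaces from each component, so a name such
    # as "..." or ".. " becomes ".." on disk. Refuse such components outright
    # rather than guessing what the file system will do with them.
    for part in untrusted.replace("/", "\\").split("\\"):
        if part not in (".", "..") and part != part.rstrip(" ."):
            return None
    root = ntpath.normpath(root)
    # normpath collapses "." and "..", and treats "/" as a separator like "\".
    full = ntpath.normpath(ntpath.join(root, untrusted))
    try:
        inside = ntpath.commonpath([root, full]) == root
    except ValueError:  # different drives, or absolute mixed with relative
        inside = False
    return full if inside else None


if __name__ == "__main__":
    # Constructed sample names, as a malicious remote peer might send them.
    for name in ("report.docx", "sub\\..\\report.docx",
                 "..\\..\\Windows\\System32\\drivers\\etc\\hosts",
                 "sub/../../..\\Users\\Public\\evil.exe", "...\\escaped.txt",
                 "\\\\attacker\\share\\x.txt", "C:x.txt"):
        print(f"{name!r:50} -> {safe_join(ROOT, name)}")
```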
