Search using:Eyal has disappeared
Review
In 2019, we published our research on the reverse RDP attack:1. dioe2. dio. In these blog posts, we describe how we found some critical vulnerabilities in popular Remote Desktop Protocol (RDP) clients. In addition, we focused on the Path-Traversal vulnerability we found in Microsoft's RDP client, a vulnerability that also affected guest-host VM escape in Hyper-V Manager.
Testing the applicability of our findings to Microsoft's RDP client for MacOS, we made an interesting discovery: not only can we ignore Microsoft's patch, butlospath canonicalization check performed according to Microsoft best practices.
Important note:Microsoft's Path-Traversal kernel control bypass vulnerability still existsIt's not he is. More details can be found in Microsoft's official response at the end of this blog. Due to the impact of this vulnerability, we urge all software developers and security researchers to be aware of this issue and ensure that their own software projectscorrect manually.
Bornthe second partfrom our post Reverse RDP Attack we will take a detailed lookcorrectionissued by Microsoft for our vulnerability (CVE-2019-0887). A patch would be relatively easy, since the Path-Traversal vulnerability was caused by a lack of sanity checks on file paths in the input file.FileGroupDescriptorWbuffer format. Microsoft has followed its best practice and added role-based validationPadCchCanonicalizar, as shown in Figure 1:
Picture 1: PadCchCanonicalizaris used to calculate the canonical form for each file name.
If successful, the canonical output is compared to the original filename and any discrepancy between the two will result in an error. This means if our file name contains pattern strings.from.., is changed when converting to canonical form, so no validation is performed.
We assumed that this patch meant that the vulnerability was indeed fixed, and we even mentioned it in our previous blog post: "...the fix matches our initial expectations, our Path Traversal vulnerability is now resolved."
When researching different RDP clients we decided to focus onworking surface,Free RDPand Microsoft's integrated client (Mstsc.exe). We didn't review MacOS-specific RDP clients at the time because we've heard that MacOS users often use one of the open source clients mentioned above. To our surprise, in October 2019, after our survey was marked "complete", we were contacted by Chris Risvik from Mnemonic. After you have seen our presentation onBlack hatAs Chris read more about our research, he started playing around with Microsoft's RDP client on his MacOS and discovered some interesting behaviors. This behavior led Chris to believe that CVE-2019-0887 might also apply to Microsoft's RDP client and decided to contact us.
Surprised to hear about Microsoft's integrated RDP client for macOS and intrigued by its findings, we decided it was worth a look. Since we already had the configuration to exploit the Path-Traversal vulnerability, all we had to do was buy a Mac computer and use Microsoft's RDP client for MacOS to connect to our existing malicious RDP server. Here it got even more interesting.
It so happened that our MacOS researcher arrived at the office a little late on the day scheduled for this experiment. Since he usually arrives first, this was a rare stroke of luck. While I was waiting for it to arrive, I decided to update the exploit configuration on the server. So far we have used Windows paths (abc). Since we would be going the macOS route, I thought it would be better to use slashes in our exploit instead of backslashes:abc.
After modifying the exploit configuration file, we tested the configuration locally with 2 Windows computers to confirm that everything still works. The original exploit (using\) was successfully blocked by Microsoft's patch, resulting inexplorer.exeto be stuck. Out of curiosity, we also tested a modified exploit (using/) and surprisingly,exploit succeeded. Simple replacement\for/on our malicious RDP server it was enough to bypass Microsoft's patch!
observing:When we later tested the MacOS RDP client, we saw that it was implemented with better security; and is not vulnerable to CVE-2019-0887. It goes to show that you can never predict where the research manager will take you and what vulnerabilities you will discover along the way.
Intrigued by this unexpected behavior, we decided to put together a simple test program that focuses exclusively on Microsoft's main canonicalization feature:PadCchCanonicalizar. In Figure 2 we can see a naive verification:
Figure 2:TestPadCchCanonicalizarversus the backslash path (\).
As expected, the result was: "The canonical string is:Mal. batand status code:0.”
We then run the same test with a path that uses slashes (/), as can be seen in Figure 3:
Figure 3:TestPadCchCanonicalizaragainst the forbidden path (/).
To our surprise, the result was: "The canonical string is:../../Evil.batand status code:0.”
It appears to bePadCchCanonicalizar, a feature mentioned in the Windows Best Practices Guide on Enemy Path Canonicalization,ignoreslashes! We later confirmed this behavior by reverse-engineering Microsoft's implementation of the feature and saw that the path was split into pieces, looking only for\and ignore/.
To get an idea of the implications of this vulnerability beyond the scope of RDP, we looked at how Microsoft recommends handling directory traversal attempts, such as... The search led us toPadCcCanonicalizar. This feature claims to do just that on MSDN, but is actually deprecated due to a potential buffer overflow vulnerability:
Figure 4:Screenshot from MSDN explaining how to block Path-Traversal attempts using the WinAPI.
The official note specifically directs developers to use itPadCchCanonicalizarinstead, which (as we just showed) can be ignored by using a slash instead of a backslash.
We presented the following challenge to our senior software developers: Implement a function that takes a file path as input and checks if the file is written to a predetermined directory. In other words, use the Windows API and best practices to block Path-Traversal attacks. As expected, the general response we received is shown in Figure 5:
Figure 5:Example code for track repair, always usedPadCchCanonicalizar.
In other words, following Microsoft's best practices, even senior developers used the vulnerable feature and expected to deal with both./e\split roads. This means that there are probably dozens of different projects around the world that are vulnerable to a path traversal attack because they rely on Microsoft's vulnerable path canonicalization feature.
On Unix-based systems, the path separator used is a slash (/), while traditionally Windows uses the backslash character (\). However, since the early days of Windows, it has supported both/e\. So performing any file operation (access/read/write) will work with both separators as if they were\.
The vulnerability we just found is a classic case of implementing integrity checking using a different logic than the one used for the action we want to protect. Somehow the developers of the Windows core file cleanup functionality forgot about Windows support/chars and instead I re-implemented the file path logic, just with support\separators.
We've contacted Microsoft again and released the details of their inadequate fix for CVE-2019-0887, a workaround for a new vulnerability we found inPadCchCanonicalizar. Microsoft confirmed our findings and, inUpdate on Tuesday Februaryreleased a patch for it called:CVE-2020-0655.
Knowing thatPadCchCanonicalizaris insideKernelBase.dll, we were surprised to find outIt's notupdated as part of this month's Windows Update. As shown in Figure 6,Kerberos.dllwas updated during the February update whileKernelBase.dllremained untouched.
Figure 6:Timestamps for Windows.dllfiles that show itKernelBase.dllnot updated.
Not knowing what to expect, we filtered and selected all the files that were updated as part of the patchmstscax.dllas a candidate for a possible solution. If our suspicion is correct, it is possible that Microsoft only patched the attack scenario for RDP clients and overlooked the wider use of the vulnerable API feature.
In Figure 7 we can see that the functionCFormatDataPacker::ValidateFilePaths, added as part of patch CVE-2019-0887, has been changed again:
Figure 7:replacement patch/characters with\characters within the RDP client.
Our first guess was correct. Microsoft fixed the inappropriate patch for CVE-2019-0887 by adding a fixstill vulnerable PadCchCanonicalizarfunction.
We searched for published advice warning users about using the vulnerable path canonicalization feature, but could not find it.MSDNstill recommends users to use this feature when trying to clean up malicious entries.
However, it should be noted that this patch makes sense in the case where file handling in RDP is uniquely different from the rest of the WinAPI. However, after trying the usual WinAPI to process files likecreate a file,Remove the file,Create a folderetc., we can conclude that they have so much respect/ e \, which means that the case of RDP is not at all unique.
Therefore, in our opinionPadCchCanonicalizarit is an ideal place for a patch that aims to block possible Path-Traversal attacks arising from the use/separators.
After reviewing Microsoft's patch, we contacted the MSRC and provided our findings, along with an expected publication date for this research blog. We have not received your comments at this time and have notified you about publishing the blog in this format.
First, due to the dire consequences of improperly patching the RDP vulnerability (CVE-2019-0887), we urge all readers toMicrosoft patch.
However, as we saw when reviewing Microsoft's patch for CVE-2020-0655, this fix does not workBornaddressing the core vulnerabilities of the worldPadCchCanonicalizarfunction. We fear that, as with the reverse RDP scenario just demonstrated, the implications of simply redirecting to a central Windows path sanitizer could pose a serious risk to many other software products.
Therefore, we urge all software developers and security researchers to be aware of this vulnerability and ensure that their own software projects arecorrect manually.
It's still a mystery how a simple Path-Traversal workaround could slip through Microsoft's main path-traversal feature for so many years. We suspect that many developers decided to reinvent the wheel themselves, which is why pen testing found nothing but bugs in many different proprietary implementations. Otherwise, we would expect a regular pen test on a large system dealing with file paths in C code to find this Path-Traversal anomaly.
Once again, we'd like to thank Chris Risvik of Mnemonic whose work led us to take a new look at RDP clients when we finally discovered a vulnerability, if not one, in MacOS RDP clients. As we stated in our earlier conclusion: "This study is a good example showing that a researcher can never know whether a particular research project has ended".