Microsoft released a patch for the Reverse RDP Attack vulnerability (CVE-2019-0887) as part of Patch Tuesday update in July 2019, but it turned out that replacing the backward slashes with forward slashes in paths still bypasses it.
While the Reverse Remote Desktop Protocol (RDP) Attack resulted a client system flaw to a path traversal vulnerability which could be compromised by remotely accessing a server through Microsoft's Remote Desktop Protocol.
The company acknowledged the improper fix and re-issued a patch for the flaw in February 2020 Patch Tuesday update, marked as CVE-2020-0655; though Microsoft added a separate workaround in Windows, it left out the root of the bypass issue, the "PathCchCanonicalize" API function.
Why Microsoft’s core Path-Traversal check still wasn’t fixed?
According to researchers at Check Point, the Path-Traversal vulnerability was due to lack of sanitation checks on the file paths that included inside the incoming FileGroupDescriptorW clipboard format.
Albeit, Microsoft followed their own best practice by adding a validation check based on the function PathCchCanonicalize, which can be seen in below image:
The canonicalized output, if successful is then compared to the original filename, and any mismatch results in an error. That is to say, if the filename contains strings of the form . or .., it changes to the canonicalized form when converted, and thus failing the validity check.
How third-party Clients are Still Vulnerable
As Microsoft neglected to fix the vulnerability in the official API, all programs that were written with Microsoft's best practices will still be vulnerable to a Path-Traversal attack.
The main vulnerability is still not rectified, therefore Check Point cautions that the implications of a simple bypass to a core Windows path sanitation function still poses a serious risk to other software products.
Interestingly, the flaw was discovered when the researchers tried to examine Microsoft's Remote Desktop client for Mac, which RDP client was left out from the initial analysis last year, and surprisingly, the macOS RDP client in itself isn't vulnerable.
No comments