Companies like Microsoft have made significant investments in their ability to respond to vulnerability reports, fix the issues, and regularly release security updates. Despite their best efforts, patches are sometimes incomplete, and they have to go back and fix the same flaw again.
That appears to be the case for a security vulnerability in Remote Desktop Protocol (CVE-2020-0655) that Microsoft fixed back in February. The update fixed the problem in the built-in Windows RDP client, but not the underlying issue in the application programming interface (API), said Check Point, the company that discovered the original vulnerability (originally tracked as CVE-2019-0887). While the update addresses the flaw in the Windows client, third-party RDP clients that rely on the API function “PathCchCanonicalize” remain vulnerable.
Attackers can still access sensitive information, modify critical files, steal password files, expose application source code, and carry out other malicious activities, Check Point said.
The original vulnerability, which Check Point reported last summer, could be exploited to trigger a “reverse RDP attack,” where an attacker with control over the RDP server could manipulate the RDP client. Typically, RDP is used so that someone can remotely access a Windows machine and perform actions on that server. In this case, the process was reversed, so that if an attacker could trick a victim into connecting to a remote server over RDP, the attacker could access, read, and manipulate files they normally wouldn’t be able to access.
If an IT staff member tried to connect to a remote corporate computer that was infected by malware, the malware would be able to follow the RDP connection back to attack the IT staff member's computer, Check Point said.
Microsoft fixed the flaw in the RDP client by adding a workaround in Windows, but left the “PathCchCanonicalize” function unchanged, Check Point said. The API function is used to sanitize file paths, to make sure that user-provided inputs are properly formatted and valid. The researchers found that the function could be bypassed if the attacker used a forward slash in the file path rather than a backslash. This meant attackers could carry out path traversal attacks, where the attacker could save the file into any location on the victim machine because the program accepted the file without properly verifying it.
In essence, it meant that an attacker could use the shared RDP clipboard to send files to an arbitrary location on the victim machine and remotely execute those files.
"In CVE-2020-0655, Microsoft addressed the '\' issue independently in the RDP handling code, without fixing the PathCchCanonicalize function," Check Point said.
Check Point discovered this when testing the RDP client for macOS. Other third-party RDP clients that rely on Microsoft’s API function are vulnerable because the attacker can bypass the code that sanitizes and validates file paths.
“The simple replacement of \ to / in our malicious RDP server was enough to bypass Microsoft’s patch!” Check Point said.
The update itself is effective in addressing the vulnerability as it relates to Microsoft's built-in RDP client, but IT staff should be aware that other RDP clients may be impacted. Developers of these clients should fix their applications manually, since the file paths are not being sanitized properly at this time.
"We want developers to be aware of this threat, so that they could go over their programs and manually apply a patch against it," Check Point said.
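The following C example, added here and not taken from Check Point's research or from Microsoft's code, shows why a canonicalization check that only understands backslashes lets a forward-slash name through, and what the manual fix developers are being asked for looks like: convert every `/` to `\` before canonicalizing, then require the canonical result to stay under the intended directory. The canonicalizer is a simplified stand-in written for this example, not the real PathCchCanonicalize; the base directory and file names are constructed sample values.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PATH_MAX_LEN 260

/* Stand-in canonicalizer that, like the behaviour described above, treats only
 * '\' as a separator (a model written for this example, not the real
 * PathCchCanonicalize). Drops "." segments, resolves "..", and fails if ".."
 * would climb above the first segment or the output does not fit. */
static bool canonicalize_backslash_only(const char *in, char *out, size_t outlen)
{
    char buf[PATH_MAX_LEN], *segs[64];
    size_t n = 0;
    if (strlen(in) >= sizeof buf) return false;
    strcpy(buf, in);
    for (char *tok = strtok(buf, "\\"); tok; tok = strtok(NULL, "\\")) {
        if (strcmp(tok, ".") == 0) continue;
        if (strcmp(tok, "..") == 0) { if (n <= 1) return false; n--; continue; }
        if (n == sizeof segs / sizeof segs[0]) return false;
        segs[n++] = tok;
    }
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (strlen(out) + strlen(segs[i]) + 2 > outlen) return false;
        if (i) strcat(out, "\\");
        strcat(out, segs[i]);
    }
    return true;
}

/* Joins base with a client-supplied name, canonicalizes, and requires the
 * result to stay under base. With normalize_slashes=false this is the
 * bypassable check: "../../evil.exe" is never split, so it passes the prefix
 * test as one odd file name even though the file system will later honour
 * the '/' separators. With normalize_slashes=true every '/' becomes '\' first,
 * so the traversal is resolved by the canonicalizer and rejected. */
bool resolve_under_base(const char *base, const char *name, bool normalize_slashes,
                        char *out, size_t outlen)
{
    char joined[PATH_MAX_LEN];
    if (snprintf(joined, sizeof joined, "%s\\%s", base, name) >= (int)sizeof joined)
        return false;
    if (normalize_slashes)
        for (char *p = joined; *p; p++) if (*p == '/') *p = '\\';
    if (!canonicalize_backslash_only(joined, out, outlen)) return false;
    size_t blen = strlen(base);
    /* "base\" must be a strict prefix, so "Downloads2" cannot pose as "Downloads". */
    return strncmp(out, base, blen) == 0 && out[blen] == '\\';
}
```

The prefix check after canonicalization matters as much as the slash normalization: relying on the canonicalizer to reject traversal on its own leaves no defence when a separator it does not recognize slips through.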
The February patch is actually Microsoft’s second attempt at addressing the vulnerability. The original security update was released last July, and Microsoft followed up with another update in February after researchers found that they were able to bypass the patch. Check Point said it had notified Microsoft about the latest issues with the patch, but had not yet received a response.
“Not only can we bypass Microsoft’s patch, we can bypass any path canonicalization check performed according to Microsoft’s best practice,” Check Point said.