Microsoft Ignored RDP Vulnerability Until it Affected Hyper-V

A vulnerability in Microsoft's Remote Desktop Protocol (RDP) can also be used to escape virtual machines running on Hyper-V, the virtualization technology in Azure and Windows 10.

The bug is a path traversal that leads to remote execution and was reported to Microsoft almost a year ago as affecting only RDP and remained unpatched until recently, when it was discovered that it impacts Microsoft's Hyper-V product.

Initially, Microsoft validated the finding but dismissed a fix motivating that it did "not meet our bar for servicing."

Eyal Itkin from Check Point published in February the technical details about the flaw as part of a larger research that covered multiple RDP vulnerabilities. His focus was on achieving a reverse RDP attack, where the server of a remote connection gains control over the client.

This was possible because two machines connected through RDP share the clipboard, which means that whatever is copied on the remote server can be pasted on the local client.

RDP in Hyper-V virtual machines

A connection between virtualization and remote desktop technology is not immediately apparent, but in the case of Hyper-V, the former relies on the latter for increased functionality.

However, the Enhanced Session Mode in Hyper-V enables an RDP connection to virtual machines. This is used to share devices and files between the two systems.

With Enhanced Session Mode active, the relation between the two products becomes evident as the same settings window is available for both a Hyper-V virtual machine and a remote connection via Microsoft's RDP client (mstsc.exe).

It also serves to synchronize clipboard content, and it is turned on by default. Itkin applied to the Hyper-V context the same proof-of-concept script that demonstrated the flaw in RDP and it worked the same.

In this case, though, the researcher achieved a guest-to-host virtual machine escape. In the PoC video below the researcher shows how simply pasting a file on the host connected to a malicious virtual machine enables the attacker to add a malicious file in the host's Startup folder, thus ensuring execution at the next reboot.

Itkin told BleepingComputer that an attacker could use this vulnerability to compromise computers of privileged users in a company.

By forcing an administrator to connect to a computer or virtual machine under their control, an adversary can escalate the attack.

Presented with the new findings, Microsoft changed its initial stance and issued an identification number (CVE-2019-0887) for the vulnerability and a patch with July's security updates.

If installing the latest updates is only possible at a later time, the researcher says that disabling the shared clipboard, which is on by default, neutralizes the vulnerability.

Details about the attack and the underlying flaw that enabled it are presented at the Black Hat USA security conference where Itkin and Dana Baril, security software engineer at Microsoft, talk from the perspective of both an attacker and a defender.

Microsoft wrote about this vulnerability in an article titled "A case study in industry collaboration: Poisoned RDP vulnerability disclosure and response". 

They also issued the following statement to BleepingComputer:

“A security update was released in July. Customers who apply the update, or have automatic updates enabled, will be protected. We continue to encourage customers to turn on automatic updates to help ensure they are protected.”