He Said, She Said – Poisoned RDP Offense and Defense

Presented at Black Hat USA 2019, Aug. 7, 2019, 4 p.m. (50 minutes)

It's safe to assume that many people reading this text have heard of using the Remote Desktop Protocol (RDP) to connect to other machines. But has anyone ever considered that merely using RDP can compromise their own computer?

In this talk, we will not be covering a typical RDP vulnerability where a server is attacked - instead, we will show that just by connecting to a rogue machine, your own host can be reliably and silently compromised. Although there are numerous vulnerabilities in popular open source RDP clients, this talk heads straight for the crown jewel: the Microsoft Terminal Services Client, or MSTSC.EXE. Together, we will take a deep dive into the main synchronized resource between the client and the server: the clipboard. At the end of this journey, we will discover an inherent design problem with this resource synchronization, a design problem also inherited by Hyper-V.

For attackers, this design flaw enables new ways of escaping the sandbox. For defenders, there is a way to fight back. With the right optics, this technique can be detected using internal Windows telemetry.

In this collaborative talk, researchers from Check Point and Microsoft share the inside story of the attack from both the offensive and defensive perspectives.

Presenters:

• Eyal Itkin - Vulnerability Researcher, Check Point Software Technologies
  Eyal Itkin is a vulnerability researcher in the Malware and Vulnerability Research group at Check Point Software Technologies. Eyal has an extensive background in security research, that includes years of experience in embedded network devices and protocols, bug bounties from all popular interpreter languages, and an award by Microsoft for his CFG enhancement white paper. When not breaking I2P or FAX, he loves bouldering, swimming, and thinking about the next target for his research.
• Dana Baril - Security Software Engineer, Microsoft
  Dana Baril is a security software engineer with experience in some of the world's leading technology giants. She started her career in an elite Israeli military cyber intelligence unit, proceeded to a big data startup, and then joined Google in its Zurich HQ. For the past 3 years she has been working on Windows Defender Advanced Threat Protection at Microsoft, researching and developing new cyber security threat detections. Dana is passionate about Operating Systems and Windows Internals. Dana is an active volunteer with high school students, training the next generation of cyber security experts in Israel.

Links:

• https://www.blackhat.com/us-19/briefings/schedule/#he-said-she-said--poisoned-rdp-offense-and-defense-15602
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2019/He Said, She Said - Poisoned RDP Offense and Defense.mp4
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2019/He Said, She Said - Poisoned RDP Offense and Defense.en.transcribed.srt (subtitles)
• https://www.youtube.com/watch?v=3wncyS-QOBk

Similar Presentations:

• DEF CON 31 (2023) / I Watched You Roll the Die: Unparalleled RDP Monitoring Reveal Attackers Tradecraft
• DerbyCon 9.0 Finish Line (2019) / Welcome to the Jumble: Improving RDP Tooling for Malware Analysis and Pentesting
• Black Hat Europe 2019 / Fuzzing and Exploiting Virtual Channels in Microsoft Remote Desktop Protocol for Fun and Profit