He Said, She Said – Poisoned RDP Offense and Defense

Presented at Black Hat USA 2019, Aug. 7, 2019, 4 p.m. (50 minutes).

It's safe to assume that many people reading this text have heard of using the Remote Desktop Protocol (RDP) to connect to other machines. But has anyone ever considered that merely using RDP can compromise their own computer?

In this talk, we will not be covering a typical RDP vulnerability where a server is attacked - instead, we will show that just by connecting to a rogue machine, your own host can be reliably and silently compromised. Although there are numerous vulnerabilities in popular open source RDP clients, this talk heads straight for the crown jewel: the Microsoft Terminal Services Client, or MSTSC.EXE. Together, we will take a deep dive into the main synchronized resource between the client and the server: the clipboard. At the end of this journey, we will discover an inherent design problem with this resource synchronization, a design problem also inherited by Hyper-V.

For attackers, this design flaw enables new ways of escaping the sandbox. For defenders, there is a way to fight back. With the right optics, this technique can be detected using internal Windows telemetry.

In this collaborative talk, researchers from Check Point and Microsoft share the inside story of the attack from both the offensive and defensive perspectives.

Presenters:

  • Dana Baril - Security Software Engineer, Microsoft
    Dana Baril is a security software engineer with experience in some of the world's leading technology giants. She started her career in an elite Israeli military cyber intelligence unit, proceeded to a big data startup, and then joined Google in its Zurich HQ. For the past 3 years she has been working on Windows Defender Advanced Threat Protection at Microsoft, researching and developing new cyber security threat detections. Dana is passionate about Operating Systems and Windows Internals. Dana is an active volunteer with high school students, training the next generation of cyber security experts in Israel.
  • Eyal Itkin - Vulnerability Researcher, Check Point Software Technologies
    Eyal Itkin is a vulnerability researcher in the Malware and Vulnerability Research group at Check Point Software Technologies. Eyal has an extensive background in security research that includes years of experience with embedded network devices and protocols, bug bounties from all popular interpreted languages, and an award from Microsoft for his CFG enhancement white paper. When not breaking I2P or FAX, he loves bouldering, swimming, and thinking about the next target for his research.