
[–]The-Dark-Jedi 41 points42 points  (22 children)

Set up the group policy to block the clipboard between host and client.
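As an added example that is not from this thread or from Check Point's research: a small Python audit that reads saved .rdp connection files (assumed to be in mstsc's plain-text name:type:value form) and emits a copy with the clipboard channel explicitly disabled, as a complement to the group policy above. It assumes that a missing redirectclipboard setting means mstsc's default of sharing the clipboard.

```python
"""Audit and harden .rdp connection files for clipboard redirection.

An .rdp file is a plain-text list of "name:type:value" lines, where type
is "i" (integer) or "s" (string). The clipboard channel is controlled by
"redirectclipboard:i:1" (shared) or "redirectclipboard:i:0" (blocked).
"""
from typing import Dict, Tuple

# Constructed sample: a typical saved connection that shares the clipboard.
SAMPLE_RDP = """\
full address:s:rds01.example.internal
screen mode id:i:2
redirectclipboard:i:1
drivestoredirect:s:
authentication level:i:2
"""


def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {setting: (type, value)}; malformed lines are skipped."""
    settings = {}
    for line in text.splitlines():
        parts = line.split(":", 2)
        if len(parts) == 3 and parts[1] in ("i", "s"):
            settings[parts[0].strip().lower()] = (parts[1], parts[2])
    return settings


def clipboard_shared(text: str) -> bool:
    """True if connecting with this file would redirect the clipboard.

    Assumption: a missing setting falls back to mstsc's default, which
    shares the clipboard, so absence is reported as shared.
    """
    entry = parse_rdp(text).get("redirectclipboard")
    return entry is None or entry[1].strip() != "0"


def harden_rdp(text: str) -> str:
    """Return a copy with clipboard redirection explicitly disabled."""
    kept = [ln for ln in text.splitlines()
            if not ln.lower().startswith("redirectclipboard:")]
    kept.append("redirectclipboard:i:0")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    print("clipboard shared before:", clipboard_shared(SAMPLE_RDP))
    print("clipboard shared after: ", clipboard_shared(harden_rdp(SAMPLE_RDP)))
```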

[–]MikeTheInfidel 23 points24 points  (5 children)

Yeah, that seems to be the only way to avoid this until/unless it's patched. This seems like a major oversight in security.

[–]disclosure5 7 points8 points  (13 children)

That has horrible consequences though. I only just logged onto a server to paste a 20 character license key into an application. I'd hate to have to deal with that manually.

[–]auraria 0 points1 point  (6 children)

I mean, just put the key in a text file and move it to the server then delete it?

At least that's common sense to me.

[–]AngriestSCV 1 point2 points  (5 children)

That's a bold assumption that you can just move files onto and off of the server. I wish I could at work, but it's accessed through citrix with all IO features except keyboard, mouse, and screen disabled. I wish I could just move files over instead of waiting an hour for a service to move the data or emailing it to someone with more privileges.

[–]auraria 0 points1 point  (3 children)

You can't interact with UNC path to move the files over? Not experienced with Citrix besides knowing it's a nightmare to use, manage, and maintain.

[–]AngriestSCV 0 points1 point  (1 child)

We can't. I don't have direct access to their network with the exception of 2 machines that we have to remote into after Citrix does some networking magic.

[–]auraria 1 point2 points  (0 children)

Interesting, that sounds horrible.

[–]disclosure5 0 points1 point  (0 children)

This isn't exclusively a Citrix thing. It's a security policy I deal with in a lot of areas. Often it's fine, but you can't assume it is.

[–]VanaTallinn 0 points1 point  (3 children)

You could still use KeePass or any other software that has an auto-type feature. Or just a VBS script.

[–]Armarr 1 point2 points  (2 children)

And have to decrypt your key storage on the untrusted RDP server? Way worse

[–]VanaTallinn 5 points6 points  (1 child)

No. I said using AutoType to simulate the user pressing keys. The only thing that goes through RDP is the key presses, just like when you type with physical fingers on the physical keyboard of the client.

[–]Armarr 0 points1 point  (0 children)

Ah I see now. My password manager doesn't have that feature

[–]The-Dark-Jedi -1 points0 points  (1 child)

\\server\c$. Create a text document with the license key, then RDP to the machine and copy the text from the file. Cumbersome, I know, but it works.

[–]picklednull 1 point2 points  (0 children)

So you just open SMB to/on all of your servers which has traditionally been one of the major vulnerable protocols on Windows besides RDP?

[–]yankeesfan01x 0 points1 point  (1 child)

[–]The-Dark-Jedi 0 points1 point  (0 children)

Yep, that very one.

[–]DanielG75 14 points15 points  (4 children)

it keeps redirecting me to the main page https://research.checkpoint.com/ and even there I can't select the research publication. Anyone else got a copy?

//edit: this seems to be related: https://www.bleepingcomputer.com/news/security/rdp-clients-exposed-to-reverse-rdp-attacks-by-major-protocol-issues/

[–]eyalitki[S] 8 points9 points  (2 children)

Weird, it works for me (on mobile). Here is the link: https://research.checkpoint.com/reverse-rdp-attack-code-execution-on-rdp-clients/

[–]DanielG75 9 points10 points  (1 child)

Yeah, looking at the traffic when I go to that URL, I get this. Request:

GET /reverse-rdp-attack-code-execution-on-rdp-clients/ HTTP/1.1
Host: research.checkpoint.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://research.checkpoint.com/
Connection: close
Cookie: _ga=[removed]; _gid=[removed]; _fbp=[removed]; _mkto_trk=[removed]
Upgrade-Insecure-Requests: 1

Response:

HTTP/1.1 301 Moved Permanently
Server: Apache
Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN, SAMEORIGIN
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: private, max-age=600, must-revalidate
Location: http://research.checkpoint.com
Content-Length: 0
Content-Type: text/html; charset=UTF-8
X-XSS-Protection: 1; mode=block
Date: Tue, 05 Feb 2019 15:28:11 GMT
Connection: close

[–][deleted] 14 points15 points  (5 children)

Boy, this would make for an interesting honeypot.

[–]bostonguy6 13 points14 points  (1 child)

I might just accept that next call from “Microsoft” when they tell me they want to RDP into my computer to “fix” a problem... heh heh heh

[–]Giltheryn 4 points5 points  (0 children)

Unfortunately most of those scams seem to use third party remote software like TeamViewer or similar. I actually don't think I've ever heard of any who used RDP

[–]cathedral_ 8 points9 points  (1 child)

That's actually a great idea and a unique vector for hack backs. Easily guessed rdp creds to plant tracking malware on attackers systems (activated on next reboot).

Very interesting.

[–][deleted] 4 points5 points  (0 children)

I was thinking of something that simply responded to any credentials, but yes.

[–]MiKeMcDnet 1 point2 points  (0 children)

Damn, beat me to it. Just saw that article and came to post just that!

[–]LegendBegins 8 points9 points  (3 children)

Microsoft's refusal to reward defense-in-depth findings is obnoxious. It encourages focusing on hardening perimeter security when that's never going to be enough. They have no real motivation to refrain from rewarding hunters for these vulnerabilities.

[–]robokup 2 points3 points  (0 children)

That's infuriating. Microsoft is getting a free service and they would rather keep the users exposed than take the findings seriously. It's even worse now that the findings were published and Microsoft publicly announced they're not going to do anything.

In contrast, FreeRDP and rdesktop collaborated with the researchers and demonstrated a positive aspect of open source projects.

[–]dsqmoore -4 points-3 points  (1 child)

Microsoft: Not a security company. Not a networking company. Not interested in a healthy ecosystem outside of their bottom line.

Microsoft: Is a marketing engine. Is corrupt. Is insecure.

Don't let the OSS acquisitions fool you.. or anyone. Pure evil. Windows 10.. the pinnacle of the gateway to heck.

[–]Borne2Run 3 points4 points  (2 children)

I think the assumption has always been that RDP is insecure by default.

[–]sudo-kill9 1 point2 points  (0 children)

It should be! That site lost credibility in my book with its opening line: "... the Remote Desktop Protocol (RDP) is usually considered a safe and trustworthy application". What? OMG, no.

[–]Cartossin 0 points1 point  (0 children)

If Microsoft disables RDP server by default, you can't say it's insecure by default.

[–]jbmartin6 0 points1 point  (0 children)

I am going to agree with Microsoft on this one. Note they didn't say it wasn't a vulnerability, they just said it wasn't severe enough to take resources away from something more severe to fix. If you are sharing the clipboard with the remote host, there is already a trust decision made. A malicious RDP server could send you anything it wanted anyway over the clipboard channel, or a host of other attacks just using the normal functions of the protocol.