
A way to bypass the Windows lock screen on RDP sessions

Recently, a security researcher revealed the details of a new vulnerability in the Microsoft Windows Remote Desktop Protocol (RDP).







The vulnerability, tracked as CVE-2019-9510, lets an attacker with access to the RDP client machine bypass the lock screen of an established remote desktop session.



The vulnerability was discovered by Joe Tammariello of the Software Engineering Institute at Carnegie Mellon University. Exploitation requires that the RDP connection uses Network Level Authentication (NLA). Notably, NLA is exactly what Microsoft itself recently recommended as a mitigation for the BlueKeep RDP vulnerability (CVE-2019-0708).


As Will Dormann, an analyst at CERT/CC, confirms: if a network anomaly causes a temporary disconnection of the RDP connection while the client is already connected to the server and the remote session is locked, then “after reconnection, the RDP session will be restored to an unlocked state, regardless of how the remote system was left.”



“Beginning with Windows 10 1803 and Windows Server 2019, NLA-based RDP session handling has changed in a way that can lead to unexpected behavior regarding session locking,” Dormann explains in his write-up.



“Two-factor authentication systems that integrate with the Windows login screen, such as Duo Security MFA, can also be bypassed using this mechanism. Any sign-in banners used by the organization will also be bypassed.”



Proof of concept



A video by Leandro Velasco of the KPN Security Research Group demonstrates how easily the vulnerability can be exploited.





CERT describes the attack scenario as follows:





In other words, exploiting the vulnerability is trivial: the attacker only needs to interrupt the network connection of the machine running the RDP client, and when the client automatically reconnects, the remote session comes back unlocked.

However, because the attacker needs physical access to such a machine (one with an active RDP session whose remote screen is locked), the scenario applies only in a fairly narrow set of cases.



Tammariello reported the vulnerability to Microsoft on April 19, but the company replied that “the behavior does not meet the Microsoft Security Servicing Criteria for Windows,” meaning that Microsoft does not plan to fix the issue in the near future.



Users can nevertheless protect themselves against this behaviour by locking the local system rather than the remote one, and by disconnecting remote desktop sessions instead of merely locking them, since resuming a disconnected session requires authenticating again.
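As an added example (this is not code from the article, from CERT/CC or from Microsoft), the following PowerShell puts the two preconditions and the workaround into checkable form: a function that reports whether a host is on an affected build with NLA required, a helper that disconnects rather than locks when run inside an RDP session, and a detection for the RDP server that pairs session-disconnect and session-reconnect audit events, which is what a dropped client connection followed by auto-reconnect looks like in the log. The function names, the 60-second window and the build-number threshold are my own choices; the registry path, the Win32_OperatingSystem class and Security event IDs 4778/4779 are standard Windows.

```powershell
# Added example, not code from the article or from CERT/CC. Assumes Windows
# PowerShell 5.1 or later, and local admin rights for the RDP listener
# registry read and for reading the Security event log.

function Test-RdpLockBypassExposure {
    # Reports whether this host meets the two preconditions from the article:
    # an affected build (Windows 10 1803 / Windows Server 2019 and later) and
    # NLA required on the RDP listener.
    [CmdletBinding()]
    param()

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    # Windows 10 1803 is build 17134; Windows Server 2019 is build 17763.
    $affectedBuild = $build -ge 17134

    # UserAuthentication = 1 on the RDP-Tcp listener means NLA is required.
    $listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $nla = (Get-ItemProperty -Path $listener -Name UserAuthentication).UserAuthentication -eq 1

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        BuildNumber   = $build
        AffectedBuild = $affectedBuild
        NlaRequired   = $nla
        Exposed       = ($affectedBuild -and $nla)
    }
}

function Invoke-SafeWalkAway {
    # The article's workaround: inside an RDP session, disconnect instead of
    # locking (resuming a disconnected session requires authenticating again);
    # on the local console, lock the local machine rather than the remote one.
    [CmdletBinding()]
    param()

    if ($env:SESSIONNAME -like 'RDP-*') {
        # Running inside a remote desktop session: disconnect it.
        tsdiscon.exe
    }
    else {
        # Running on the local console: lock the local workstation.
        & rundll32.exe 'user32.dll,LockWorkStation'
    }
}

function Get-RdpQuickReconnect {
    # Detection on the RDP server: pair a 4779 (session disconnected) with the
    # next 4778 (session reconnected) for the same logon session and report
    # pairs closer together than $WindowSeconds. Locking a session produces
    # neither event, so a disconnect/reconnect pair on a session the user had
    # left locked is the footprint of a dropped connection plus auto-reconnect.
    [CmdletBinding()]
    param(
        [int]$WindowSeconds = 60,   # my choice; tune to your environment
        [int]$MaxEvents     = 2000
    )

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4778, 4779 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
              Sort-Object TimeCreated

    $lastDisconnect = @{}
    foreach ($ev in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # LogonID stays the same across a disconnect/reconnect of one session.
        $key = $data['LogonID']

        if ($ev.Id -eq 4779) {
            $lastDisconnect[$key] = $ev.TimeCreated
        }
        elseif ($ev.Id -eq 4778 -and $lastDisconnect.ContainsKey($key)) {
            $gap = ($ev.TimeCreated - $lastDisconnect[$key]).TotalSeconds
            if ($gap -le $WindowSeconds) {
                [pscustomobject]@{
                    Account       = '{0}\{1}' -f $data['AccountDomain'], $data['AccountName']
                    LogonId       = $key
                    ClientName    = $data['ClientName']
                    ClientAddress = $data['ClientAddress']
                    Disconnected  = $lastDisconnect[$key]
                    Reconnected   = $ev.TimeCreated
                    GapSeconds    = [math]::Round($gap, 1)
                }
            }
            $lastDisconnect.Remove($key)
        }
    }
}

# Usage (on the RDP server):
#   Test-RdpLockBypassExposure
#   Get-RdpQuickReconnect -WindowSeconds 30 | Format-Table
# Usage (inside the remote session, instead of pressing Win+L):
#   Invoke-SafeWalkAway
```

Events 4778 and 4779 are only written when the "Audit Other Logon/Logoff Events" subcategory is enabled on the server, so check that before relying on the detection. A short disconnect/reconnect pair is not proof of an attack on its own (flaky Wi-Fi produces the same pattern); its value is in correlating it with the client address and with what the session did right after reconnecting.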

Source: https://habr.com/ru/post/454928/


