The bug is a remote implementation route that was reported to Microsoft almost a year ago as having only an effect on RDP and was unpatched until recently, when it was found that it had an influence on the Hyper-V product in Microsoft. Microsoft initially validated the finding but rejected a fix that “did not fulfill our service bar.” Eyal Itkin of Check Point released the technical information of the error in February as part of a major study covering several RDP vulnerabilities. He focused on the inverse RDP attack in which a remote server gains control of the client. This was because two RDP connected machines share the clipboard, so everything copied on the remote server can be pasted onto the local client.
RDP in virtual Hyper-V computers
There is an immediate link between virtualization and remote desktop technology, but Hyper-V depends on Hyper-V to enhance its functionality. However, Hyper-V improved session mode allows an RDP connection to virtual machines. The instruments and files are shared between the two systems. With enhanced session mode active, the relationship between the two products is apparent because both a virtual Hyper-V computer and a remote link via Microsoft’s RDP customer (mstsc. Exe) have the same settings window.
It also synchronizes the content of the clipboard and is enabled by default. Itkin used the same proof-of-concept script for the Hyper-V context that showed RDP fault and worked the same way. In this situation, however, the investigator has accomplished a virtual escape guest-to-host. The video on the PoC below demonstrates how the attacker can add a malicious file into the Host Startup directory by merely pasting a host-connected file to a malicious virtual machine, ensuring implementation on the next boot. Itkin informed BleepingComputer that a vulnerability could be used by an attacker to compromise computers of privileged business customers. By forcing an administrator under their command to link to a desktop or virtual machine, an opponent can escalate the assault. Presented with fresh results, Microsoft has altered its original position and released a vulnerability identification number (CVE-2019-0887) and July safety updates patch. If only subsequent updates can be installed, the investigator claims the default disabling of the shared clipboard will neutralize the vulnerability. Information on the attack and its inherent flaw is provided at the Black Hat US Security Conference where Itkin and Dana Baril, Microsoft’s safety software engineer, both speak from a defender’s point of view. In an article titled “Case Study in Industrial Collaboration: Poisoned RDP vulnerability disclosure and reaction,” Microsoft wrote on this vulnerability. The following declaration was also given to BleepingComputer: