Module: Clipboard channel
Windows Remote Desktop Protocol client (MSTSC.exe) shares the client’s clipboard with the server’s clipboard by default.
The support for “copy & paste” of files is part of the clipboard sharing, and consists of special handling for the “CF_HDROP” and “FileGroupDescriptor” clipboard formats.
When a file is copied from the server to the client, the flow is the following:
- A file is copied in the server
- The client is notified that the server has clipboard format of FileGroupDescriptor (the rest fall in the black list)
- The paste operation requests the FileGroupDescriptor from the server
- The server converts this request into a CF_HDROP request from its own clipboard (done inside rdpclip.exe)
- The CF_HDROP data is verified, and converted manually into a FileGroupDescriptor format using the “HdropToFgdConverter::AddItemToFgd()” method
- rdpclip.exe passes the FGD to the RDP service
- The RDP service sends the FGD to the client
- The client TRUSTS the received FGD and stores it in it’s clipboard
- Explorer.exe will now use this tainted data for storing the received files.
A malicious server can send a specially crafted FileGroupDescriptor blob that contains a relative file path of the form “....\some\path”,
thus using a path traversal attack to drop arbitrary files into arbitrary file locations on the client’s computer.