Information

Module: Clipboard channel

Windows Remote Desktop Protocol client (MSTSC.exe) shares the client’s clipboard with the server’s clipboard by default.
The support for “copy & paste” of files is part of the clipboard sharing, and consists of special handling for the “CF_HDROP” and “FileGroupDescriptor” clipboard formats.

When a file is copied from the server to the client, the flow is the following:

  1. A file is copied in the server
  2. The client is notified that the server's clipboard holds the FileGroupDescriptor (FGD) format (other advertised formats are dropped by the client's block list)
  3. The paste operation requests the FileGroupDescriptor from the server
  4. The server converts this request into a CF_HDROP request from its own clipboard (done inside rdpclip.exe)
  5. The CF_HDROP data is verified, and converted manually into a FileGroupDescriptor format using the “HdropToFgdConverter::AddItemToFgd()” method
  6. rdpclip.exe passes the FGD to the RDP service
  7. The RDP service sends the FGD to the client
  8. The client TRUSTS the received FGD, performs no validation of it, and stores it in its clipboard
  9. Explorer.exe will now use this tainted data for storing the received files.

Because the client never validates the received FGD, a malicious server can send a specially crafted FileGroupDescriptor blob whose file name is a relative path of the form “..\..\some\path”.
When Explorer.exe resolves that name against the paste destination, the “..” components escape the target folder, so this path traversal lets the server drop arbitrary files into arbitrary file locations on the client’s computer.
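
As an added example, not code from the original advisory or from Check Point's research: a Python parser for the FILEGROUPDESCRIPTORW layout (the FGD in the flow above) that builds a constructed sample blob holding one benign name and one traversal name of the form described, then applies the two checks a client would need before using cFileName as a destination: a structural check on the name itself, and a canonicalization check that the resolved target stays inside the drop directory. The struct sizes, field offsets and flag constants are the documented Windows values; the drop directory, the sample names and the decision to treat “/” as a separator alongside “\” are assumptions of the example.

```python
"""Parse a FILEGROUPDESCRIPTORW clipboard blob and reject path-traversal names."""
import ntpath
import struct

MAX_PATH = 260
FILEDESCRIPTORW_SIZE = 592   # sizeof(FILEDESCRIPTORW)
CFILENAME_OFFSET = 72        # offset of cFileName inside FILEDESCRIPTORW
FD_ATTRIBUTES = 0x00000004
FD_FILESIZE = 0x00000040
FILE_ATTRIBUTE_NORMAL = 0x00000080


def build_fgd(names, file_size=0):
    """Serialize a FILEGROUPDESCRIPTORW with one FILEDESCRIPTORW per name.

    Used here only to construct sample blobs, including the kind a rogue
    server could send; rdpclip.exe builds real ones from CF_HDROP data.
    """
    blob = bytearray(struct.pack("<I", len(names)))              # cItems
    for name in names:
        raw = name.encode("utf-16-le")
        if len(raw) > (MAX_PATH - 1) * 2:
            raise ValueError("name does not fit in cFileName[MAX_PATH]")
        blob += struct.pack("<I", FD_ATTRIBUTES | FD_FILESIZE)    # dwFlags
        blob += bytes(16)                                          # clsid
        blob += bytes(8) + bytes(8)                                # sizel, pointl
        blob += struct.pack("<I", FILE_ATTRIBUTE_NORMAL)          # dwFileAttributes
        blob += bytes(24)                                          # three FILETIMEs
        blob += struct.pack("<II", file_size >> 32, file_size & 0xFFFFFFFF)
        blob += raw.ljust(MAX_PATH * 2, b"\x00")                   # cFileName
    return bytes(blob)


def parse_fgd(blob):
    """Return the cFileName strings of a FILEGROUPDESCRIPTORW blob.

    Rejects blobs whose cItems claims more descriptors than the data holds
    and names that are not NUL-terminated inside cFileName.
    """
    if len(blob) < 4:
        raise ValueError("blob shorter than cItems")
    (count,) = struct.unpack_from("<I", blob, 0)
    if len(blob) < 4 + count * FILEDESCRIPTORW_SIZE:
        raise ValueError("cItems exceeds available descriptors")
    names = []
    for i in range(count):
        start = 4 + i * FILEDESCRIPTORW_SIZE + CFILENAME_OFFSET
        field = blob[start:start + MAX_PATH * 2]
        text = field.decode("utf-16-le", errors="surrogatepass")
        if "\x00" not in text:
            raise ValueError("cFileName is not NUL-terminated")
        names.append(text.split("\x00", 1)[0])
    return names


def name_is_safe(name):
    """Structural check: relative, no '.'/'..'/empty components, no reserved chars.

    ':' in the reserved set also rejects drive-letter prefixes. Treating '/'
    as a separator is a hardening choice of this example (assumption).
    """
    if not name or name[0] in "\\/":
        return False
    if any(ch in '<>:"|?*' or ord(ch) < 32 for ch in name):
        return False
    parts = name.replace("/", "\\").split("\\")
    return all(part not in ("", ".", "..") for part in parts)


def resolves_inside(drop_dir, name):
    """Semantic check: does drop_dir\\name, once canonicalized, stay in drop_dir?

    ntpath models Windows path rules on any host.
    """
    drop_dir = ntpath.normpath(drop_dir)
    target = ntpath.normpath(ntpath.join(drop_dir, name))
    try:
        return ntpath.commonpath([drop_dir, target]) == drop_dir
    except ValueError:          # different drive, or UNC vs. drive path
        return False


def vet_fgd(blob, drop_dir):
    """Return [(name, accepted)] per descriptor; accepted only if both checks pass."""
    return [(n, name_is_safe(n) and resolves_inside(drop_dir, n))
            for n in parse_fgd(blob)]


# Constructed sample: one legitimate name and one of the traversal form described above.
SAMPLE_BLOB = build_fgd(["report.txt", "..\\..\\some\\path\\payload.exe"])

if __name__ == "__main__":
    for name, ok in vet_fgd(SAMPLE_BLOB, r"C:\Users\victim\Desktop"):  # assumed drop dir
        print(f"{'accept' if ok else 'REJECT'}  {name!r}")
```

Both checks are kept deliberately: a name such as “..\Desktop\x.txt” canonicalizes back inside the drop directory and would pass the second check alone, yet it is not something rdpclip.exe would ever emit for a copied file, so the structural check rejects it; conversely the canonicalization check catches absolute and UNC names that a purely lexical filter might mishandle.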



References:
https://research.checkpoint.com/reverse-rdp-attack-code-execution-on-rdp-clients
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0887
https://research.checkpoint.com/reverse-rdp-the-hyper-v-connection/