Information

Module: Clipboard channel

Windows Remote Desktop Protocol client (MSTSC.exe) shares the client’s clipboard with the server’s clipboard by default.
This sharing is restricted by two blacklists:

  1. A blacklist of known format IDs
  2. A blacklist of known format names

The FORMAT_LIST message carries a list of pairs <format id, format name>. Each half of a pair is checked independently
against the matching blacklist, so a pair is dropped only if its ID is on the ID list or its name is on the name list.

While programs shouldn’t rely on the specific ID allocated to a given format name (registered formats get their IDs at runtime),
in practice these IDs are stable and can easily be deduced in advance by an attacker. For example, “Object Descriptor” is practically always 0xC00E.

A malicious server can therefore send a FORMAT_LIST containing the pair <0xC00E, “”>. The empty name does not match the name blacklist,
and the registered ID is not on the ID blacklist, so the client accepts a clipboard format whose content it was supposed to refuse.
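The following added example (written for this page; it is not code from the original advisory or from the cited research) models the filtering described above on a Format List PDU in the long-format-name layout of MS-RDPECLIP: a 8-byte CLIPRDR header (msgType, msgFlags, dataLen) followed by entries of a 32-bit formatId and a null-terminated UTF-16LE name. The two blacklists and the "hardened" policy are assumptions for illustration, not MSTSC's real lists or the vendor's fix: the stricter filter drops any entry in the registered-ID range (0xC000 and above) that arrives without a name, since such an entry can only be identified by its ID, and pins the well-known ID of the blacklisted name.

```python
import struct

CB_FORMAT_LIST = 0x0002          # CLIPRDR msgType of a Format List PDU (MS-RDPECLIP)
REGISTERED_FORMAT_MIN = 0xC000   # RegisterClipboardFormat() allocates IDs from 0xC000 upwards

# Constructed, illustrative blacklists standing in for the client's two lists.
# The ID list only knows fixed, predefined formats; registered formats such as
# "Object Descriptor" are identified by name, which is exactly the weak spot.
BLACKLISTED_IDS = {0x000F}                    # CF_HDROP, assumed here as an example entry
BLACKLISTED_NAMES = {"Object Descriptor"}     # the named format the advisory discusses


def build_format_list(formats):
    """Build a Format List PDU with long format names.
    Each entry: formatId (u32 LE) followed by a null-terminated UTF-16LE name."""
    body = b"".join(struct.pack("<I", fid) + name.encode("utf-16-le") + b"\x00\x00"
                    for fid, name in formats)
    header = struct.pack("<HHI", CB_FORMAT_LIST, 0, len(body))   # msgType, msgFlags, dataLen
    return header + body


def parse_format_list(pdu):
    """Parse a Format List PDU into (formatId, formatName) pairs, validating the header."""
    if len(pdu) < 8:
        raise ValueError("PDU shorter than the CLIPRDR header")
    msg_type, _msg_flags, data_len = struct.unpack_from("<HHI", pdu, 0)
    if msg_type != CB_FORMAT_LIST or data_len != len(pdu) - 8:
        raise ValueError("not a well-formed Format List PDU")
    body, off, formats = pdu[8:], 0, []
    while off < len(body):
        if off + 4 > len(body):
            raise ValueError("truncated formatId")
        fid = struct.unpack_from("<I", body, off)[0]
        off += 4
        end = off
        while body[end:end + 2] != b"\x00\x00":   # scan for the UTF-16 terminator
            if end + 2 > len(body):
                raise ValueError("unterminated format name")
            end += 2
        formats.append((fid, body[off:end].decode("utf-16-le")))
        off = end + 2
    return formats


def vulnerable_filter(formats):
    """The check the advisory describes: ID and name are tested independently
    against their own blacklist, so <0xC00E, ""> passes both."""
    return [(fid, name) for fid, name in formats
            if fid not in BLACKLISTED_IDS and name not in BLACKLISTED_NAMES]


def hardened_filter(formats):
    """Assumed stricter policy (not the vendor's fix): a registered-range ID is only
    meaningful through its name, so refuse such an entry when the name is empty,
    and additionally pin the ID the blacklisted name practically always receives."""
    pinned_ids = {0xC00E}   # "Object Descriptor" is practically always 0xC00E
    kept = []
    for fid, name in formats:
        if fid in BLACKLISTED_IDS or name in BLACKLISTED_NAMES or fid in pinned_ids:
            continue
        if fid >= REGISTERED_FORMAT_MIN and not name:
            continue
        kept.append((fid, name))
    return kept


def demo():
    """Constructed malicious FORMAT_LIST: a legitimate standard format (CF_UNICODETEXT = 13,
    sent with an empty name as standard formats are) plus the forbidden format with its
    name blanked out. Returns what each filter lets through."""
    pdu = build_format_list([(13, ""), (0xC00E, "")])
    formats = parse_format_list(pdu)
    return vulnerable_filter(formats), hardened_filter(formats)


if __name__ == "__main__":
    print(demo())   # ([(13, ''), (49166, '')], [(13, '')])
```

Running demo() shows the vulnerable filter keeping the 0xC00E entry while the hardened one drops it; the same empty-name entry for a standard ID such as 13 is kept by both, which is why the hardened check has to key on the registered range rather than on the empty name alone.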

Impact

The blacklisted named formats are special metadata formats that Windows uses in various scenarios,
one of which is the “Paste Special” feature. For example, by sending a malformed “Object Descriptor” to the client, a server can crash
the client’s Office program when the user invokes “Paste Special”.



References:
https://research.checkpoint.com/reverse-rdp-attack-code-execution-on-rdp-clients