Module: Clipboard channel
Windows Remote Desktop Protocol client (MSTSC.exe) shares the client’s clipboard with the server’s clipboard by default.
This sharing is limited by two sets of black lists:
- Black list of known format IDs
- Black list of known format names
The FORMAT_LIST message contains a list of pairs of format identifiers: <format id, format name>.
Each part of the pair will be filtered using the matching black list.
While programs shouldn’t rely on the specific IDs that were allocated to a given format name, these IDs are practically fixed,
and can be easily deduced in advance by an attacker. For example, “Object Descriptor” is practically always 0xC00E.
A malicious server can send a FORMAT_LIST with the pair <0xC00E, “”>, thus bypassing the named black list and still delivering
the forbidden clipboard format to the client.
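The filtering gap described above, as an added example that is not code from MSTSC.exe or from the original report: a model of the two independent black lists next to a stricter filter that also checks the name an ID resolves to on the client. Only 0xC00E and “Object Descriptor” come from the text; the black list entries, the local name table and the sample FORMAT_LIST are constructed assumptions.

```python
# Added example: model of the two-list filter and a stricter variant.
# Only 0xC00E / "Object Descriptor" come from the page; other values are constructed.

REGISTERED_IDS = range(0xC000, 0x10000)   # range used by RegisterClipboardFormat
ID_BLACKLIST = {0x0081}                    # constructed placeholder entry
NAME_BLACKLIST = {"object descriptor"}     # the page's example, lower-cased

# Constructed stand-in for the client's own ID -> name table.
LOCAL_NAMES = {0xC00E: "Object Descriptor", 0xC0A1: "HTML Format"}


def blocked_name(name):
    return name.strip().lower() in NAME_BLACKLIST


def naive_filter(pairs):
    """Each half of the pair is checked only against its own list."""
    return [(fid, name) for fid, name in pairs
            if fid not in ID_BLACKLIST and not blocked_name(name)]


def strict_filter(pairs, local_names=LOCAL_NAMES):
    """Also check the name the ID resolves to locally; drop unresolvable IDs."""
    kept = []
    for fid, name in pairs:
        if fid in ID_BLACKLIST or blocked_name(name):
            continue
        if fid in REGISTERED_IDS:
            local = local_names.get(fid, "")
            if blocked_name(local):          # ID maps to a forbidden format
                continue
            if not name and not local:       # nothing to check by name: drop
                continue
        kept.append((fid, name))
    return kept


# Constructed FORMAT_LIST: plain text (13 = CF_UNICODETEXT), the named and
# unnamed variants of the page's example, and an unrelated registered format.
SAMPLE = [(13, ""), (0xC00E, "Object Descriptor"), (0xC00E, ""),
          (0xC0A1, "HTML Format")]

if __name__ == "__main__":
    print("naive :", naive_filter(SAMPLE))
    print("strict:", strict_filter(SAMPLE))
```

The naive filter lets the unnamed 0xC00E entry through because an empty name matches nothing on the name list; the strict filter drops it because the ID itself resolves to a black listed name.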
The black listed named formats represent special meta-data formats used by Windows in various scenarios.
One such use case is the “Paste Special” case. For example, by sending a malformed “Object Identifier” to the client, a server can crash
the client’s Office program when the user invokes the “Paste Special” feature.