Although most people seem to share entire drives with RDP, it is possible to share individual folders, by mapping them to a drive for example with subst <lettertomap>: <pathtofolder>
(for other ways see raymond.cc ).
Obvious commands such as ..\
do not appear to allow "escaping" from the folder (reading or interacting with other parts of the file system) from the remote machine, at least when mapping with subst
.
It actually appears that the ..\
sequences are ignored (e.g. if there is a <mapped drive>\a folder,
dir :....\a` lists its contents).
I also made a couple of tests with the ps* utilities, none of which succeeded in accessing anything, but it might well have been due to the particular configuration/firewall of my local system.
In any case, this is far from a complete vulnerability assessment, so I ask you:
Are there any features or vulnerabilities that allow to "escape" from the folder (to its parent or other folders) from the remote machine? If yes, what are they?
Limits:
I don't restrict the question to the currently supported Windows versions, do post vulnerabilities that affect only older ones.
I do restrict it to Windows mstsc.exe clients, I imagine that each other client/operating systems has its own way of implementing the feature.
And I do restrict it to mapping folders through native Windows features, though I'd consider any native win32 or .NET Framework feature fair game, and so rule out only utilities that install drivers of their own.
I would leave out file-based attacks that cause malicious code to run by the licit (permitted by the shared folder's ACLs) addition or modification of files (through vulnerabilities in the local shell, shell extensions, drivers etc.), since it's fairly obvious that they apply.
If you happen to have some convenient list of them, though, do include it in the answer, as a bonus to the readers, so as to give them a more complete idea of the feature's security.
One thing which would for sure be interesting to know instead is what kinds of file system modifications RDP allows: only file contents and names, or also ACLs, streams etc.? This could allow one to delimit the range of attacks that are applicable. So do include this information if you are aware of it.
Note 1: I realize that this question is largely about the "security" of the mapping features themselves. I considered asking about that first, but such a question would be more complex to explain and would have an unnecessarily broader scope (unnecessarily since a "vulnerability" in the mapping only becomes a problem when used in applications such as RDP).
Note 2: this question is somewhat similar to mine, but is more generic and ended up devolving in other things, so I think it's correct to post this new one.