
It is obvious that the machine that is receiving a connection is exposed to malicious actions, but is there a risk for the machine that is remoting in, such as a virus or worm spreading through this connection?

Mycroft

1 Answer

Yes. Network clients are just as subject to parser or logic errors as network servers are. The server is sending your client complex structured data that needs to be processed and passed to other components (such as the display, speakers, etc.). In fact, the only difference between attacking clients and servers is that the attacker must wait for you to come to them, whereas an attacker can go to a client.

The most common clients to attack are web browsers, of course; people try to compromise those all the time (and frequently succeed, since the attack surface of a browser is enormous). RDP clients are probably a little less attackable than web browsers - no JS engine or anything similar - but they are also much less hardened (for example, they often don't run in a sandbox).

In addition to attacking security vulnerabilities in the code of an RDP client, a malicious server could also try to compromise the client's computer through features of RDP. For example, RDP allows the client to sync the clipboard (could give the attacker access to sensitive data) and even to expose local drives as network drives on the server (which the server could then read from or write to) and/or expose some types of peripherals such as smart cards and other security devices (which the server could use as though it was the client).

Note that this is not a comprehensive list of ways to attack an RDP client. However, if you're connecting to a server you think may be malicious, there are a number of things you can do that might help:

  • Use a sandboxed RDP client, or run the client in a VM or other sandbox.
  • Disable any sharing/sync features you don't absolutely need, in particular disable access to the local file system.
  • Disable other features that could increase attack surface, such as audio forwarding or fancy graphics options (RDP has at least experimented with allowing Direct3D code from apps running on the server to be executed on the client, which would allow attacking the GPU / graphics driver, for example).

Additionally, you should make sure you're connecting to the server you expect. Modern versions of RDP use asymmetric cryptography to identify themselves (similar to TLS or SSH servers) and encrypt the connection; if you can, get ahold of the server's certificate and mark it as trusted, and if the client says it doesn't recognize the server's cert, don't complete the connection.

CBHacking
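The answer above lists the RDP features worth switching off before connecting to an untrusted server (clipboard sync, drive and smart-card redirection, audio, and refusing to connect when the server certificate cannot be verified). The following is an added example, not code from the answer or from Microsoft: a small linter that parses an mstsc `.rdp` connection file, reports every redirection or authentication setting that is still permissive, and emits a hardened copy. The setting names are the documented `.rdp` keywords (`redirectclipboard`, `drivestoredirect`, `redirectsmartcards`, `authentication level`, and so on); the sample `.rdp` file and the hostname `rds.example.test` are constructed for this example. Certificate pinning itself is out of scope here, because mstsc stores trusted certificate hashes in the per-user registry rather than in the `.rdp` file; `authentication level:i:2` is the setting that makes the client refuse the connection when that check fails.

```python
"""Audit and harden a Microsoft .rdp connection file for client-side attack surface.

Added example for this Q&A page; not the original answer's code. The .rdp format
is one "name:type:value" line per setting, where type is i (integer), s (string)
or b (binary). Setting names are the documented mstsc keywords; the policy values
are this example's hardening choices, not mstsc defaults.
"""

# Hardening policy: setting -> (rdp type, required value, why a malicious server cares).
POLICY = {
    "redirectclipboard":    ("i", "0", "clipboard sync lets the server read and inject clipboard data"),
    "drivestoredirect":     ("s", "",  "local drives become network drives the server can read and write"),
    "redirectsmartcards":   ("i", "0", "the server can use the local smart card as though it were the client"),
    "redirectprinters":     ("i", "0", "printer redirection adds a spooler/driver parsing path on the client"),
    "redirectcomports":     ("i", "0", "serial port redirection exposes local peripherals"),
    "devicestoredirect":    ("s", "",  "plug-and-play devices are exposed to the server"),
    "usbdevicestoredirect": ("s", "",  "raw USB redirection exposes local hardware to the server"),
    "audiomode":            ("i", "2", "2 = do not play audio; avoids parsing server-supplied audio streams"),
    "authentication level": ("i", "2", "2 = do not connect if the server certificate cannot be verified"),
}

# Constructed sample: a typical permissive .rdp file as saved by the default mstsc UI.
WEAK_RDP = """\
screen mode id:i:2
full address:s:rds.example.test:3389
redirectclipboard:i:1
drivestoredirect:s:*
redirectsmartcards:i:1
redirectprinters:i:1
audiomode:i:0
authentication level:i:0
"""


def parse_rdp(text):
    """Parse .rdp text into {name: (type, value)}.

    Values may themselves contain ':' (e.g. 'full address:s:host:3389'), so the
    line is split on the first two colons only.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[1] not in ("i", "s", "b"):
            raise ValueError(f"malformed .rdp line: {raw!r}")
        name, typ, value = parts
        settings[name.strip().lower()] = (typ, value)
    return settings


def audit_rdp(settings):
    """Return one finding per policy setting that is absent or not at the required value.

    An absent setting is reported too: the client then falls back to its own
    default, which for most redirection settings means 'enabled'.
    """
    findings = []
    for name, (_typ, required, why) in POLICY.items():
        entry = settings.get(name)
        actual = entry[1] if entry else None
        if actual != required:
            findings.append({"setting": name, "actual": actual, "required": required, "why": why})
    return findings


def harden_rdp(settings):
    """Return a copy of the settings with every policy value forced to its required state."""
    hardened = dict(settings)
    for name, (typ, required, _why) in POLICY.items():
        hardened[name] = (typ, required)
    return hardened


def serialize_rdp(settings):
    """Write settings back out in .rdp syntax (one 'name:type:value' per line)."""
    return "".join(f"{name}:{typ}:{value}\n" for name, (typ, value) in settings.items())


if __name__ == "__main__":
    original = parse_rdp(WEAK_RDP)
    for f in audit_rdp(original):
        print(f"[!] {f['setting']}: is {f['actual']!r}, want {f['required']!r} ({f['why']})")
    print("--- hardened .rdp ---")
    print(serialize_rdp(harden_rdp(original)), end="")
```

Run it as-is to see the nine findings for the constructed file and the hardened output; point `parse_rdp` at a real saved `.rdp` file to audit your own connection profiles. The hardened file still has to be opened in a client that honours these keywords (mstsc does), and the certificate decision still rests on the client's prompt: if it says the server's certificate is not recognised, do not continue.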