Way to Bypass Windows Lock Screen on RDP Sessions
The other day, a security researcher revealed the details of a new vulnerability in the Microsoft Windows Remote Desktop Protocol (RDP).
Vulnerability CVE-2019-9510 allows attackers on the client side to bypass the lock screen in remote desktop sessions.
Joe Tammariello of the Carnegie Mellon University Software Development Institute discovered this vulnerability. To exploit the vulnerability, Network Level Authentication (NLA) is required for RDP authentication. By the way, it was NLA that Microsoft itself recently recommended to protect against vulnerability BlueKeep RDP (CVE-2019-0708).
As Will Dormann, an analyst at CERT / CC confirms, if a network anomaly causes a temporary RDP disconnect when the client has already been connected to the server but the login screen is locked, “after reconnecting, the RDP session will be restored to its previous state ( with the window unlocked), no matter how the remote system was left. "
“Starting with Windows 10 1803 and Windows Server 2019, NLA-based RDP session processing has changed in such a way that it can lead to unexpected behavior regarding session blocking,” Dormann explains in his article .
“Two-factor authentication systems that integrate with the Windows login screen, such as Duo Security MFA, can also work around this mechanism. Any login banners used by the organization will also be bypassed. ”
A video from Leandro Velasco of the KPN Security research team demonstrating how easy it is to exploit this vulnerability.
CERT describes the attack scenario as follows:
This means that exploiting this vulnerability is very trivial, because the attacker just needs to interrupt the network connection of the target system.
However, since an attacker needs physical access to such a target system (i.e., an active session with a locked screen), the script itself approaches a very limited number of cases.
Tammariello notified Microsoft of this vulnerability on April 19, but the company replied that “the behavior does not comply with the Microsoft Security Servicing Criteria for Windows”, which means that the tech giant has no plans to fix the problem in the near future.
However, users can protect themselves from the possible exploitation of this vulnerability by blocking the local system instead of the remote system and disconnecting remote desktop sessions instead of simply locking them.
Vulnerability CVE-2019-9510 allows attackers on the client side to bypass the lock screen in remote desktop sessions.
Joe Tammariello of the Carnegie Mellon University Software Development Institute discovered this vulnerability. To exploit the vulnerability, Network Level Authentication (NLA) is required for RDP authentication. By the way, it was NLA that Microsoft itself recently recommended to protect against vulnerability BlueKeep RDP (CVE-2019-0708).
As Will Dormann, an analyst at CERT / CC confirms, if a network anomaly causes a temporary RDP disconnect when the client has already been connected to the server but the login screen is locked, “after reconnecting, the RDP session will be restored to its previous state ( with the window unlocked), no matter how the remote system was left. "
“Starting with Windows 10 1803 and Windows Server 2019, NLA-based RDP session processing has changed in such a way that it can lead to unexpected behavior regarding session blocking,” Dormann explains in his article .
“Two-factor authentication systems that integrate with the Windows login screen, such as Duo Security MFA, can also work around this mechanism. Any login banners used by the organization will also be bypassed. ”
Proof of concept
A video from Leandro Velasco of the KPN Security research team demonstrating how easy it is to exploit this vulnerability.
CERT describes the attack scenario as follows:
- The user connects to Windows 10 or Server 2019 through RDS.
- The user blocks the remote session and leaves the client device unattended.
- At this point, an attacker with access to a client device can interrupt a network connection and gain access to a remote system without the need for any credentials.
This means that exploiting this vulnerability is very trivial, because the attacker just needs to interrupt the network connection of the target system.
However, since an attacker needs physical access to such a target system (i.e., an active session with a locked screen), the script itself approaches a very limited number of cases.
Tammariello notified Microsoft of this vulnerability on April 19, but the company replied that “the behavior does not comply with the Microsoft Security Servicing Criteria for Windows”, which means that the tech giant has no plans to fix the problem in the near future.
However, users can protect themselves from the possible exploitation of this vulnerability by blocking the local system instead of the remote system and disconnecting remote desktop sessions instead of simply locking them.