mstsc.exe drivestoredirect:s:* #412

@59e5aaf4

https://learn.microsoft.com/en-us/azure/virtual-desktop/rdp-properties#drivestoredirect contains a list of documented, expected features, including the dangerous DrivesToRedirect one.

So there's some sort of a security boundary being breached here. If you manage to distribute evil .rdp files pointing to your attacker-controlled server, you get an arbitrary file write privilege as the connecting user, on the remote server. Plant something in an autostart folder (ms: "This access could enable the threat actor to install malware on the target’s local drive(s) and mapped network share(s), particularly in AutoStart folders, or install additional tools such as remote access trojans (RATs) to maintain access when the RDP session is closed.") and boom, you achieved RCE via arbitrary file write via just receiving an RDP connection by having someone click on a .rdp file you had crafted & sent however (mail, .docx, web, etc.) to a target.

There are numerous other intended forwards control transfer capabilities in mstsc, documented in that ms page, but that drive sharing feature is the only one with a backwards (+w) accidental side effect.

Now, heh, go figure if that's in scope or not :D Have a nice day, and thanks for all the fish!
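A defender-side check for the setting discussed in this issue, as an added example that is not part of the original report or of the project's code: it parses an .rdp file's `name:type:value` lines and reports which server it points to and how `drivestoredirect` is set. The function names and the sample file are constructed for illustration; the value meanings (`*`, `DynamicDrives`, a drive list, empty) follow the Microsoft page linked above.

```python
import codecs

def decode_rdp(raw: bytes) -> str:
    """mstsc typically saves .rdp files as UTF-16 with a BOM; hand-made ones are often UTF-8."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")

def parse_rdp(raw: bytes) -> dict:
    """Parse 'name:type:value' lines into {name: value}; names are lower-cased."""
    props = {}
    for line in decode_rdp(raw).splitlines():
        # Split only twice: values such as 'C:\\;E:\\;' or 'host:3389' contain colons.
        parts = line.strip().split(":", 2)
        if len(parts) == 3 and parts[1] in ("s", "i", "b"):
            props[parts[0].strip().lower()] = parts[2].strip()
    return props

def drive_redirection(props: dict) -> str:
    """Classify the drivestoredirect value."""
    value = props.get("drivestoredirect")
    if value is None:
        return "unset"      # property absent: the client's default applies
    if value == "":
        return "none"       # explicitly no drives
    if value == "*":
        return "all"        # every drive, including ones attached later
    if value.lower() == "dynamicdrives":
        return "dynamic"    # drives attached after the session starts
    return "listed"         # explicit drive list, e.g. C:\;E:\;

def audit(raw: bytes) -> dict:
    """Summarise an .rdp file for triage at a mail or web gateway."""
    props = parse_rdp(raw)
    mode = drive_redirection(props)
    return {
        "server": props.get("full address", ""),
        "drives": mode,
        "flag": mode in ("all", "dynamic", "listed"),  # file asks to expose local drives
    }

# Constructed sample, encoded the way mstsc writes files (UTF-16 with BOM).
SAMPLE = ("full address:s:rdp.example.test:3389\r\n"
          "drivestoredirect:s:*\r\n").encode("utf-16")

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A flagged file received from outside the organisation can be quarantined or have the property stripped before delivery; the `server` field shows where the connection would go.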
