Background: A European security professional, Jose Magalhaes of the NATO Cyber Security Centre, contacted us recently to let us know that he discovered both a SQL injection vulnerability and a weak permissions vulnerability affecting the specialized RDCCrd.exe tool that ships with the Remote Desktop Commander Suite. The RDCCrd.exe tool is a Create/Update/Delete utility that allows administrators to change things like the servers monitored by our software, scheduled reports, etc., programmatically, as opposed to using the Remote Desktop Commander Configuration Tool GUI. Upon further research, we verified that these vulnerabilities exist in Remote Desktop Commander v6.0 and earlier versions.
Severity: Based on our internal research, we think the general exploitability of these vulnerabilities is LOW for the vast majority of deployments of our software. In most customer deployments, the Remote Desktop Commander Suite components are installed on a Windows Server that is accessible only to systems administrators, not ordinary users.
However, in deployments where the main Remote Desktop Commander Suite application:
- Is installed directly on one or more terminal server session hosts, AND
- Has been configured by the administrator to use standard SQL authentication to communicate with its SQL database, as opposed to Windows Integrated Authentication,
a standard, non-admin user could potentially abuse this vulnerability to read, alter, or remove the data our software collects into its database.
Please note that this vulnerability DOES NOT affect RDS servers in your deployment where you have ONLY installed the Remote Desktop Commander Agent, as opposed to the entire Remote Desktop Commander Suite application.
In all deployment scenarios, though, we recommend that our customers upgrade to Version 6.5 of the Remote Desktop Commander Suite, which both fixes the SQL Injection vulnerability and sets default NTFS permissions on the Tools subdirectory that houses the RDCCrd.exe application so that only Administrators can access it.
What is a SQL Injection Vulnerability?
Broadly, SQL Injection is a type of vulnerability where an attacker can place unexpected parameters or specialized syntax into the underlying database query that a program is making to insert, retrieve, update, or delete from its database. When successful, an attacker can read, alter, or remove data from the underlying program’s database.
What is a Weak Permissions Vulnerability?
A weak registry or file system permissions vulnerability allows a standard user to read information and/or execute programs they should not need access to, which in certain cases can be chained with additional exploits to attack a system.
How Do I Mitigate This Vulnerability?
If you are a current monthly or annual subscription customer to the Remote Desktop Commander Suite, OR you are a perpetual license customer with an active maintenance agreement, request an upgrade to Version 6.5 of the Remote Desktop Commander Suite here:
https://www.rdpsoft.com/upgrade
If you are a perpetual license customer with an expired maintenance agreement, you can change the NTFS permissions on the \Program Files (x86)\RDPSoft\Remote Desktop Commander\Tools subfolder so that only Administrators have access to programs in this directory.
I Have Deployed the Remote Desktop Commander Suite Directly on a Remote Desktop or AVD Session Host Where Standard Users Regularly Connect and Run Programs. How Can I Further Tighten Security On Your Application?
You can take the following additional steps:
1.) Change the NTFS permissions on the following files and folders located under the \Program Files (x86)\RDPSoft\Remote Desktop Commander directory so that only Administrators can read and execute them:
- RDPRDRLic.exe
- RDPReporterClient.exe
- RDPReporterService.exe
- RDPReporterSPLT.exe
- RDRSQLDBCreator.exe
- RDSConfig.exe
- RDSLogViewer.exe
- AgentInstaller folder
- ClientInstaller folder
- ImageRepository folder
- PowerShellScripts folder
- ScheduledReports folder
- Tools folder
2.) Change the NTFS permissions on the following registry key so that only local Administrators can read and modify it and its values:
HKLM\Software\Wow6432Node\RDPReporter
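The following PowerShell script is an added example (not a script shipped by RDPSoft) that applies the permission changes from the two steps above, plus the Tools-only change for customers with expired maintenance, and then reports any ACE still granted to another principal. It assumes the default install path and registry key named above, that it is run from an elevated session, and, as an additional assumption, that NT AUTHORITY\SYSTEM is kept alongside Administrators so the suite's own service continues to run.

```powershell
# Added example, not RDPSoft's own tooling. Run elevated. Adjust $Base if the suite
# was installed somewhere other than the default path quoted in the advisory.
$Base = 'C:\Program Files (x86)\RDPSoft\Remote Desktop Commander'
$RegKey = 'HKLM:\SOFTWARE\Wow6432Node\RDPReporter'

# Files and folders from step 1 (Tools alone covers RDCCrd.exe for expired-maintenance customers).
$Items = @(
    'RDPRDRLic.exe', 'RDPReporterClient.exe', 'RDPReporterService.exe', 'RDPReporterSPLT.exe',
    'RDRSQLDBCreator.exe', 'RDSConfig.exe', 'RDSLogViewer.exe',
    'AgentInstaller', 'ClientInstaller', 'ImageRepository', 'PowerShellScripts',
    'ScheduledReports', 'Tools'
) | ForEach-Object { Join-Path $Base $_ }

# Assumption: SYSTEM is retained so the RDPReporter service keeps access to its own files.
$Principals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Set-AdminOnlyAcl {
    param([string]$Path, [switch]$Registry)
    $acl = Get-Acl -LiteralPath $Path
    # Break inheritance and discard inherited ACEs (e.g. BUILTIN\Users: Read & Execute),
    # then strip any explicit ACEs so only the principals below remain.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) { $null = $acl.RemoveAccessRuleAll($ace) }
    $isDir = $Registry -or ((Get-Item -LiteralPath $Path) -is [System.IO.DirectoryInfo])
    # Files must use 'None'; containers propagate to children.
    $inherit = if ($Registry) { 'ContainerInherit' } elseif ($isDir) { 'ContainerInherit, ObjectInherit' } else { 'None' }
    foreach ($p in $Principals) {
        $rule = if ($Registry) {
            New-Object System.Security.AccessControl.RegistryAccessRule($p, 'FullControl', $inherit, 'None', 'Allow')
        } else {
            New-Object System.Security.AccessControl.FileSystemAccessRule($p, 'FullControl', $inherit, 'None', 'Allow')
        }
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

foreach ($i in $Items) {
    if (Test-Path -LiteralPath $i) { Set-AdminOnlyAcl -Path $i } else { Write-Warning "Not found, skipped: $i" }
}
if (Test-Path -LiteralPath $RegKey) { Set-AdminOnlyAcl -Path $RegKey -Registry }   # step 2

# Verification: anything still granted to a principal outside $Principals is reported.
foreach ($i in ($Items + $RegKey | Where-Object { Test-Path -LiteralPath $_ })) {
    (Get-Acl -LiteralPath $i).Access |
        Where-Object { $_.IdentityReference.Value -notin $Principals } |
        ForEach-Object { Write-Warning "$i still grants $($_.AccessControlType) to $($_.IdentityReference)" }
}
```

Run it once after the change and again after any reinstall or upgrade, since the installer may restore inherited permissions.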
We’re Here If You Need Us
If you have any questions about the above vulnerabilities or whether or not your deployment of our software may be affected, please reach out to us by starting a new support ticket here, and we’ll be happy to assist you.
