RDPSoft

Remote Desktop Commander Suite Agent Unquoted Service Path Vulnerability

Background: A German security professional, Florian Hansemann, contacted us recently to let us know that he discovered an unquoted service path vulnerability in an earlier version (v4.7) of our agent service that can be optionally deployed and used with the Remote Desktop Commander Suite. Upon further research, we verified that the installer package for Version 4.8 and earlier of our Remote Desktop Reporter Agent service had a flaw where the service binary path was not bounded with quotes. Versions 4.9 and later of the Remote Desktop Reporter Agent installer do not have this potential vulnerability.

Severity: Based on our internal research, we think the general exploitability of this vulnerability is LOW, IF a customer (a) installed our agent service in the default path of C:\Program Files\RDPSoft\Remote Desktop Reporter Agent and (b) has not weakened the default Windows NTFS permissions in the root of C:\ or under the C:\Program Files folder. By default, standard users do not have permission to create new files in the root of C:\ or in the Program Files folder and its subfolders. If our agent service was installed to a different folder and/or the default NTFS permissions were weakened, the unquoted service path may be exploitable.

What is an Unquoted Service Path Vulnerability?

When a service is registered in a Windows operating system, Windows stores the path to the service executable (binary) file on disk, so it knows how to access and start the service on demand, or automatically when the operating system starts. If the path to this binary includes spaces and is not bounded by quotes (e.g. C:\MyService\This Folder\service.exe), the path is ambiguous to Windows: it cannot tell where the program name ends and any arguments begin. Using the above example, Windows will look for a file called C:\MyService\This.exe before it looks for a file called C:\MyService\This Folder\service.exe.

If an attacker with standard user rights has the ability to write a malicious executable file in the C:\MyService directory called this.exe, that malicious file could be executed with elevated privileges and could be used by an attacker to elevate their account or create a new account with Administrative privileges, creating a privilege escalation scenario (known as PrivEsc for short).

How Do I Know If I Am Affected By the Vulnerability, and How Do I Mitigate It?

As mentioned above, in order for our Remote Desktop Commander Suite software to be vulnerable to a potential PrivEsc exploit:

1.) You must have the Remote Desktop Reporter Agent Service (Version 4.8 or earlier) installed on one or more of your session hosts. Again, later versions (4.9, 5.0, and 5.1) of the agent service are not affected.
2.) You have installed the agent service to a non-standard installation directory (other than C:\Program Files\RDPSoft\Remote Desktop Reporter Agent) AND/OR weakened the default NTFS permissions of the path where it was installed.
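
To check a single host by hand for the two conditions above, the following PowerShell sketch lists every Win32 service whose binary path is unquoted and contains spaces, together with any non-administrative principal that can create files in a folder along that path. It is an added example, not RDPSoft's Quick Fix Tool or any RDPSoft code; the function names are hypothetical, the trusted principal names assume an English-language Windows install, and the ACL test is a heuristic rather than a full effective-permissions evaluation.

```powershell
# Added example: read-only audit of local Win32 services. Run from an elevated session.
function Get-UnquotedExePath {
    param([string]$PathName)
    $p = "$PathName".Trim()
    if ($p -eq '' -or $p.StartsWith('"')) { return $null }   # empty or already quoted
    # Binary path = text up to the first ".exe" followed by whitespace or end of string.
    if ($p -match '^(?<exe>.+?\.exe)(\s|$)' -and $Matches['exe'].Contains(' ')) {
        return $Matches['exe']
    }
    return $null
}

function Get-AmbiguousFolder {
    # At each space Windows may treat the text so far as the program name; the
    # file it would try at that point lives in the folder emitted here.
    param([string]$ExePath)
    $parts = $ExePath -split ' '
    $seen  = @()
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $seen += Split-Path -Path ($parts[0..($i - 1)] -join ' ') -Parent
    }
    $seen | Where-Object { $_ } | Select-Object -Unique
}

function Get-NonAdminWriteAce {
    # Heuristic: Allow ACEs that apply to the folder itself and let a principal
    # outside the built-in privileged set create files in it.
    param([string]$Folder)
    $trusted = 'NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|NT SERVICE\\TrustedInstaller|CREATOR OWNER'
    (Get-Acl -LiteralPath $Folder).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -notmatch $trusted -and
        ($_.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -eq 0 -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::CreateFiles) -ne 0
    }
}

Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $svc = $_
    $exe = Get-UnquotedExePath $svc.PathName
    if ($exe) {
        $writable = foreach ($f in Get-AmbiguousFolder $exe) {
            if (Test-Path -LiteralPath $f) {
                Get-NonAdminWriteAce $f | ForEach-Object { "$f <- $($_.IdentityReference)" }
            }
        }
        [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName
                           PathName = $svc.PathName; WritableBy = @($writable) -join '; ' }
    }
} | Format-List
```

A service that appears with an empty WritableBy field has the unquoted path but sits under folders with intact permissions, which is the LOW-exploitability case described under Severity; a non-empty WritableBy field deserves immediate attention.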

The Remote Desktop Commander Agent Unquoted Service Path Quick Fix tool can scan and fix any systems that have the older agent version installed.

For longtime users of our software, we know that while you may routinely update the core components of our Remote Desktop Commander Suite software, you may not update the agent services running on your servers as frequently. We are sympathetic to the typical heavy workload of system administrators, so we have written a rapid assessment and mitigation tool called the Remote Desktop Commander Agent Unquoted Service Path Quick Fix Tool. If you run this tool from the primary VM running our Remote Desktop Commander Suite software, it will:

1.) Connect to the central Remote Desktop Commander Suite SQL database,
2.) Obtain the list of all servers and workstations currently monitored by our software,
3.) Scan that list of servers and workstations automatically across the network to see if any of them have an agent service version with an unquoted service path, and, if so,
4.) Automatically fix the vulnerability by bounding the service executable path in quotes via remote registry access, and then
5.) Stop and restart our agent service on each host.

The entire process should only take a few minutes, and it provides an output log of what actions it took (if any) on each system. The best part of this utility is that it does not require any of your systems to be taken offline or rebooted while it runs the assessment and makes any required fixes. While we have tested this utility in our numerous lab and production environments without issue, we still recommend that you run it during a maintenance window or off-peak time, especially if you also utilize the Remote Desktop Reporter In-Session Agent helper process to do screenshot recording.

Also, if you are an MSP or hoster that has several tenant sites running instances of our software, please remember to run this Quick Fix Tool on each instance separately.

Download the Unquoted Service Path Quick Fix Tool Here. (101.72 KB)

When running it, please make sure you are logged in with an account that has admin rights on all of the systems currently monitored by our software and that also has rights to log in to and access the Remote Desktop Commander SQL database. In most cases, this will be the account you used to install our software initially.

ALTERNATIVE FIX – UPGRADE THE AGENT TO v5.1: As an alternative to running this tool, you can simply make sure your software is running the latest version of the Remote Desktop Commander Suite (Version 5.1) – if not, please request an upgrade here – and then take the latest Remote Desktop Reporter Agent Installer package from the C:\Program Files (x86)\RDPSoft\Remote Desktop Commander\AgentInstaller directory and use it to upgrade your agent to the latest version on your monitored systems. The act of upgrading our agent service to the latest version will also mitigate this vulnerability. After upgrading the core Remote Desktop Commander components and Remote Desktop Reporter Agent to Version 5.1, please run the Polling Rate & Agent Tuning Wizard found in the Remote Desktop Commander Configuration Tool to choose a polling rate that is appropriate for your size of environment – in general, the more servers you have, the less frequently you should poll each one.

Remember to run the Polling Rate & Agent Tuning Wizard if you choose to upgrade the agents to Version 5.1, in order to set a polling rate that is compatible with the size of your environment and workload of your session hosts.

We’re Here If You Need Us

If you have any questions about how to use the above utility or whether or not your deployment of our software may be affected, please reach out to us by starting a new support ticket here, and we’ll be happy to assist you.

Copyright © 2013 - 2020 RDPSoft. All rights reserved. · RDPSoft is the sole authorized publisher and distributor of the following software titles: Remote Desktop Commander, Premium Management Features, Remote Desktop Canary · Sitemap