Background: A German security professional, Florian Hansemann, contacted us recently to let us know that he discovered an unquoted service path vulnerability in an earlier version (v4.7) of our agent service that can be optionally deployed and used with the Remote Desktop Commander Suite. Upon further research, we verified that the installer package for Version 4.8 and earlier of our Remote Desktop Reporter Agent service had a flaw where the service binary path was not bounded with quotes. Versions 4.9 and later of the Remote Desktop Reporter Agent installer do not have this potential vulnerability.
Severity: Based on our internal research, we think the general exploitability of this vulnerability is LOW, IF a customer a.) installed our agent service in the default path of C:\Program Files\RDPSoft\Remote Desktop Reporter Agent and b.) has not weakened the default Windows NTFS permissions in the root of C:\ or under the C:\Program Files folder. By default, standard users do not have permissions to create new files in the root of C: or in the Program Files folder and subfolders. If our agent service was installed to a different folder and/or the default NTFS permissions were weakened, this may make the unquoted service path exploitable.
What is an Unquoted Service Path Vulnerability?
When a service is registered in a Windows operating system, Windows stores the path to the service executable (binary) file on disk, so it knows how to access and start the service on demand, or automatically when the operating system starts. If the path to this binary includes spaces and is not bounded by quotes (e.g. C:\MyService\This Folder\service.exe), this causes ambiguity for the Windows operating system, and using the above example, Windows will look for a file called C:\MyService\This.exe before it looks for a file called C:\MyService\This Folder\service.exe.
If an attacker with standard user rights has the ability to write a malicious executable file in the C:\MyService directory called this.exe, that malicious file could be executed with elevated privileges and could be used by an attacker to elevate their account or create a new account with Administrative privileges, creating a privilege escalation scenario (known as PrivEsc for short).
How Do I Know If I Am Affected By the Vulnerability, and How Do I Mitigate It?
As mentioned above, in order for our Remote Desktop Commander Suite software to be vulnerable to a potential PrivEsc exploit:
1.) You must have the Remote Desktop Reporter Agent Service (Version 4.8 or earlier) installed on one or more of your session hosts. Again, later versions (4.9, 5.0, and 5.1) of the agent service are not affected.
2.) You have installed the agent service to a non-standard installation directory (other than C:\Program Files\RDPSoft\Remote Desktop Reporter Agent) AND/OR weakened the default NTFS permissions of the path where it was installed.
For long time users of our software, we know that while you may routinely update the core components of our Remote Desktop Commander Suite software, you may not update the agent services running on your servers as frequently. We are sympathetic to the typical heavy workload of system administrators, so we have written a rapid assessment and mitigation tool called the Remote Desktop Commander Agent Unquoted Service Path Quick Fix Tool. If you run this tool from the primary VM running our Remote Desktop Commander Suite software, it will:
1.) Connect to the central Remote Desktop Commander Suite SQL database,
2.) Obtain the list of all servers and workstations currently monitored by our software,
3.) Scan that list of servers and workstations automatically across the network to see if any of them have an agent service version with an unquoted service path, and, if so
4.) Automatically fix the vulnerability by bounding the service executable path in quotes via remote registry access, and then,
5.) Stop and restart our agent service on each host.
The entire process should only take a few minutes, and it provides an output log of what actions it took (if any on each system). The best part of this utility is that it does not require any of your systems to be taken offline or rebooted while it runs the assessment and makes any required fixes. While we have tested this utility in our numerous lab and production environments without issue, we still recommend that you run it during a maintenance window or off-peak time, especially if you also utilize the Remote Desktop Reporter In-Session Agent helper process to do screenshot recording.
Also, if you are an MSP or hoster that has several tenant sites running instances of our software, please remember to run this Quick Fix Tool on each instance separately.
When running it, please make sure you are logged with an account that has admin rights on all of the systems currently monitored by our software, and an account that also has rights to log in and access the Remote Desktop Commander SQL database. In most cases, this will be the account you used to install our software initially.
ALTERNATIVE FIX – UPGRADE THE AGENT TO v5.1: As an alternative to running this tool, you can simply make sure your software is running the latest version of the Remote Desktop Commander Suite (Version 5.1) – if not, please request an upgrade here – and then take the latest Remote Desktop Reporter Agent Installer package from the C:\Program Files (x86)\RDPSoft\Remote Desktop Commander\AgentInstaller directory and use it to upgrade your agent to the latest version on your monitored systems. The act of upgrading our agent service to the latest version will also mitigate this vulnerability. After upgrading the core Remote Desktop Commander components and Remote Desktop Reporter Agent to Version 5.1, please run the Polling Rate & Agent Tuning Wizard found in the Remote Desktop Commander Configuration Tool to choose a polling rate that is appropriate for your size of environment – in general, the more servers you have, the less frequently you should poll each one.
We’re Here If You Need Us
If you have any questions about how to use the above utility or whether or not your deployment of our software may be affected, please reach out to us by starting a new support ticket here, and we’ll be happy to assist you.