Breaking Out of Windows RemoteApps

Microsoft has included a new feature in Windows Server 2008 to allow sharing individual applications through Terminal Services.  This is not a new concept - Citrix has been offering something similar for a long time.  They also are now offering a Terminal Services Gateway and TS Web Gateway for accessing Terminal Services, and RemoteApps, from the Internet.  What isn't well known, but also isn't new, is the ability to 'break out' of these applications and access other applications and files on the Terminal Server.   It is very easy to break out of GUI apps even for non-technical people.  Below I will highlight a few examples of running other applications from a RemoteApp, and later I will follow with a number of configuration suggestions for securing your server. 

In the screenshots I have changed the title bar red on the remote server to help distinguish what is being served from the remote system.  The Terminal Server in the following examples is named RTFM-SRV.rtfm.lab.

A word about responsible disclosure:  What I am presenting here is not actually a vulnerability - rather it is a 'feature' of RemoteApp.  Further, the idea of breaking out of GUI applications has been around for a long time, and breaking out of UIs for even longer (the technique predates GUIs).  In reality this is about configuring your server properly to restrict access, and server administrators need to know that even though it looks like you are presenting a user an application, you are really presenting them a desktop.

Breaking out of Internet Explorer

Methods of breaking out of Internet Explorer have been around for a long time, and have been abused on kiosks to access  unauthorized resources.  Because of the address bar, this one is a walk in the park.

To break out of Internet Explorer, just type the address of a local resource in the address bar.  For example, you could enter file:///c:/windows/explorer.exe to launch the remote file explorer or file:///c:/windows/system32/cmd.exe to launch a remote command shell.

Breaking out of WordPad

Next we'll try an application with a very limited GUI - WordPad.  Fortunately for the attacker, any application that uses standard Windows file (open, save as) dialogs can be escaped.  To break out of WordPad, go to the File drop down menu and select Open or Save As.

From there, navigate to the executable that you would like to run (for example, c:\windows\explorer.exe), right click the executable, and select open. 

Breaking out of Calc

Finally to add some challenge, we will attempt to launch other applications from the Windows Calculator (calc.exe).  Calc has a very limited GUI with only Edit, View, and Help menus - and not a lot of items in those either.  However, we can (ab)use the Windows online help functionality to run other executables.

By going to the Help drop down menu and selecting Help Topics, Windows Help and support will open.  Click the button at the bottom of the window for "Ask someone or expand your search."  In the "Getting Additional Windows Server Support" screen, click on any of the URLs presented to start Internet Explorer.  Follow the "Breaking out of Internet Explorer" instructions above.

Conclusion

 As you can see from the examples, it is trivial to execute other applications even when presented with a simplified interface.  Any application that uses Windows dialogs or Windows help can easily be used to leapfrog to other applications, and this extends to custom GUIs and controls that may have their own methods of escape.  Application presentation is a convenience feature, not a security feature.  Further hardening of the operating system must be done to prevent a malicious user from abusing their access.  In the next article I will present several methods for improving security in a RemoteApp environment.