New Update Guest Accounts Gain Full Access on Chrome RDP

Status
Not open for further replies.

Prorootect

Guest Accounts Gain Full Access on Chrome RDP
research.checkpoint.com: Guest Accounts Gain Full Access on Chrome RDP - Check Point Research
March 13, 2018
Researchers: Ofer Caspi, Benjamin Berger

Chrome Remote Desktop is an extension to the Chrome browser that allows users to remotely access another computer through Chrome browser or a Chromebook. It is fully cross-platform, and supports macOS versions from OS X 10.6 (2009) and above, all from the Chrome browser on virtually any device.

However, one of our security analysts recently noticed an unexpected behavior in the Google Chrome Remote Desktop application on macOS. The strange behavior allows, in some cases, a ‘Guest user’ to log in as Guest and yet receive an active session of another user (such as an administrator) without entering a password.

Check Point Research reported this bug to Google on 15th February 2018. Google responded that from a CRD (Chrome Remote Desktop) perspective, the login screen is not a security boundary.

As we see it, this is a security issue, and we believe users should be alert to the risk of letting a guest remotely access their machine.

In the case described below we will see how the discovered bug works.

How the ‘Bug’ Works

On macOS it is possible to let other people use your Mac temporarily as guest users without adding them as individual users. Indeed, you can use parental controls to set restrictions so that guests can only access items that you are willing to share with them.

The ‘Guest account’ option, though, is not enabled by default, and does not need a password to log in to. When someone logs in as a ‘Guest user’, the files created by the ‘Guest’ are stored in a temporary folder, acting similarly to a sandbox, and its contents are deleted once the Guest has logged out.

To exploit this bug, once a Guest user connects to a remote desktop machine, the machine should have at least one active user in session (such as someone who logged in and locked the screen / screen saver after x time). The RDP will show a login screen of available users, as shown in the screenshot below:


Figure 1: The RDP Login screen of available users.

First let’s look at the normal behavior of the RDP.

If we select the main account (“victim”) on the login screen we will be asked for a password, and after a successful login we will see identical screens on both the local Chrome RDP extension and the remote machine that we are connecting to:


Figure 2: The screens of both the local chrome RDP extension and the remote machine being connected to.

Now let’s look at the problematic scenario. Note that the RDP should be a reflection of the actual screen on the remote machine.

In the login screen, a user then clicks on the ‘Guest’ icon and, since a guest does not require a password, the system will proceed:


Figure 3: The system proceeds without requiring a password.

What is expected to happen is that the local user that connects remotely to a macOS machine will receive the desktop of a ‘Guest’. But while this is what appears in the remote machine, the local machine (the Chrome extension) receives the desktop of the other active user session, which in this case is an admin on the system, without ever entering the password:


Figure 4: The local machine receives the desktop of the other active user session.
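An added defender-side check, not part of the Check Point write-up or of this thread, that flags a macOS host in the state the post describes: the Guest account enabled while another user still holds a console (GUI) session. The `GuestEnabled` key in `com.apple.loginwindow` and the `who` command are real macOS interfaces; the decision logic and the sample `who` output are this script's own constructions.

```shell
#!/bin/bash
# Added example (not from the Check Point post): detect the preconditions
# for the Chrome Remote Desktop guest-session issue on macOS.

# Pure decision logic, testable offline.
# $1: GuestEnabled value as printed by `defaults read` ("1", "0", or empty when unset)
# $2: output of `who` (one login session per line)
# Returns 0 when both preconditions hold, 1 otherwise; prints the reason.
assess_guest_risk() {
    local guest_enabled="$1" who_output="$2"
    # On macOS, `who` lists GUI logins with "console" in the terminal column.
    local consoles
    consoles=$(printf '%s\n' "$who_output" | awk '$2 == "console" {n++} END {print n+0}')
    if [ "$guest_enabled" != "1" ]; then
        echo "guest account disabled (or unset); not exposed"
        return 1
    fi
    if [ "$consoles" -eq 0 ]; then
        echo "guest enabled but no active console session; nothing to expose"
        return 1
    fi
    echo "RISK: guest enabled and $consoles active console session(s) present"
    return 0
}

# Live collection on a Mac: read the loginwindow key and the current sessions.
live_check() {
    local guest
    guest=$(defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled 2>/dev/null)
    assess_guest_risk "$guest" "$(who)"
}

# Mitigation the post implies: turn the Guest account off (needs admin rights).
disable_guest() {
    sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool false
}

# Constructed sample `who` output (not captured from a real host).
SAMPLE_WHO='victim   console      Mar 13 09:12
victim   ttys000      Mar 13 09:15'

if [ "${1:-}" = "--live" ]; then live_check; else assess_guest_risk 1 "$SAMPLE_WHO"; fi
```

Run with `--live` on the Mac being audited; without it, the script evaluates the constructed sample, which represents the risky state.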
 

AtlBo

Thanks for the report. Not clear on one thing. Does this happen on the remotely connected machine as well as on the session admin/starter machine? If it happens only on the session starter account, that seems to me like a small bug. Otherwise, I hope Google gets this fixed asap for Chromebook users!
 