Evil pixels: Researcher demos data-theft over screen-share protocols

It's the kind of thinking you expect from someone who lives in a volcano lair: exfiltrating data from remote screen pixel values. The idea comes from Pen Test Partners' Alan Monie, taking a break from sex toy hacks and wondering how to get data over a connection like RDP (remote desktop protocol) when the target had blocked …

  1. Adrian 4 Silver badge

    Bizarre security

    so .. you're saying RDP has a feature to block file transfer outwards yet still allows remote execution ?

    Why not just ftp it ?

    1. cybergibbons

      Re: Bizarre security

      Yes - you can type an executable base64 encoded onto the remote host and run it. Without admin privilege, you can then get data back with this method.

    2. Anonymous Coward

      Re: Bizarre security

      Because you won't be allowing users to ftp out?

  2. David Roberts Silver badge

    Outer Limits?

    We have taken control of your screen.....

    1. TheVogon Silver badge

      Re: Outer Limits?

      "We have taken control of your screen....."

      All your base64 belong to us!

  3. Michael H.F. Wilkinson Silver badge

    I wonder if filtering the screen data sent (or adding some noise) would scramble the data sufficiently to block this attack.

    1. Anonymous Coward

      I wonder

      I have to say I'd be pretty suspicious if some noisy background suddenly appeared on my remote desktops ... which I usually keep blank. Maybe some annoying mouse-cursor jitter would be a more believable mechanism (esp. if it only jittered when I wasn't using it...)

      1. Tom Paine Silver badge

        Re: I wonder

        The fine article says the victim doesn't see the data screens, they're only displayed on the attacker's end. I don't understand why not, though. Don't know enough about the plumbing of GUIs (like, anything at all, really) but how can the standard Windows RDP server be tricked into inserting pixels into the bytestream going to the attacker, if they're not in the frame being displayed to the user on the console?

  4. Adam 1 Silver badge

    back in the day

    Clipboard transfers are usually enabled even if file redirection is blocked. I remember using a tool once that base64'd the file and chunked it to the client using the clipboard, effectively doing the ctrl+c, ctrl+v for you, then reconstructing it to a file on the client.
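    The clipboard channel mentioned above is governed by the same Terminal Services policy family as drive redirection, so an administrator can audit both together. The following is an added example, not code from the article or from any commenter: it reads the RDP host's policy registry values for device redirection and compares them with a hardened baseline. The value names (fDisableClip, fDisableCdm, fDisableLPT, fDisableCcm, fDisablePNPRedir) correspond to Microsoft's "Do not allow ... redirection" policies; the baseline of "all disabled" is this example's own assumption, not something the thread prescribes.

    ```powershell
    # Added example (not from the article or the commenters): audit an RDP host's
    # Terminal Services policy values for device redirection.
    # Value names follow Microsoft's "Do not allow Clipboard/drive/COM/LPT/PnP
    # redirection" policies; the $Expected baseline is this example's own assumption.
    $PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    $Expected = @{
        fDisableClip     = 1   # clipboard redirection (the channel discussed above)
        fDisableCdm      = 1   # drive redirection (file transfer)
        fDisableLPT      = 1   # LPT port redirection
        fDisableCcm      = 1   # COM port redirection
        fDisablePNPRedir = 1   # Plug and Play device redirection
    }

    function Test-RdpRedirectionPolicy {
        param(
            [string]$Path = $PolicyPath,
            [hashtable]$Baseline = $Expected
        )
        foreach ($name in ($Baseline.Keys | Sort-Object)) {
            # SilentlyContinue: a missing value means "not configured", not "blocked"
            $item   = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
            $actual = if ($null -ne $item) { $item.$name } else { $null }
            [pscustomobject]@{
                Setting   = $name
                Expected  = $Baseline[$name]
                Actual    = $actual
                Compliant = ($actual -eq $Baseline[$name])
            }
        }
    }

    # Usage: run in an elevated session on the RDP host
    Test-RdpRedirectionPolicy | Format-Table -AutoSize
    ```

    A value reported as not configured (Actual empty) means the machine is falling back to its connection-level defaults, which permit redirection unless the listener itself was changed; treat that as non-compliant rather than as "already blocked". As the rest of the thread points out, closing these channels narrows the options but does nothing about data that is simply rendered on screen, so this check is a baseline, not a complete answer to the article's technique.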

  5. Jason Bloomberg Silver badge

    Prior Art

    Almost 25 years ago the Timex Datalink watch could be programmed by placing it against a monitor and flashing pixels at it. This seems to just be a higher bandwidth version of that.

    The problem appears to be in getting the screen flashing code on to the target. One could avoid having to do that by using a 'type', 'cat' or some hex dump command and running virtual OCR software at the receiving end. Slower but easier to pull off.

    1. Nick Ryan Silver badge

      Re: Prior Art

      There are various ways of getting something onto a target system. One of the most obvious is to just download the file from the Internet - there is often some external connectivity available which can be used. Another option is to use keyboard automation on the client system which just types the program in for the user; relatively simple, if slow, scripting would work.

      All this depends on how locked down the server is - I have come across some that were very proficiently locked down... and others not so of course.

    2. zerojinx

      Re: Prior Art

      https://www.youtube.com/watch?v=p3Pzxmq-JLM !

  6. Pen-y-gors Silver badge

    Cunning

    Some people are too cunning for our own good!

  7. Stoneshop Silver badge

    So

    It's not unlike a ZX81 loading a program from tape, taking a video of the screen, then reconstructing the loaded program from the recorded video.

    Just less conspicuous.

    1. Zippy's Sausage Factory

      Re: So

      I don't remember my ZX81 ever doing that.

      Mind you, I don't remember it ever successfully loading a program from tape, either...

      1. Nick Ryan Silver badge

        Re: So

        I'm sure that there's also an opportunity for audio based file transmissions to occur as well. Unlikely to be anywhere near the bandwidth but for old time's sake it could be made to sound like an old Sinclair loading squeal...

      2. cb7

        Re: So

        R Tape loading error

        With a Spectrum +2 with its 128KB of RAM and built in tape deck, that was still the last message you'd want to see after waiting half an hour for Outrun to load.

  8. Alistair Silver badge

    I think I get the idea here.

    It still requires injecting the RAT somewhere in the pipe, but would allow folks to pull data that should not otherwise move. The weird screen view would be on the receiving end, who <should> be expecting it. If you see it on your RDP sessions and you aren't expecting it -- you're already too late as your (desktop/laptop/tool of choice) has been shanghaied for quite some time, and the results have likely already flown the coop.

    1. Christian Berger Silver badge

      Re: I think I get the idea here.

      No it doesn't. You can simply open up files in the default editor and read them off the screen again. That's not rocket science.

  9. Christian Berger Silver badge

    Yes, you can leak data via the screen

    Just like you can leak arbitrary data via the printer, keyboard LEDs, network interfaces, sound cards, power consumption or any other kind of output interface. It's what they are meant for. It's what the "output" part of "output interface" stands for.

    1. Adam 1 Silver badge

      Re: Yes, you can leak data via the screen

      Real haxors would send files down one byte at a time by toggling the caps lock, scroll lock and num lock modifiers

      1. Zippy's Sausage Factory

        Re: Yes, you can leak data via the screen

        Real haxors would send files down one byte at a time by toggling the caps lock, scroll lock and num lock modifiers

        Your sense of evil is delightful. Have an upvote.


Biting the hand that feeds IT © 1998–2019