This is just a short blog post to celebrate the comeback of a well known Remote Desktop management software, RDCMan.
An information disclosure vulnerability exists in the Remote Desktop Connection Manager (RDCMan) application when it improperly parses XML input containing a reference to an external entity. An attacker who successfully exploited this vulnerability could read arbitrary files via an XML external entity (XXE) declaration.
To exploit the vulnerability, an attacker could create an RDG file containing specially crafted XML content and convince an authenticated user to open the file.Microsoft Security Response Center
It never seemed very likely to return as Microsoft also started pushing for the native Remote Desktop Connection application (MSTSC) and the Microsoft Store Universal application. Here’s what they had to say about that.
RDCMan is a client that is widely used to manage multiple remote desktop connections because it’s a convenient option. However, RDCMan has not kept pace with the level of advanced technology that we’re pursuing.
Instead, we have two great supported client options: Remote Desktop Connection and Universal Client for Windows 10. These clients offer increased security, and they are a key part of our engineering roadmap moving forward. In the future, you can expect even more capabilities, such as the ability to better manage multiple connections.Microsoft Docs
But in February of 2021, almost an year after the news of deprecation, Mark Russinovich had something positive to share.
And four months later, we finally got to see an updated version of RDCMan integrated into the Sysinternals tools. The look and feel of the software remains the same. There is no UI overhaul or anything like that. But being part of the Sysinternals lineup should at least make it future proof in terms of getting updates pretty regularly.
So in case your organization stopped using RDCMan and you were not very happy with that decision, it is time to convince them back.