A Glimpse Into The Protocol: Fuzz Windows RDP Client For Fun And Profit


Learn how to fuzz the Windows RDP client through its virtual channels, discover vulnerabilities, and understand the protocol implementation. Includes a practical demo and vulnerability analysis.

Key takeaways
  • The research focused on fuzzing the Windows RDP client, specifically targeting virtual channels and uncovering vulnerabilities
  • Two main fuzzing architectures were identified:
    • Loop mode: simpler but less stable
    • Proxy mode: more complex but better suited to batch testing
  • Key vulnerabilities discovered:
    • CVE-2024-21307: a race condition vulnerability in XPS printer handling
    • A bug in the RDP-SND channel
    • Issues with proper locking mechanisms in printer handling
  • Technical approaches used:
    • WTS API for channel communication
    • Virtual machine setup with client/server configuration
    • Binary diffing to understand Microsoft patches
    • Manual code auditing of release logic
  • RDP was chosen as the target because:
    • It is a widely used protocol with a large user base
    • The client-side implementation is relatively simple
    • It has a history of significant vulnerabilities (such as BlueKeep)
    • Good documentation and previous research are available
  • Environment setup considerations:
    • Windows Server with Remote Desktop Services
    • Need for both client and server components
    • Configuration of the various virtual channels
    • Importance of proper VM configuration
  • The research highlighted the importance of:
    • Race condition testing in protocol implementations
    • Proper thread synchronization
    • Lock handling in I/O operations
    • Virtual channel security testing
  • Future research directions include:
    • Expanding to other protocol channels
    • Improving fuzzing efficiency
    • Developing more sophisticated testing tools
    • Further exploration of race conditions