A Glimpse Into The Protocol: Fuzz Windows RDP Client For Fun And Profit

Learn how to fuzz the Windows RDP client through virtual channels, discover vulnerabilities, and understand the protocol implementation. Includes a practical demo and vulnerability analysis.

Key takeaways
  • The research focused on fuzzing the Windows RDP client, specifically targeting virtual channels and uncovering vulnerabilities

  • Two main fuzzing architectures were identified:

    • Loop mode: simpler to build, but less stable
    • Proxy mode: more complex, but better suited to batch testing
  • Key vulnerabilities discovered:

    • CVE-2024-21307: A race condition vulnerability in XPS printer handling
    • Bug in the RDPSND (audio output) channel
    • Issues with proper locking mechanisms in printer handling
  • Technical approaches used:

    • WTS virtual channel API (wtsapi32) for sending data down a channel to the client from the server side
    • Virtual machine setup with client/server configuration
    • Binary diffing to understand Microsoft patches
    • Manual code auditing of release logic
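The list above only names the building blocks. The following is an added example, not code from the talk or from the researchers, of what a minimal server-side virtual-channel fuzz harness of this shape looks like: it builds RDPSND Server Audio Formats and Version PDUs (layout per MS-RDPEA: a 4-byte SNDPROLOG header followed by the PDU body), derives a handful of structure-aware fuzz cases from a baseline (length-field mismatches and seeded bit flips), and pushes them through a pluggable transport. The `WtsChannelTransport` uses the real wtsapi32 calls `WTSVirtualChannelOpen`/`WTSVirtualChannelWrite` and only works inside a Windows RDS session; the assumption that the named channel can be opened from a user-mode process in that session, the channel name, and all function and class names are mine. The `RecordingTransport` exists so the harness runs offline. The RDPSND bug mentioned on this page is not reproduced here; the cases are generic malformations.

```python
"""Added example: structure-aware fuzz cases for the RDPSND SNDC_FORMATS PDU
(MS-RDPEA), sent through a pluggable transport. Not the researchers' code."""
import random
import struct
from dataclasses import dataclass

SNDC_FORMATS = 0x07  # msgType of the Server Audio Formats and Version PDU


@dataclass
class AudioFormat:
    """AUDIO_FORMAT (MS-RDPEA 2.2.2.1.1), a WAVEFORMATEX-style record."""
    format_tag: int = 1            # WAVE_FORMAT_PCM
    channels: int = 2
    samples_per_sec: int = 44100
    bits_per_sample: int = 16
    extra: bytes = b""             # cbSize bytes of codec-specific data

    def pack(self) -> bytes:
        block_align = self.channels * self.bits_per_sample // 8
        avg_bytes = self.samples_per_sec * block_align
        return struct.pack("<HHIIHHH", self.format_tag, self.channels,
                           self.samples_per_sec, avg_bytes, block_align,
                           self.bits_per_sample, len(self.extra)) + self.extra


def pack_sndprolog(msg_type: int, body: bytes) -> bytes:
    """SNDPROLOG: msgType (1), bPad (1), BodySize (2, little-endian)."""
    return struct.pack("<BBH", msg_type, 0, len(body)) + body


def build_server_formats_pdu(formats, declared_count=None, version=0x06) -> bytes:
    """Baseline SNDC_FORMATS PDU. declared_count lets a case lie about
    wNumberOfFormats independently of how many records are appended."""
    count = len(formats) if declared_count is None else declared_count
    body = struct.pack("<IIIHHBHB",
                       0, 0, 0,      # dwFlags, dwVolume, dwPitch
                       0,            # wDGramPort (0: no UDP audio)
                       count,        # wNumberOfFormats
                       0,            # cLastBlockConfirmed
                       version,      # wVersion
                       0)            # bPad
    body += b"".join(f.pack() for f in formats)
    return pack_sndprolog(SNDC_FORMATS, body)


def generate_cases(formats, seed=0, flips=8):
    """Deterministic list of (name, pdu) fuzz cases derived from a baseline."""
    rng = random.Random(seed)
    base = build_server_formats_pdu(formats)
    cases = [
        ("baseline", base),
        # header count larger than the records actually present
        ("count-overclaim", build_server_formats_pdu(formats, declared_count=0xFFFF)),
        ("count-underclaim", build_server_formats_pdu(formats, declared_count=0)),
        # SNDPROLOG promises more body than is sent
        ("bodysize-overclaim", struct.pack("<BBH", SNDC_FORMATS, 0, 0xFFFF) + base[4:]),
        # body cut inside the first AUDIO_FORMAT record
        ("truncated", base[:30]),
    ]
    # cbSize of the first record claims trailing data that is not there
    # (offset: 4-byte prolog + 20-byte fixed body + 16 bytes into AUDIO_FORMAT)
    patched = bytearray(base)
    struct.pack_into("<H", patched, 40, 0x7FFF)
    cases.append(("cbsize-overclaim", bytes(patched)))
    for i in range(flips):  # seeded single-bit flips anywhere past the prolog
        flipped = bytearray(base)
        pos = rng.randrange(4, len(flipped))
        flipped[pos] ^= 1 << rng.randrange(8)
        cases.append((f"bitflip-{i}", bytes(flipped)))
    return cases


class RecordingTransport:
    """Offline stand-in for the channel: keeps every PDU it was asked to send."""
    def __init__(self):
        self.sent = []

    def write(self, data: bytes) -> int:
        self.sent.append(data)
        return len(data)


class WtsChannelTransport:
    """Writes to a static virtual channel of the current RDS session using
    wtsapi32 (Windows only). Assumes the channel can be opened from a user-mode
    process in the session; channel name is an assumption, not from the talk."""
    WTS_CURRENT_SESSION = 0xFFFFFFFF

    def __init__(self, channel_name: str = "rdpsnd"):
        import ctypes
        from ctypes import wintypes
        self._wts = ctypes.windll.wtsapi32
        self._wts.WTSVirtualChannelOpen.restype = wintypes.HANDLE
        self._wts.WTSVirtualChannelWrite.restype = wintypes.BOOL
        self._handle = self._wts.WTSVirtualChannelOpen(
            None, self.WTS_CURRENT_SESSION, channel_name.encode("ascii"))
        if not self._handle:
            raise OSError(ctypes.get_last_error(), "WTSVirtualChannelOpen failed")

    def write(self, data: bytes) -> int:
        import ctypes
        from ctypes import wintypes
        written = wintypes.ULONG(0)
        if not self._wts.WTSVirtualChannelWrite(self._handle, data, len(data),
                                                ctypes.byref(written)):
            raise OSError(ctypes.get_last_error(), "WTSVirtualChannelWrite failed")
        return written.value


def run_campaign(transport, cases):
    """Send every case in order; returns [(name, bytes_written)]."""
    return [(name, transport.write(pdu)) for name, pdu in cases]


if __name__ == "__main__":
    for name, n in run_campaign(RecordingTransport(), generate_cases([AudioFormat()])):
        print(f"{name:20s} {n} bytes")
```

In a session-side ("loop mode") deployment the only change is `WtsChannelTransport()` in place of `RecordingTransport()`, with a client-side debugger or crash-dump collector watching mstsc; in a proxy-style deployment the same `generate_cases` logic would be applied to PDUs captured in transit instead of to a synthetic baseline. The length-field cases are listed first on purpose: a parser that trusts `wNumberOfFormats`, `BodySize` or `cbSize` over the bytes actually received is the first thing worth checking on any new channel.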
  • RDP was chosen as target because:

    • Widely used protocol with large user base
    • Relatively simple client-side implementation
    • History of significant vulnerabilities (like BlueKeep)
    • Good documentation and previous research available
  • Environment setup considerations:

    • Windows Server with Remote Desktop Services
    • Need for both client and server components
    • Configuration of various virtual channels
    • Importance of proper VM configuration
  • Research revealed importance of:

    • Race condition testing in protocol implementations
    • Proper thread synchronization
    • Lock handling in I/O operations
    • Virtual channel security testing
  • Future research directions include:

    • Expanding to other protocol channels
    • Improving fuzzing efficiency
    • Developing more sophisticated testing tools
    • Further exploration of race conditions