A Glimpse Into The Protocol: Fuzz Windows RDP Client For Fun And Profit

The research focused on fuzzing Windows RDP client, specifically targeting virtual channels and uncovering vulnerabilities

Two main fuzzing architectures were identified:

• Loop mode: simpler but less stable
• Proxy mode: more complex but better for batch testing

Key vulnerabilities discovered:

• CVE-2024-21307: A race condition vulnerability in XPS printer handling
• Bug in the RDP-SND channel
• Issues with proper locking mechanisms in printer handling

Technical approaches used:

• WTS API for channel communication
• Virtual machine setup with client/server configuration
• Binary diffing to understand Microsoft patches
• Manual code auditing of release logic

RDP was chosen as target because:

• Widely used protocol with large user base
• Relatively simple client-side implementation
• History of significant vulnerabilities (like BlueKeep)
• Good documentation and previous research available

Environment setup considerations:

• Windows Server with Remote Desktop Services
• Need for both client and server components
• Configuration of various virtual channels
• Importance of proper VM configuration

Research revealed importance of:

• Race condition testing in protocol implementations
• Proper thread synchronization
• Lock handling in I/O operations
• Virtual channel security testing

Future research directions include:

• Expanding to other protocol channels
• Improving fuzzing efficiency
• Developing more sophisticated testing tools
• Further exploration of race conditions