The Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that allows users to remotely control Windows systems through a graphical user interface (GUI) over the network. The protocol is used by IT admins as well as non-technical users to access machines remotely or to manage Hyper-V guest VMs from the host, via an RDP client. Because of its widespread use, Microsoft's RDP client has shipped with most Windows operating systems by default (XP and onwards), and clients are also available on many other platforms, including Linux, macOS, iOS, and Android.
In this talk, we share our adventure in applying coverage-based fuzzing to the RDP client, more specifically to virtual channels in RDP. In the RDP client, virtual channels implement the complex functionality of RDP such as sound, graphics (GDI and RemoteFX), USB redirection, filesystem redirection, smart cards, etc., most of which involves parsing attacker-controlled data and allocating dynamically sized buffers for it. Based on this, we chose virtual channels as our main fuzzing target in the hope of finding numerous crashes.
To achieve this, we first analyze the binary of Microsoft's official RDP client (mstsc.exe) to understand how virtual channels work and how the RDP server and client exchange channel data over the protocol. We then adapt WinAFL to the requirements of this model so that it can efficiently fuzz virtual channels with code-coverage feedback. As a result, we discovered many exploitable crashes and achieved remote code execution (RCE) in the Windows client by exploiting the bugs we found.
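As an added illustration, and not the speakers' fuzzer or any Microsoft code, the following C program shows the two pieces the paragraphs above describe: the kind of dynamic-data parsing a virtual channel does (reassembling fragmented channel data from the CHANNEL_PDU_HEADER of MS-RDPBCGR 2.2.6.1.1, where each fragment announces the total length and FIRST/LAST flags), and the shape of a target function that a WinAFL-style in-process fuzzer calls once per iteration with a mutated input file. The reassembler names, the 16-bit fragment framing of the input file, the 16 MiB size bound, and the sample streams are all assumptions made for this example; the length check marked in `vc_feed` is the one whose absence turns a FIRST header that under-declares the total length into a heap overflow.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* CHANNEL_PDU_HEADER (MS-RDPBCGR 2.2.6.1.1): 4-byte total length of the
 * reassembled channel data, then 4 bytes of flags; every fragment has one. */
#define CHANNEL_FLAG_FIRST   0x00000001u
#define CHANNEL_FLAG_LAST    0x00000002u
#define CHANNEL_CHUNK_LENGTH 1600u                 /* default max fragment body */
#define MAX_CHANNEL_DATA     (16u * 1024u * 1024u) /* assumed sanity bound */

typedef struct {
    uint8_t *buf;    /* reassembly buffer, sized from the FIRST fragment */
    uint32_t total;  /* length announced by the FIRST fragment header */
    uint32_t used;   /* bytes copied so far */
} vc_reasm_t;

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Feed one fragment (header + body). Returns 1 when a message is complete,
 * 0 when more fragments are needed, -1 on a malformed fragment. */
int vc_feed(vc_reasm_t *r, const uint8_t *frag, size_t n) {
    if (n < 8) return -1;
    uint32_t length = rd32le(frag);
    uint32_t flags  = rd32le(frag + 4);
    const uint8_t *body = frag + 8;
    size_t blen = n - 8;
    if (blen > CHANNEL_CHUNK_LENGTH) return -1;

    if (flags & CHANNEL_FLAG_FIRST) {
        free(r->buf);               /* a new FIRST discards any partial message */
        r->buf = NULL;
        if (length == 0 || length > MAX_CHANNEL_DATA) return -1;
        r->buf = malloc(length);    /* allocation driven by an attacker-chosen length */
        if (!r->buf) return -1;
        r->total = length;
        r->used = 0;
    } else if (!r->buf) {
        return -1;                  /* continuation without a FIRST */
    }
    /* Without this check a FIRST header that declares a length smaller than
     * the bytes actually sent overflows r->buf: the bug class the talk targets. */
    if (blen > r->total - r->used) return -1;
    memcpy(r->buf + r->used, body, blen);
    r->used += blen;

    if (flags & CHANNEL_FLAG_LAST)
        return r->used == r->total ? 1 : -1;
    return 0;
}

/* Harness input format (assumed): a sequence of fragments, each prefixed with
 * a 16-bit little-endian size. Returns the number of fully reassembled
 * messages, or -1 at the first malformed fragment. */
int vc_process_stream(const uint8_t *in, size_t n) {
    vc_reasm_t r = {0};
    int done = 0;
    size_t off = 0;
    while (off + 2 <= n) {
        size_t flen = (size_t)in[off] | ((size_t)in[off + 1] << 8);
        off += 2;
        if (flen > n - off) { done = -1; break; }
        int rc = vc_feed(&r, in + off, flen);
        off += flen;
        if (rc < 0) { done = -1; break; }
        if (rc == 1) done++;
    }
    free(r.buf);
    return done;
}

/* Target function a WinAFL-style fuzzer calls per iteration (e.g. selected
 * with -target_method fuzz_one); it must re-read the file every call. */
int fuzz_one(const char *path) {
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    fseek(f, 0, SEEK_END);
    long sz = ftell(f);
    rewind(f);
    if (sz < 0) { fclose(f); return -1; }
    uint8_t *in = malloc((size_t)sz + 1);
    if (!in || fread(in, 1, (size_t)sz, f) != (size_t)sz) { free(in); fclose(f); return -1; }
    fclose(f);
    int rc = vc_process_stream(in, (size_t)sz);
    free(in);
    return rc;
}

/* Constructed samples: a 5-byte message split into FIRST "abc" + LAST "de",
 * and a FIRST fragment that declares length 2 but carries 3 bytes. */
static const uint8_t kGoodStream[] = {
    0x0B, 0x00, 5, 0, 0, 0, 1, 0, 0, 0, 'a', 'b', 'c',
    0x0A, 0x00, 5, 0, 0, 0, 2, 0, 0, 0, 'd', 'e' };
static const uint8_t kBadStream[] = {
    0x0B, 0x00, 2, 0, 0, 0, 1, 0, 0, 0, 'a', 'b', 'c' };

int main(void) {
    printf("good stream: %d message(s)\n", vc_process_stream(kGoodStream, sizeof kGoodStream));
    printf("bad stream:  %d (rejected)\n", vc_process_stream(kBadStream, sizeof kBadStream));
    return 0;
}
```

To reuse this as a real harness, `vc_feed` would be replaced by calls into the client's own channel-handling code and `fuzz_one` would be the function the fuzzer is pointed at; the framing wrapper stays, since coverage-guided mutation works best when one file drives a whole fragment sequence rather than a single PDU.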
In addition to sharing the construction of the fuzzer and demonstrating the exploitation, we will also discuss a heap memory grooming technique, RDP Heap Feng Shui, which is a prerequisite for exploiting a heap overflow vulnerability in the RDP client.