Fuzzing and Exploiting Virtual Channels in Microsoft Remote Desktop Protocol for Fun and Profit

Conference:  BlackHat EU 2019



The presentation discusses the use of virtual channels in RDP clients to automatically find vulnerabilities and measure code coverage.
  • Virtual channels in RDP clients can be used to find vulnerabilities and measure code coverage
  • Apoprotein can be applied on Windows to enable coverage-guided forging
  • Win a pair can be used to measure code coverage using dynamic instrumentation with Dynamo Rio
  • The architecture of RDP clients can be changed to use virtual channels for coverage-guided forging
  • The RDP snd channel can be targeted for audio output to send data from the server to the client
  • Rogue data can be used to create a state fire for forging
The presentation gives an example of how rogue data was used to create a state fire for forging by hooking into the virtual channels incoming section and praying the music. This allowed for the identification of unique crashes in the RDP snd channel after four hours of runtime.


The Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, allowing users to remotely control Windows systems with a graphical user interface (GUI) over the network. This protocol is frequently used by IT admins as well as non-technical users for accessing the machine remotely or managing Hyper-V guests VMs from the host machine, via an RDP client. Due to its widespread use, Microsoft's RDP client is shipped with the most of Windows operating systems by default (XP and onwards) and also available in many other platforms including Linux, MacOS, iOS, and Android. In this talk, we share our adventure in applying coverage-based fuzzing to the RDP client, more specifically, virtual channels in RDP. In the RDP client, virtual channels deal with complex functionalities of RDP such as Sound, Graphics (GDI and RemoteFX), USB, Filesystem, SmartCard, etc., most of which involves parsing and allocation of dynamic data. Based on this fact, we set our main fuzzing targets as virtual channels with a hope of finding numerous crashes. To achieve this, we first analyze the binary of Microsoft's official RDP client (mstsc.exe) to understand how virtual channels and the RDP server-client operate over the protocol. Then, we tame WinAFL to match the requirements of these model for efficiently fuzz virtual channels backed with code-coverage feedback. As a result, we discovered many exploitable crashes and achieved remote code execution (RCE) in Windows client by exploiting bugs that we found. In addition to sharing the construction of the fuzzer and demonstrating the exploitation, we will also discuss heap memory management technique, namely, RDP Heap Feng Shui, which is a prerequisite for exploiting heap overflow vulnerability in the RDP client.