Fuzzing and Exploiting Virtual Channels in Microsoft Remote Desktop Protocol for Fun and Profit

Presented at Black Hat Europe 2019, Dec. 4, 2019, 4:50 p.m. (50 minutes)

The Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that allows users to remotely control Windows systems with a graphical user interface (GUI) over the network. The protocol is frequently used by IT admins as well as non-technical users to access a machine remotely or to manage Hyper-V guest VMs from the host machine via an RDP client. Due to its widespread use, Microsoft's RDP client ships by default with most Windows operating systems (XP and onwards) and is also available on many other platforms, including Linux, macOS, iOS, and Android.

In this talk, we share our adventure in applying coverage-based fuzzing to the RDP client, more specifically, to virtual channels in RDP. In the RDP client, virtual channels handle complex RDP functionality such as Sound, Graphics (GDI and RemoteFX), USB, Filesystem, SmartCard, etc., most of which involve parsing and allocation of dynamic data. Based on this fact, we chose virtual channels as our main fuzzing targets, in the hope of finding numerous crashes.

To achieve this, we first analyze the binary of Microsoft's official RDP client (mstsc.exe) to understand how virtual channels and the RDP server and client operate over the protocol. Then, we tame WinAFL to match the requirements of this model so that it can efficiently fuzz virtual channels with code-coverage feedback. As a result, we discovered many exploitable crashes and achieved remote code execution (RCE) in the Windows client by exploiting the bugs that we found.

In addition to sharing the construction of the fuzzer and demonstrating the exploitation, we will also discuss a heap memory management technique, namely RDP Heap Feng Shui, which is a prerequisite for exploiting heap overflow vulnerabilities in the RDP client.


Presenters:

  • Seungjoo Kim - Professor, Korea University
    Seungjoo (Gabriel) Kim has been a professor at the Graduate School of Information Security at Korea University since 2011, and his research areas focus on SDL, security engineering, cryptography and blockchain. For the past seven years, he was an associate professor at Sungkyunkwan University and has five years of background as team leader of the Cryptographic Technology Team and also the IT Security Evaluation Team of KISA (Korea Internet & Security Agency). In addition to being a professor, he serves as a director of CHAOS (Center for High-Assurance Operating Systems), head of the SANE (Security Analysis aNd Evaluation) Lab, an adviser to the hacking club 'CyKor' (DEFCON CTF 2015 & 2018 winner), and a founder/advisory director of the international security & hacking conference 'SECUINSIDE'. His numerous professional roles include being a presidential committee member on the 4th industrial revolution and an advisory committee member of several public and private organizations such as NIS (National Intelligence Service), Ministry of National Defense, Ministry of Justice, Supreme Prosecutors' Office, Korea National Police Agency, Nuclear Safety and Security Commission, etc. He also taught at the Korea Military Academy. He is a corresponding author. Twitter: @skim71 / Homepage: www.KimLab.net
  • Ki Taek Lee - PhD Candidate / Principal Engineer, Korea University / Samsung Research
    Ki Taek Lee works as an offensive security researcher and penetration tester for Samsung Research, the advanced research and development (R&D) hub of Samsung Electronics. Lee is also currently a Ph.D. candidate at Korea University. He has 20 years' experience in areas related to security analysis, evaluation, research, and testing. He was a co-founder of HARU (Korean white hackers' association), a non-profit organization. He has served as an advisor to academia, agencies, and vendors. He is interested in security analysis, IoT security, and offensive security.
  • Yeongjin Jang - Assistant Professor, Oregon State University
    Dr. Yeongjin Jang is an assistant professor of Computer Science and studies Cybersecurity. He hacks CPUs, OSes, iPhones, IoT devices, and anything that is operated by computers. He is interested in trustworthy computing, vulnerability discovery and analysis, side-channel attack and defense, developing new exploit primitives, mobile security, practical applied cryptography, jailbreaking, and building defense mechanisms. He holds a BS degree in Computer Science from KAIST, and MS and PhD degrees in Computer Science from Georgia Institute of Technology.
  • Chun Sung Park - Graduate Student, Korea University
    Chun Sung Park is a graduate student at SANE LAB, Korea University. He also works as a CTO for Diffense, an offensive security research company based in S.Korea. His research focus is on Windows, Linux, Android, and vulnerability.