CVE-2021-38665 in Windows — Remote Heap Leak in the RDP client
- MSRC Report: Remote Desktop Protocol Client Information Disclosure Vulnerability
- CVSS 7.4 (Important)
In Microsoft Remote Desktop, a malicious RDP server could remotely leak heap memory from a client through the RDPDR extension (enabled by default).
This affected many versions of Windows, including Windows 11 and 10.
The vulnerability lied in the printer sub-protocol of the RDPDR virtual channel. A malicious server could add printer cache information inside the client’s registry and leak heap through a key name. Then, the server could ask the client to send this information back to effectively leak ASLR.
More details available in a dedicated article over on Thalium’s blog, including a proof of concept.
I also explained this vulnerability during a conference talk at SSTIC 2022: Fuzzing Microsoft’s RDP Client using Virtual Channels.