Summary

In the Microsoft Remote Desktop client, a malicious RDP server could remotely leak heap memory from the client through the RDPDR extension (enabled by default).

This affected many versions of Windows, including Windows 11 and 10.

Details

The vulnerability lay in the printer sub-protocol of the RDPDR virtual channel. A malicious server could add printer cache information to the client’s registry and leak heap memory through a key name. The server could then ask the client to send this information back, effectively defeating ASLR.

More details are available in a dedicated article on Thalium’s blog, including a proof of concept.

I also explained this vulnerability during a conference talk at SSTIC 2022: Fuzzing Microsoft’s RDP Client using Virtual Channels.