Summary

In Microsoft Remote Desktop, a malicious RDP server could remotely execute code in a connecting client through the RDPDR (device redirection) virtual channel extension, which is enabled by default.

This affected many versions of Windows, including Windows 11 and 10.

Details

The vulnerability lay in the smart card extension of the RDPDR virtual channel. A malicious server could ask the client to perform an IOCTL call through a carefully serialized RPC message. During deserialization of that message, a misuse of the RPC NDR marshalling engine led to a heap-based buffer overflow in the client.

More details are available in a dedicated article on Thalium's blog.

I also explained this vulnerability during a conference talk at SSTIC 2022: Fuzzing Microsoft’s RDP Client using Virtual Channels.