Holding The Stick at Both Ends: Fuzzing RDP Client and Server

PRESENTATION SLIDES (PDF)

Traditional fuzzing has been around for years now and it has proven itself a great way of finding a lot of bugs. Fuzzers came a long way over the past few years, but the majority of them still work in the traditional fashion.

This talk describes our journey to make a traditional coverage-guided fuzzer (WinAFL) fuzz a complex network protocol – RDP. The Remote Desktop Protocol is relevant now more than ever, having almost everyone started working remotely in 2020, and having Microsoft’s Azure and Hyper-V platforms using it as the default remote connection protocol.

We utilized WinAFL, DynamoRIO, and a set of our own enhancements to hunt for bugs in both the Windows RDP Client and Server. We did that targeting a handful of channels that RDP encapsulates, fuzzing dozens of message types. Fuzzing the RDP protocol from both ends is a new concept and it hasn’t been done before. We built upon the extremely limited history of fuzzing RDP and created a comprehensive fuzzer that’s able to fuzz most of the RDP channels and extensions. By doing this we were able to find many new bugs (the exact numbers will be determined after finishing the responsible disclosure process).

We will share our experience developing this ability and analyzing the results and the new bugs found.

MAIN CONFERENCE
Location: Track 1 Date: August 27, 2021 Time: 4:00 pm - 5:00 pm Shaked Reiner Or Ben-Porath