Fuzzing RDP Client and Server

Explore the intricacies of fuzzing the Remote Desktop Protocol (RDP) in this 47-minute conference talk from the Hack In The Box Security Conference. Dive into the journey of adapting a traditional coverage-guided fuzzer (WinAFL) to test a complex network protocol, focusing on both RDP client and server implementations. Learn about the innovative approach of fuzzing RDP from both ends, a concept not previously explored. Discover how the speakers utilized WinAFL, DynamoRIO, and custom enhancements to target multiple RDP channels and message types, uncovering numerous new bugs. Gain insights into the challenges faced during development, result analysis, and the responsible disclosure process. The talk covers various aspects including the RDP attack surface, coverage-guided fuzzing setup, code patches, grammar enforcement, multi-channel input, and automatic crash analysis. Presented by security researchers Shaked Reiner and Or Ben-Porath from CyberArk, this talk offers valuable knowledge for those interested in vulnerability research, OS security, and advanced fuzzing techniques.

Intro
Agenda
RDP Attack Vector #2
Examples
Attack Surface
Read Surface
Protocol Stack
General Info
Coverage-guided Fuzzing Setup
Fuzzing Options
DR Attach
Background Fuzzing
Statefulness
Code Patches
Grammar Enforcement
Multi-input
Multi-channel Input
Locating Target Functions
Reproduction Issues
Automatic Crash Analysis
AUDIO_PLAYBACK Channel
Crashing Input
Future Work