Dec 31st, 2020
- The channel "rdpinpt" is used internally by RDP to pass pointers to various input structures to terminpt.sys. A client can connect to this channel externally (before authentication) by specifying channel "rdpinpt" in the GCC Conference Create Request. Once connected, the client can supply pointers directly over the channel, causing the RDP service to attempt a read of the supplied address. Normally this would result in a remote Denial-of-Service condition; however, it is possible to trigger the read from the kernel using an IOCTL. Because the kernel read uses DeviceIoControl with buffered I/O, the call simply returns an error code if the address is not readable. Using this, it is possible not only to remotely confirm whether an address exists, but also to leak partial data from it by telling terminpt to treat it as a mouse or keyboard input packet.
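A defender-side check for the trigger described above, added here as an example and not part of the original paste: it parses the client network data block (TS_UD_CS_NET, as laid out in MS-RDPBCGR) that a client sends inside the GCC Conference Create Request and flags any requested static channel named "rdpinpt". The watch list and the sample blocks are constructed for this example; a real deployment would feed it blocks pulled from captured connection requests.

```python
"""Flag RDP clients that request internal channel names such as "rdpinpt"."""
import struct

CS_NET = 0xC003  # TS_UD_HEADER type of the client network data block

# Channels a normal client has no business requesting. "rdpinpt" is the
# internal channel named in the write-up; the list itself is this example's assumption.
SUSPICIOUS_CHANNELS = {"rdpinpt"}


def parse_cs_net(block: bytes) -> list[tuple[str, int]]:
    """Return (name, options) pairs from a TS_UD_CS_NET block; raise on malformed input."""
    if len(block) < 8:
        raise ValueError("block too short for header and channelCount")
    hdr_type, hdr_len = struct.unpack_from("<HH", block, 0)  # little-endian header
    if hdr_type != CS_NET:
        raise ValueError(f"not a CS_NET block: type=0x{hdr_type:04x}")
    if hdr_len != len(block):
        raise ValueError("header length does not match block length")
    (count,) = struct.unpack_from("<I", block, 4)
    if 8 + 12 * count != len(block):  # each CHANNEL_DEF is 8-byte name + 4-byte options
        raise ValueError("channelCount disagrees with block length")
    channels = []
    for i in range(count):
        off = 8 + 12 * i
        raw_name = block[off:off + 8]
        (options,) = struct.unpack_from("<I", block, off + 8)
        # Channel names are ASCII, null-padded to 8 bytes
        name = raw_name.split(b"\x00", 1)[0].decode("ascii", errors="replace")
        channels.append((name, options))
    return channels


def flag_suspicious(block: bytes) -> list[str]:
    """Requested channel names that match the watch list (case-insensitive)."""
    return [n for n, _ in parse_cs_net(block) if n.lower() in SUSPICIOUS_CHANNELS]


def build_cs_net(names: list[str], options: int = 0x80000000) -> bytes:
    """Serialize a CS_NET block; used only to construct sample input for this example."""
    body = b"".join(n.encode("ascii").ljust(8, b"\x00") + struct.pack("<I", options)
                    for n in names)
    return struct.pack("<HHI", CS_NET, 8 + len(body), len(names)) + body


if __name__ == "__main__":
    # Constructed samples: an ordinary client and one asking for the internal channel
    print(flag_suspicious(build_cs_net(["cliprdr", "rdpdr"])))    # []
    print(flag_suspicious(build_cs_net(["cliprdr", "rdpinpt"])))  # ['rdpinpt']
```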