RDP Virtual Channels — Pre-Auth Attack Surface

Last updated: 2026-07-02
Related: Windows RPC, Windows Exploit Research Overview, CVE-2025-21297 (RD Gateway)
Tags: user-mode, rdp

Summary

Windows Remote Desktop Services multiplexes functionality over virtual channels. Several of these channels are reachable before authentication completes, which makes them a prime remote attack surface — the same reason RDP has produced BlueKeep-class bugs. This page maps the channel-processing call chain and the pre-auth channel set, and uses an RDP-server memory-leak bug as a worked example.


NLA and the Negotiation Order

Network Level Authentication (NLA) changes when protocol negotiation happens:

  • NLA off — protocol negotiation occurs before credentials are exchanged, so channel-processing code is reachable by an unauthenticated attacker.
  • NLA on — an encrypted channel is established with credentials first, then negotiation proceeds inside it, shrinking (but not always eliminating) the pre-auth surface.

Practically, a remote memory-corruption/leak bug in channel handling is exploitable when NLA is off, or when weak credentials let an attacker reach the authenticated path.
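To make the negotiation order concrete from the defender's side, here is an added example (not code from the original page) that builds the X.224 Connection Request a client sends before any credentials and parses the server's Connection Confirm to tell whether a non-NLA negotiation is still accepted. It offers PROTOCOL_RDP only, so a server that enforces NLA answers with an RDP_NEG_FAILURE of HYBRID_REQUIRED_BY_SERVER, while a server that still allows standard RDP security answers with an RDP_NEG_RSP selecting PROTOCOL_RDP, which is exactly the configuration in which the channel parsers above are reachable pre-auth. Field layouts follow MS-RDPBCGR 2.2.1.1 and 2.2.1.2; the two server replies at the bottom are constructed for the test, not captured traffic.

```python
"""
Added example (not from the original page): emit the pre-credential X.224
Connection Request and classify a server's Connection Confirm to see whether
the server still negotiates without NLA. Layouts follow MS-RDPBCGR 2.2.1.1
(client) and 2.2.1.2 (server). Sample replies below are constructed.
"""
import struct

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000        # standard RDP security: negotiation before credentials
PROTOCOL_SSL = 0x00000001        # TLS, credentials still exchanged inside the session
PROTOCOL_HYBRID = 0x00000002     # CredSSP, i.e. NLA
PROTOCOL_HYBRID_EX = 0x00000008

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

# failureCode values carried in RDP_NEG_FAILURE (MS-RDPBCGR 2.2.1.2.2)
FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols: int) -> bytes:
    """TPKT header + X.224 Connection Request TPDU + RDP_NEG_REQ (no cookie)."""
    # RDP_NEG_REQ: type, flags, length (LE u16, always 8), requestedProtocols (LE u32)
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR: LI counts the bytes after itself; code 0xE0; DST-REF; SRC-REF; class option
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    # TPKT: version 3, reserved, total frame length (BE u16) including this header
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data: bytes) -> dict:
    """Parse TPKT + X.224 Connection Confirm and its optional RDP_NEG_RSP / RDP_NEG_FAILURE."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT frame")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length does not match frame length")
    li, code = data[4], data[5]
    if code & 0xF0 != 0xD0:
        raise ValueError("X.224 TPDU is not a Connection Confirm")
    if li == 6:
        # Fixed part only: a legacy server that sends no negotiation structure,
        # which the spec treats as standard RDP security (no NLA).
        return {"type": None, "selected_protocol": PROTOCOL_RDP, "failure": None}
    if li < 14 or len(data) < 19:
        raise ValueError("truncated negotiation structure")
    neg_type, _flags, neg_len, value = struct.unpack("<BBHI", data[11:19])
    if neg_len != 8:
        raise ValueError("negotiation structure length must be 8")
    if neg_type == TYPE_RDP_NEG_RSP:
        return {"type": neg_type, "selected_protocol": value, "failure": None}
    if neg_type == TYPE_RDP_NEG_FAILURE:
        name = FAILURE_CODES.get(value, "UNKNOWN_%#x" % value)
        return {"type": neg_type, "selected_protocol": None, "failure": name}
    raise ValueError("unexpected negotiation type %#x" % neg_type)


def audit_nla(confirm: bytes) -> str:
    """Classify the server's answer to a probe that offered PROTOCOL_RDP only."""
    resp = parse_connection_confirm(confirm)
    if resp["failure"] == "HYBRID_REQUIRED_BY_SERVER":
        return "nla_required"
    if resp["failure"] is not None:
        return "refused:" + resp["failure"]
    if resp["selected_protocol"] == PROTOCOL_RDP:
        return "standard_security_allowed"   # pre-auth channel parsers reachable
    return "selected:%#x" % resp["selected_protocol"]


def _confirm(neg: bytes) -> bytes:
    """Constructed Connection Confirm frame wrapping one negotiation structure."""
    x224 = struct.pack(">BBHHB", 6 + len(neg), 0xD0, 0, 0x1234, 0) + neg
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


# Constructed sample replies for the two outcomes that matter here (not captured traffic).
SAMPLE_NLA_REQUIRED = _confirm(struct.pack("<BBHI", TYPE_RDP_NEG_FAILURE, 0, 8, 0x05))
SAMPLE_STANDARD_ALLOWED = _confirm(struct.pack("<BBHI", TYPE_RDP_NEG_RSP, 0, 8, PROTOCOL_RDP))

if __name__ == "__main__":
    print("probe:", build_connection_request(PROTOCOL_RDP).hex())
    for name, frame in (("nla-required", SAMPLE_NLA_REQUIRED), ("legacy", SAMPLE_STANDARD_ALLOWED)):
        print(name, "->", audit_nla(frame))
```

In practice you would send build_connection_request(PROTOCOL_RDP) to TCP 3389 on hosts you administer, read the 19-byte reply and pass it to audit_nla; any host reporting standard_security_allowed exposes the channel-processing code to unauthenticated clients and should have NLA required (the UserAuthentication value under the RDP-Tcp WinStation key, or the equivalent Group Policy setting). Note that a failure code other than HYBRID_REQUIRED_BY_SERVER (for example SSL_REQUIRED_BY_SERVER) means TLS is enforced but not NLA, so such a host still negotiates before credentials.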

Virtual-Channel Data Path

WDW_OnDataReceived
  → WDICART_IcaChannelInputEx
    → CRDPWDUMXStack::WDCallback_IcaChannelInput
      → CRDPWDUMXStack::OnVirtualChannelData   // dispatch to per-channel plugin

Channels observed reachable before full authentication include rdpinpt, rdpgrfx, rdpcmd, rdplic, rdpdr, echo, and several telemetry channels — each a candidate parser to audit.


Worked Example — rdplic License PDU Memory Leak

In CUMRDPLicPlugin::HandleClientLicensePdu (the handler for rdplic license PDUs), the function signals an event but never invokes the event handler that would consume the allocated buffer. Re-sending an identical command overwrites the pointer stored at the memory_60h slot, orphaning the previous allocation — a permanent memory leak until the service restarts. A four-thread PoC keeps connections alive against the server’s disconnect-on-idle timeout and floods the server with this PDU, driving remote memory exhaustion.

Microsoft’s MSRC declined to fix it (a reliability leak, not memory corruption), and it was disclosed publicly. It is a clean illustration of the pre-auth channel surface: the bug sits behind rdplic, reachable with NLA off.


Relevance to Offense

  • Reachability first — enumerate which channels dispatch before auth; those parsers are the remote surface.
  • Bug classes — RDP channel parsers have historically yielded OOB, UAF, and (as here) resource-exhaustion leaks. Contrast the RD Gateway singleton UAF in CVE-2025-21297, a different RDS component reached over the gateway tunnel.

References