One Bug to Rule Them All: Breaking Windows Server 2025 with CVE-2024-38077

For years, the security community has operated under the assumption that 0-click, pre-authentication Remote Code Execution (RCE) vulnerabilities in modern Windows versions are nearly extinct. With the introduction of layered defenses like Control Flow Guard (CFG), Arbitrary Code Guard (ACG), and advanced heap protections, the barrier to entry for exploitation has never been higher. However, recent research presented at Black Hat Asia 2025 by Cyber-Kunlun researchers Zhiniang Peng, Ver, and Zishan Lin has shattered this illusion, demonstrating a stable RCE on Windows Server 2025 using a single memory corruption bug: CVE-2024-38077.

The Forgotten Attack Surface: Remote Desktop Licensing

While much attention has been paid to the core Remote Desktop Protocol (RDP) service (leading to famous bugs like BlueKeep), the Remote Desktop Licensing (RDL) service remained a relatively obscure target. RDL is responsible for managing Client Access Licenses (CALs) and runs as a high-privilege service (lserver.exe).

What makes RDL particularly dangerous is its exposure. Network scans revealed over 117,000 RDL servers exposed to the public internet, with thousands more residing inside internal corporate networks. Because the service relies on RPC (Remote Procedure Call) for management, it presents a massive, unauthenticated attack surface that hasn't been audited as strictly as other Windows components.

Technical Deep Dive: From Heap Overflow to RCE

1. The Vulnerability (CVE-2024-38077)

The vulnerability is a classic heap overflow located in the CDataCoding::DecodeData function, which is called via the RPC method TLS RPC telephone register LKP. When a user chooses to activate a server via telephone, they provide a License Key Pack (LKP). The server attempts to decode this LKP using a BASE-24-like algorithm.

Crucially, the service allocates a fixed-size heap block of 32 bytes to store the decoded result. Because there are no restrictions on the size of the input data, an attacker can provide an oversized LKP string, leading to a controllable heap overflow.

2. Bypassing Authentication

Before triggering the overflow, an attacker must interact with the RPC interface. While many methods are restricted to administrators, the researchers discovered that the RDL service’s challenge-response mechanism is fundamentally flawed. By calling TLS RPC Challenge Server and TLS RPC Response Server Challenge, an attacker can calculate a valid response using an MD5 hash of the server's challenge and a hard-coded GUID. This allows any unauthenticated user to set their ClientFlags to 0xFFFFFFFF, granting them administrative access to all RPC methods.

3. Information Leak & ASLR Bypass

To bypass ASLR, the researchers targeted the Context structure. By using the heap overflow to partially overwrite the ClientName pointer within a Context structure, they could redirect it to point to heap metadata. By then calling TLS RPC retrieve TermServeCert, the server would "helpfully" return the data pointed to by ClientName (the heap address) back to the attacker in a certificate request packet, effectively leaking the heap base.

4. Mastering the Low Fragmentation Heap (LFH)

Windows uses the LFH for small, fixed-size allocations (like our 32-byte target). The LFH includes randomness and a "delay-free" mechanism to prevent deterministic exploitation. The researchers overcame this by:

1. Massive Heap Spraying: Filling LFH bitmaps with Context structures.
2. Hole Punching: Freeing specific blocks to create predictable "holes" where the overflowable buffer would be allocated.
3. Timing: Waiting for the delay-free timer to expire to ensure the heap remained stable during the overflow.

5. CFG Bypass

Even with control of the execution flow, Windows Server 2025’s Control Flow Guard (CFG) prevents jumping to arbitrary addresses. To circumvent this, the team identified a "CFG-safe" gadget in rpcrt4.dll. They found a function that is legitimately whitelisted by CFG but serves as a generic dispatcher. By forging a fake RPC message structure on the heap, they could use this gadget to call LoadLibrary with an arbitrary path, loading a malicious DLL and achieving full code execution.

Mitigation and Defense

The discovery of CVE-2024-38077 serves as a stark reminder that legacy code persists in even the newest operating systems. To defend against this class of attack:

• Immediate Patching: Ensure all Windows Servers are patched against CVE-2024-38077.
• RPC Hardening: Restrict access to RPC ports (TCP 135 and dynamic ports) at the network perimeter. Only allow known administrative IPs to communicate with these services.
• Disable Unnecessary Services: If a server does not require the Remote Desktop Licensing role, the service should be disabled entirely.
• Monitoring: Monitor for unusual lserver.exe crashes or unexpected child processes (like cmd.exe or powershell.exe) spawning from the licensing service.

Conclusion

CVE-2024-38077 demonstrates that "classic" memory corruption bugs are not a thing of the past. By combining deep RPC knowledge with sophisticated heap manipulation and CFG bypass techniques, security researchers proved that even the hardened Windows Server 2025 can be compromised with a single, well-placed bug. As the researchers noted, "Some things never change"—and the need for rigorous auditing of legacy services remains paramount.