Black Hat 2025

One Bug to Rule Them All: Stably Exploiting a Preauth RCE Vulnerability on Windows Server 2025

Black Hat · 1,195 views · 22:15 · 6 months ago

This talk demonstrates a stable, pre-authentication remote code execution (RCE) exploit targeting the Remote Desktop License (RDL) service on Windows Server 2025. The researchers detail a heap overflow vulnerability in the RDL service that allows for memory address leakage and control flow hijacking, effectively bypassing modern mitigations like ASLR and Control Flow Guard (CFG). The presentation provides a comprehensive walkthrough of the exploitation chain, including heap spraying techniques and the construction of a fake object to redirect execution flow to attacker-controlled code.

Bypassing Modern Windows Mitigations with a Single RDL Heap Overflow

TLDR: Researchers at Black Hat 2025 demonstrated a pre-authentication RCE in the Remote Desktop License (RDL) service on Windows Server 2025. By exploiting a heap overflow in the CDataCoding::DecodeData function, they achieved memory leakage and control flow hijacking, effectively bypassing ASLR and Control Flow Guard (CFG). This vulnerability highlights that even with modern exploit mitigations, legacy-style memory corruption remains a critical threat vector for high-privilege services.

Modern Windows security is often framed as a series of insurmountable walls. Between Control Flow Guard (CFG), Address Space Layout Randomization (ASLR), and Control Flow Enforcement Technology (CET), the days of simple stack-based buffer overflows seem long gone. However, the research presented on the Remote Desktop License (RDL) service proves that complexity is the enemy of security. When a service handles complex data structures and relies on legacy code paths, those mitigations can be bypassed with a single, well-placed memory corruption primitive.

The Vulnerability: Heap Overflow in RDL

The RDL service is a core component of the Remote Desktop Services framework, responsible for issuing Client Access Licenses (CALs). Because it is often exposed to the network to facilitate remote management, its attack surface is significant. The researchers identified a heap overflow vulnerability, tracked as CVE-2024-38077, within the CDataCoding::DecodeData function.

Mechanically, the vulnerability stems from how the service handles the decoding of License Key Packs (LKP). The decoding process mirrors Base64 logic, utilizing a fixed-size heap block of 32 bytes to store the results. The critical failure here is the lack of input validation on the data being decoded. If an attacker provides a sufficiently large input, the service writes past the allocated 32-byte buffer, corrupting adjacent heap memory. Because the service manages these allocations using the Low Fragmentation Heap (LFH), an attacker can influence the heap layout to ensure that sensitive structures are placed immediately after the overflow target.
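The decoder pattern described above, as an added example that is not the RDL code or the researchers' material: a Base64-style decode into a fixed 32-byte heap block with no length check, beside the hardened form that bounds the output before writing. All function names are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define BLOCK_SIZE 32  /* fixed-size heap block, as the talk describes for the LKP decoder */

/* Map one Base64 alphabet character to its 6-bit value; -1 if not in the alphabet. */
static int b64_val(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Core decode loop: emits one byte per 8 accumulated bits into out, returns the count. It never checks the room in out. */
static size_t b64_decode_into(const char *in, size_t in_len, uint8_t *out) {
    uint32_t acc = 0; int bits = 0; size_t n = 0;
    for (size_t i = 0; i < in_len && in[i] != '='; i++) {
        int v = b64_val(in[i]);
        if (v < 0) break;
        acc = (acc << 6) | (uint32_t)v; bits += 6;
        if (bits >= 8) { bits -= 8; out[n++] = (uint8_t)(acc >> bits); }
    }
    return n;
}

/* Vulnerable pattern: fixed 32-byte block, input length never validated; more than 43 alphabet characters write past it. */
uint8_t *decode_unchecked(const char *in, size_t in_len, size_t *out_len) {
    uint8_t *block = malloc(BLOCK_SIZE);
    if (block) *out_len = b64_decode_into(in, in_len, block);
    return block;
}

/* Hardened form: bound the output from the input length before writing anything. */
uint8_t *decode_checked(const char *in, size_t in_len, size_t *out_len) {
    *out_len = 0;
    if ((in_len * 6) / 8 > BLOCK_SIZE) return NULL;  /* cannot fit the block: reject, never decode */
    uint8_t *block = malloc(BLOCK_SIZE);
    if (block) *out_len = b64_decode_into(in, in_len, block);
    return block;
}

/* Helper (assumed name): run the hardened path; returns the decoded byte count, -1 when rejected, -2 when expect is given and the bytes differ. */
long checked_decode(const char *in, const char *expect) {
    size_t n = 0;
    uint8_t *p = decode_checked(in, strlen(in), &n);
    long r = !p ? -1 : (expect && (strlen(expect) != n || memcmp(p, expect, n))) ? -2 : (long)n;
    free(p);
    return r;
}
```

The 43-character boundary follows from the block size: 43 characters carry 258 bits and fill exactly 32 bytes, while a 44th character pushes the decoder to a 33rd byte.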

Exploitation Chain: From Leak to Hijack

Exploiting this bug requires a multi-stage approach to overcome modern protections. The first step is an information leak. By carefully crafting the heap layout through heap spraying, the researchers triggered the overflow to partially overwrite the clientName field of a context structure. This allowed them to leak the heap base address, effectively neutralizing ASLR.

Once the heap base is known, the next objective is control flow hijacking. The researchers identified that the TLSRpcKeyPackEnumNext function performs a virtual function call if the contextType member of the context structure is set to 1. By using the initial heap overflow to overwrite this structure with a "fake object," they redirected the virtual function table (vtable) pointer to an attacker-controlled address.

To bypass CFG, which validates the targets of indirect calls, the researchers did not attempt to jump to arbitrary shellcode. Instead, they hijacked the control flow to a legitimate function within the rpcrt4.dll module, specifically NdrServerCall2. This function is on the CFG whitelist. By forging the PRPC_MESSAGE structure, they forced the service to execute a LoadLibrary call, allowing them to load a malicious DLL and achieve full remote code execution.

Practical Implications for Pentesters

For those performing penetration tests or red team engagements, this research serves as a reminder that service-specific RPC interfaces are prime targets. Tools like RpcView are essential for mapping these interfaces. During an engagement, you should focus on identifying RPC methods that lack proper authentication callbacks, as indicated by the Flags field in the interface definition.

If you encounter an RDL service during a scan, do not assume it is hardened simply because it is running on a modern OS. The ability to trigger this exploit pre-authentication means that an unauthenticated attacker can gain SYSTEM-level access to the server. This is a classic example of A06:2021-Vulnerable and Outdated Components, where the underlying logic of a legacy service remains susceptible to decades-old exploitation techniques despite the presence of modern OS-level defenses.

Defensive Considerations

Defending against this class of vulnerability requires a defense-in-depth strategy. While patching is the obvious first step, organizations should restrict access to the RDL service to only those segments that absolutely require it. Implementing network-level segmentation and ensuring that RDL is not directly exposed to the public internet is non-negotiable. Furthermore, monitoring RPC traffic for anomalous patterns—such as unexpected calls to TLSRpcKeyPackEnumNext from unauthorized clients—can provide early warning of exploitation attempts.

Ultimately, the "one bug to rule them all" narrative is a stark reminder that even the most robust security posture can be undermined by a single flaw in service logic. As researchers continue to peel back the layers of Windows internals, the focus must remain on identifying these high-impact primitives before they are weaponized. Keep your eyes on the RPC interfaces, and never underestimate the power of a well-crafted heap spray.

Talk Type: exploit demo
Difficulty: expert
Category: exploit dev
Has Demo · Has Code · Tool Released


Black Hat Asia 2025
