Zero-day for any Windows: how to exploit Microsoft's Remote Desktop Protocol (RDP) client using DLL side-loading. No patch available.

Experts in IT security services from Cymulate, the only cyber attack simulation platform, recently announced the discovery of a method that would allow threat actors to execute malicious code through Microsoft's Remote Desktop Protocol (RDP) using a technique called DLL side-loading. The executed code could seamlessly bypass the security controls of the target system.

Cymulate is a SaaS-based breach and attack simulation platform that helps simplify various security processes; the company's experts collaborate with hundreds of business customers to protect their IT infrastructure.

On Windows, the RDP protocol is driven by MSTSC, the Microsoft Terminal Services Client, which allows users to take control of a remote computer or virtual machine over a network connection. MSTSC relies on a DLL (mstscax.dll) as one of its resources. However, Cymulate has identified that MSTSC delay-loads mstscax.dll in a way that lets attackers bypass security controls.

According to the IT security services experts, the executable loads mstscax.dll without any integrity check to validate the library's code. A threat actor can use this blind spot and replace mstscax.dll in the folder C:\Windows\System32, which requires administrator privileges. This condition allows the attacker to execute malicious code in the context of the digitally signed mstsc.exe and therefore bypass security controls such as AppLocker.
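As an added example that is not from the article or from Cymulate, the following PowerShell check performs the verification the article says mstsc.exe itself skips: it confirms that the mstscax.dll sitting in System32 is still a Microsoft-signed OS binary and records its hash for comparison. It assumes a Windows host with PowerShell 5.1 or later.

```powershell
# Added example (not from the article or Cymulate): verify that the mstscax.dll
# mstsc.exe will delay-load from System32 is still the Microsoft-signed original.
# Assumes PowerShell 5.1+ on Windows. Get-AuthenticodeSignature also validates
# catalog-signed files, which is how most System32 binaries are signed.

$dllPath = Join-Path $env:SystemRoot 'System32\mstscax.dll'

if (-not (Test-Path $dllPath)) {
    Write-Warning "mstscax.dll not found at $dllPath"
    exit 1
}

$sig  = Get-AuthenticodeSignature -FilePath $dllPath
$hash = (Get-FileHash -Path $dllPath -Algorithm SHA256).Hash

# Three independent signals: signature status, signer identity, and whether
# Windows recognises the file as an OS binary (catalog membership).
$isValid     = $sig.Status -eq 'Valid'
$isMicrosoft = [bool]($sig.SignerCertificate -and
                      $sig.SignerCertificate.Subject -match 'CN=Microsoft')
$isOsBinary  = [bool]$sig.IsOSBinary

[PSCustomObject]@{
    Path       = $dllPath
    SHA256     = $hash
    Status     = $sig.Status
    Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    IsOSBinary = $isOsBinary
} | Format-List

if ($isValid -and $isMicrosoft -and $isOsBinary) {
    Write-Host 'OK: mstscax.dll is a Microsoft-signed OS binary.'
    exit 0
}

# Any failure means the DLL mstsc.exe loads is not the one Microsoft shipped:
# treat it as a potential side-loading incident and preserve the hash above.
Write-Warning "mstscax.dll failed verification (Status=$($sig.Status), IsOSBinary=$isOsBinary)."
exit 2
```

Because the replacement needs administrator rights, this check is most useful when run on a schedule from a privileged monitoring context and paired with image-load telemetry (for example Sysmon event ID 7) for mstsc.exe, so that a swapped library is noticed even between runs.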

Although the specialists notified Microsoft of this flaw, the company has declined to release a fix, arguing that writing to System32 requires administrator privileges, which greatly reduces the likelihood of this condition being exploited.

This flaw was first reported in 2017 and has been exploited by multiple hacking groups, IT security services experts say. Among the groups that have deployed this attack are APT3, which carried out its attacks via Chrome, and APT32, which executes payloads signed by legitimate companies such as Symantec and McAfee.

The International Institute for Cyber Security (IICS) believes that technology companies should pay more attention to these threats, in addition to releasing relevant updates. While exploiting these flaws is complex, it is also 100% feasible in real-world scenarios, so this is a security risk that should not go unnoticed by anyone, whether developers or customers.