
Microsoft Windows RDP Keystroke Injection Vulnerability

Microsoft Windows Remote Desktop Protocol (RDP) version 5.0 introduced a feature that may be abused by remote attackers who are able to intercept network traffic.

When common commands and input events are sent during an RDP session, a checksum derived from the event is added to each packet. In older versions of RDP, the checksum also included a timestamp, which meant that each packet had a different checksum.

Version 5.0 of Microsoft Windows RDP introduced support for abbreviating packets for common commands and input events. A unique timestamp is not used when the checksum is calculated for version 5.0 RDP packets, making it possible to deduce particular events (such as individual keystrokes) based on the checksum. This issue is also present in RDP 5.1.

Given the ability to observe network traffic and deduce which events are occurring, it is possible for an attacker to inject maliciously crafted packets into a session which may cause certain events to occur.
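The following is a simplified model of the property described above, added here as an illustration; it is not taken from the advisory and is not RDP's actual checksum algorithm. HMAC-SHA-256, the key, the event encoding and all function names are assumptions chosen to show why a tag computed from the event alone repeats, and how binding a per-packet counter into the tag removes both the repetition and the acceptance of a re-sent packet.

```python
import hashlib
import hmac
import struct

KEY = bytes(range(16))  # constructed session key, illustration only


def tag_static(event: bytes) -> bytes:
    """Weak model: the tag depends only on the key and the event bytes."""
    return hmac.new(KEY, event, hashlib.sha256).digest()[:8]


def tag_counted(event: bytes, counter: int) -> bytes:
    """Hardened model: a per-packet counter is bound into the tag."""
    msg = struct.pack("<Q", counter) + event
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:8]


def repetition_pattern(tags):
    """Label each tag by the index of its first occurrence on the wire."""
    first_seen = {}
    return [first_seen.setdefault(t, len(first_seen)) for t in tags]


def accepts_static(event: bytes, tag: bytes) -> bool:
    """Receiver check for the weak model: no notion of packet position."""
    return hmac.compare_digest(tag_static(event), tag)


def accepts_counted(event: bytes, tag: bytes, expected_counter: int) -> bool:
    """Receiver check for the hardened model: tag must match its position."""
    return hmac.compare_digest(tag_counted(event, expected_counter), tag)


# Constructed input events: one event per character of a typed word.
EVENTS = [b"key:" + bytes([c]) for c in b"banana"]

static_tags = [tag_static(e) for e in EVENTS]
counted_tags = [tag_counted(e, i) for i, e in enumerate(EVENTS)]

if __name__ == "__main__":
    # Repeated events are visible in the weak model, hidden in the hardened one.
    print("static :", repetition_pattern(static_tags))
    print("counted:", repetition_pattern(counted_tags))
    # The packet from position 1 presented again at position 6.
    print("static re-send accepted :", accepts_static(EVENTS[1], static_tags[1]))
    print("counted re-send accepted:",
          accepts_counted(EVENTS[1], counted_tags[1], 6))
```

The same repetition check can be run over captured integrity tags from any protocol under test: a tag that recurs for distinct packets indicates that no per-packet value is bound into it.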







 

Copyright 2008, SecurityFocus