Cato CTRL Threat Brief: CVE-2024-38077 – Windows Remote Desktop Licensing Service RCE Vulnerability (“MadLicense”)
Executive Summary
Security researchers recently published a proof of concept (PoC) for a critical remote code execution (RCE) vulnerability in Windows Server (CVSS score 9.8) that affects every version from Windows Server 2000 through Windows Server 2025. The vulnerable component is the Remote Desktop Licensing service, commonly deployed and enabled on Windows Servers that run Remote Desktop Services.
The vulnerability is exploitable pre-authentication with zero user interaction: the attacker needs neither credentials nor any action from a victim. This makes it extremely high risk, above all for internet-facing servers that run the Licensing service, of which the researchers counted at least 170,000 exposed instances.
The Remote Desktop Licensing (RDL) Service is a crucial component of Windows Server that manages the licensing for Remote Desktop Services (RDS), which allows users to remotely access desktops and applications hosted on a server. The RDL Service ensures that each user or device that connects to a remote desktop session has a valid Remote Desktop Client Access License (RDS CAL).
Cato-deployed intrusion prevention system (IPS) signatures in the Cato SASE Cloud Platform block this attack, protecting all Cato-connected edges – sites, remote users, and cloud resources.
Technical Overview
The exploit injects a malicious DLL into the licensing service process by corrupting its heap through a sequence of Remote Procedure Call (RPC) requests. Because ASLR randomizes where modules and the heap are loaded, the exploit must first leak a set of addresses and compute everything else relative to them. The bases it needs are:
- Heap base: the start of the heap region the service allocates from; the exploit uses it to predict where its sprayed and fake objects land.
- ntdll base: the base address of ntdll.dll, the user-mode library that contains the heap manager and the system call stubs the exploit relies on.
- PEB base (Process Environment Block): the per-process structure that describes the process’s memory layout and its list of loaded modules, which is how the other module bases can be located once one address is known.
- PE base (Portable Executable image base): the base address of the service’s own executable image in memory, used to locate code and data inside it.
- rpcrt4 base: the base address of rpcrt4.dll, the RPC runtime that dispatches the incoming requests.
- Kernel base: the base address of the kernel-exporting library the exploit resolves its remaining low-level functions from.
Exploiting Memory: Leaking Base Addresses Through Heavy Heap Spraying
In this phase, the attacker binds to the Remote Desktop Licensing RPC interface (UUID 3d267954-eeb7-11d1-b94e-00c04fa3080d) on the victim and floods it with requests to shape the service’s heap. The goal is to leak the address bases listed above:
- Heap grooming: The attacker starts by spraying the low-fragmentation heap (LFH) with 1,000 to 2,000 TLSRpcRegisterLicenseKeyPack requests (opnum 38). The LFH groups same-sized allocations into buckets, which normally improves performance but here makes the placement of the attacker’s chunks predictable.
- Creating RPC connections: Around 3,000 TLSRpcConnect requests (opnum 1) are made to create connection objects in memory. Some of these are then released with TLSRpcDisconnect requests (opnum 2), deliberately leaving holes in the heap for the overflowed chunk to land next to.
- Triggering the overflow: A TLSRpcTelephoneRegisterLKP request (opnum 49) triggers the heap buffer overflow, optionally followed by a single TLSRpcGetServerName request (opnum 4). The overflow lets the attacker overwrite the fields of an adjacent object with chosen values, turning it into a fake object.
- Memory manipulation loop: The attacker repeatedly sends TLSRpcTelephoneRegisterLKP (opnum 49) requests, each time adjusting the heap layout. Inside this loop, TLSRpcRequestTermServCert and TLSRpcRetrieveTermServCert (opnums 34 and 35) are used to store and read back certificate data, which doubles as an out-of-bounds read primitive.
- Heap leak analysis: After each iteration, the attacker inspects the certificate data returned by TLSRpcRetrieveTermServCert. If the expected marker (“n\x00c\x00a\x00c\x00n\x00”, the UTF-16LE encoding of “ncacn”) is absent, the returned buffer contains leaked heap contents instead, and the attacker uses the pointers in it to compute the base addresses needed for the next phase.
DLL Injection via Remote SMB Share: Attack Chain Execution
In the final phase, the attacker makes the service load a malicious dynamic-link library (DLL) from a remote Server Message Block (SMB) share:
- Constructing and positioning memory: The attack assembles a fake object with TLSRpcRegisterLicenseKeyPack (opnum 38), placing the now-known heap base and the DLL path where the corrupted code will read them.
- Memory spraying and handle management: Memory is sprayed with LFH chunks, and handles are created and freed to shape the layout further.
- DLL path specification: The attacker sends a TLSRpcTelephoneRegisterLKP request (opnum 49) that supplies the address of the fake object, which in turn holds the UNC path of the malicious DLL on the attacker-controlled SMB share.
- Triggering the DLL load: Repeated handle operations through TLSRpcKeyPackEnumNext requests (opnum 13) eventually redirect execution so that the service loads the DLL from that path, running attacker code inside the licensing service process.
- Verification: Finally, the attacker confirms that the DLL was loaded and executed in the target process, which completes the attack.
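The two phases above are visible on the wire as a single client binding to the licensing RPC interface and then issuing thousands of calls to a handful of opnums. The following toy detector, written for this brief as an illustration and not Cato’s IPS logic, parses DCE/RPC bind and request PDUs, maps each request back to the interface negotiated in its bind, and alerts when one source hammers the licensing interface with the spray opnums named above (38 and 49). The interface UUID is the real one; the alert threshold, the source addresses and the sample PDUs are constructed for the example.

```python
"""Toy detector for MadLicense-style spraying of the Remote Desktop Licensing
RPC interface. Added example for this brief; it is not the vendor's IPS logic.
Parses DCE/RPC connection-oriented bind and request PDUs (little-endian DREP)
and counts spray opnums per source once the source has bound to the interface.
All traffic below is constructed inline so the script runs offline."""
import struct
import uuid
from collections import defaultdict

# Real interface UUID of the Remote Desktop Licensing RPC service (v1.0).
RDL_IFACE = uuid.UUID("3d267954-eeb7-11d1-b94e-00c04fa3080d")
# Transfer syntax NDR 2.0, used when building the sample bind below.
NDR32 = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
# Opnums the exploit sprays with; the threshold is an assumption for this demo.
SPRAY_OPNUMS = {38: "TLSRpcRegisterLicenseKeyPack", 49: "TLSRpcTelephoneRegisterLKP"}
SPRAY_THRESHOLD = 500

PTYPE_REQUEST, PTYPE_BIND = 0, 11
# Common header: vers, vers_minor, ptype, pfc_flags, packed_drep, frag_len, auth_len, call_id
HDR = struct.Struct("<BBBBIHHI")


def parse_pdu(data: bytes) -> dict:
    """Parse one CO PDU: binds yield {ctx_id: abstract UUID}, requests yield ctx_id/opnum."""
    if len(data) < HDR.size:
        raise ValueError("short PDU")
    vers, _minor, ptype, _flags, _drep, frag_len, _auth, call_id = HDR.unpack_from(data)
    if vers != 5 or data[4] != 0x10 or frag_len > len(data):
        raise ValueError("not a little-endian DCE/RPC v5 PDU")
    body = data[HDR.size:frag_len]
    pdu = {"ptype": ptype, "call_id": call_id}
    if ptype == PTYPE_BIND:
        # max_xmit(2) max_recv(2) assoc_group(4) n_ctx(1) pad(3), then context elements
        n_ctx, off, ctxs = body[8], 12, {}
        for _ in range(n_ctx):
            ctx_id, n_ts = struct.unpack_from("<HB", body, off)
            # element: ctx_id(2) n_ts(1) pad(1) abstract uuid(16)+ver(4) transfer syntaxes(20 each)
            ctxs[ctx_id] = uuid.UUID(bytes_le=body[off + 4:off + 20])
            off += 4 + 20 + 20 * n_ts
        pdu["contexts"] = ctxs
    elif ptype == PTYPE_REQUEST:
        _alloc_hint, ctx_id, opnum = struct.unpack_from("<IHH", body, 0)
        pdu.update(ctx_id=ctx_id, opnum=opnum)
    return pdu


class LicensingSprayDetector:
    """Counts spray-opnum requests per source on contexts bound to RDL_IFACE."""

    def __init__(self, threshold: int = SPRAY_THRESHOLD):
        self.threshold = threshold
        self.bound = {}                 # (src, ctx_id) -> interface UUID from the bind
        self.counts = defaultdict(int)  # src -> spray requests seen on the RDL interface
        self.alerts = []

    def feed(self, src: str, data: bytes) -> None:
        pdu = parse_pdu(data)
        if pdu["ptype"] == PTYPE_BIND:
            for ctx_id, iface in pdu["contexts"].items():
                self.bound[(src, ctx_id)] = iface
        elif pdu["ptype"] == PTYPE_REQUEST:
            iface = self.bound.get((src, pdu["ctx_id"]))
            if iface == RDL_IFACE and pdu["opnum"] in SPRAY_OPNUMS:
                self.counts[src] += 1
                if self.counts[src] == self.threshold:   # alert once per source
                    self.alerts.append(f"{src}: {self.threshold} calls to RDL opnums "
                                       f"{sorted(SPRAY_OPNUMS)} (possible CVE-2024-38077 spray)")


# --- constructed sample traffic (not real captures) -------------------------
def _hdr(ptype: int, frag_len: int, call_id: int) -> bytes:
    return HDR.pack(5, 0, ptype, 0x03, 0x10, frag_len, 0, call_id)


def build_bind(iface: uuid.UUID, ctx_id: int = 0, call_id: int = 1) -> bytes:
    ctx = (struct.pack("<HBB", ctx_id, 1, 0) + iface.bytes_le + struct.pack("<HH", 1, 0)
           + NDR32.bytes_le + struct.pack("<HH", 2, 0))
    body = struct.pack("<HHIB3x", 4280, 4280, 0, 1) + ctx
    return _hdr(PTYPE_BIND, HDR.size + len(body), call_id) + body


def build_request(opnum: int, ctx_id: int = 0, call_id: int = 2, stub: bytes = b"") -> bytes:
    body = struct.pack("<IHH", len(stub), ctx_id, opnum) + stub
    return _hdr(PTYPE_REQUEST, HDR.size + len(body), call_id) + body


def simulate(threshold: int = SPRAY_THRESHOLD) -> LicensingSprayDetector:
    det = LicensingSprayDetector(threshold)
    det.feed("10.0.0.5", build_bind(RDL_IFACE))            # legitimate client, a few calls
    for i in range(5):
        det.feed("10.0.0.5", build_request(38, call_id=2 + i))
    det.feed("203.0.113.7", build_bind(RDL_IFACE))         # attacker: 1,500 x opnum 38, 500 x opnum 49
    for i in range(2000):
        det.feed("203.0.113.7", build_request(38 if i < 1500 else 49, call_id=2 + i))
    srvsvc = uuid.UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188")
    det.feed("198.51.100.9", build_bind(srvsvc))           # same opnums on another interface: ignored
    for i in range(2000):
        det.feed("198.51.100.9", build_request(49, call_id=2 + i))
    return det


if __name__ == "__main__":
    for line in simulate().alerts:
        print(line)
```

The detector keys on the interface UUID from the bind rather than on the TCP port, because the licensing service listens on a dynamic RPC port; a real sensor would add a time window, follow fragmented PDUs and bind_ack context negotiation, and treat the volume of opnum 1/2 connect and disconnect calls as a second indicator.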
Conclusion
From our data, Cato CTRL has not observed any exploitation attempts against Cato customers. Given the very broad range of affected Windows Server versions and the relative ease of turning the published PoC into a working exploit, we expect attempts to increase over time. As always, all Windows Servers should be patched with the latest security updates; Microsoft addressed CVE-2024-38077 in the July 2024 security updates. Where the Remote Desktop Licensing role is not actually needed, disabling the service removes the attack surface entirely, and the service should never be reachable from the internet.
Protections
Cato-deployed IPS signatures in the Cato SASE Cloud Platform block the attack, protecting all Cato-connected edges – sites, remote users, and cloud resources.