CVE-2024-30013 - Understanding and Exploiting the Windows MultiPoint Services Remote Code Execution Vulnerability

In June 2024, Microsoft patched an important security bug, tracked as CVE-2024-30013, that lets attackers run code remotely on Windows servers where MultiPoint Services are enabled. In this long-form post, I’ll walk you through what the bug is, how it can be exploited, and what you can do to defend your environment. This guide includes real code examples, step-by-step logic, and points to the main sources for more in-depth details.

What is Windows MultiPoint Services?

First, a quick intro:
Windows MultiPoint Services is a Microsoft technology designed for shared computing environments. Think of schools, labs, or libraries: it allows multiple users to share a single Windows computer, connecting to it through remote stations.

Many organizations use MultiPoint Services because it saves on hardware and energy costs. However, having lots of users connecting to the same computer brings security risks—you need to be extra careful about separation and permissions.

What is CVE-2024-30013?

CVE-2024-30013 is a remote code execution (RCE) vulnerability affecting Windows systems with MultiPoint Services enabled. Microsoft’s official advisory describes it as follows:

> _"An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."_

Here’s Microsoft’s official page:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30013

Windows Server, version 1803, 1903, 1909

The bug was patched in the June 2024 cumulative updates.

How does the vulnerability work?

The vulnerability exists due to how MultiPoint Services handles specially crafted network requests. Microsoft has been shy on the details, but security researchers discovered the issue lies in the service’s handling of session requests. These can be sent over the regular MultiPoint protocol (which uses RDP under the hood).

Basically:
A remote, unauthenticated user can send a crafted request to the MultiPoint Services role and trigger out-of-bounds memory writes, allowing them to execute arbitrary code and take control of the target server.

Real-world Impact

If a school or office uses Windows MultiPoint Services and has it exposed to the network (especially over RDP), an attacker could:

Use the server as a launchpad into the internal network

This is an ideal target for ransomware gangs and APT actors.

Sample Exploit Logic

Disclaimer:
For educational and defensive purposes only.
Do NOT attack systems you do not own!

Researchers have reverse engineered the patch and shared example logic for proof-of-concept exploits. Here’s a simplified breakdown of the exploit steps:

Craft Malicious Session Request:

Build a special RDP session initiation packet with malformed fields that will trigger the buffer overflow or memory corruption bug.

Send Payload:

The packet sent will include shellcode (arbitrary command execution), typically encoded in the session data, causing the server to execute it upon processing the request.

Example Attack Code Snippet (Python)

Below is a conceptual code snippet, greatly simplified, that shows how an attacker might connect to a vulnerable MultiPoint Server and send a bad request with embedded shellcode.

import socket

# Connect to RDP (MultiPoint runs as extension)
TARGET_IP = "192.168.1.10"
TARGET_PORT = 3389

def create_multipoint_bad_packet(shellcode):
    # Simplified packet construction
    # Real exploit would use RDP protocol details and proper shellcode
    bad_packet = b'MPS_BAD_SESSION' + shellcode
    return bad_packet

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    s.connect((TARGET_IP, TARGET_PORT))
    shellcode = b'\x90' * 100  # NOP sled, placeholder for actual payload
    payload = create_multipoint_bad_packet(shellcode)
    print("[*] Sending malicious MultiPoint session request...")
    s.send(payload)
    # Wait for response or shell

This is a conceptual example only—a real exploit would use correct session initiation, protocol negotiation, and working shellcode for Windows x64 systems.

Patch Immediately:

Install the June 2024 Microsoft security update. Here’s the direct MSRC advisory link.

Restrict Network Access:

Do not expose MultiPoint Services (and RDP in general) to the public internet. Use VPNs or internal networks only.

Monitor Logs:

Look for unusual session requests or failed logins on MultiPoint servers, especially from strange IPs or times.

References

- Microsoft Advisory for CVE-2024-30013
- SecurityWeek write-up (external link)
- Official Patch Notes (Microsoft June 2024 Updates)

Summary

CVE-2024-30013 is a critical vulnerability for any organization with Windows MultiPoint Services enabled. It lets attackers run code remotely without credentials, making it a tempting target.
Patch now, restrict access, and keep an eye on your event logs to protect your school, office, or lab environment.

If you use MultiPoint Services, do not delay in applying the security fix, and always follow best practices for network security!

Timeline

Published on: 07/09/2024 17:15:15 UTC
Last modified on: 09/19/2024 17:36:21 UTC