Timeline :

Vulnerability discovered and reported to the vendor by Gal Goldshtein and Viktor Minin of Citadel
Patched by the vendor through MS16-007 the 2016-01-12
Details of the vulnerability provided by Michael Schierl @mihi42 the 2016-01-12

PoC provided by :

Michael Schierl

Reference(s) :

CVE-2016-0019
MS16-007

Affected version(s) :

Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 version 1511 for 32-bit Systems
Windows 10 version 1511 for x64-based Systems

Tested on :

Windows 10 for x64-based Systems with Microsoft Remote Desktop for Mac version 8.0.26

Description :

A security feature bypass vulnerability exists in Windows Remote Desktop Protocol (RDP) that is caused when Windows 10 hosts running RDP services fail to prevent remote logon to accounts that have no passwords set.

Demo :

- On the target Windows 10
Create a local user without password
Grant the created user RDP
- On the client
Add "enablecredsspsupport:i:0" in the ".RDP" file
Connect to the target with the username and without password