Headline
CVE-2023-40181: Integer-Underflow leading to Out-Of-Bound Read in zgfx_decompress_segment
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an Integer-Underflow leading to Out-Of-Bound Read in the zgfx_decompress_segment function. In the context of CopyMemory, it’s possible to read data beyond the transmitted packet range and likely cause a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this issue.
Affected versions
<= 2.10.0, <= 3.0.0-beta2
Patched versions
2.11.0, 3.0.0-beta3
Summary
Integer-Underflow leading to Out-Of-Bound Read in zgfx_decompress_segment
Affected
FreeRDP-based clients only. The FreeRDP proxy is not affected, because image decoding is not done by the proxy (data passthrough).
Details
[1]
```c
zgfx->pbInputCurrent = pbSegment;
zgfx->pbInputEnd = &pbSegment[cbSegment - 1];
/* NumberOfBitsToDecode = ((NumberOfBytesToDecode - 1) * 8) - ValueOfLastByte */
zgfx->cBitsRemaining = 8 * (cbSegment - 1) - *zgfx->pbInputEnd;
zgfx->cBitsCurrent = 0;
zgfx->BitsCurrent = 0;
```
An integer underflow can occur in cBitsRemaining.
[2]
```c
else
{
    /* Unencoded */
    zgfx_GetBits(zgfx, 15);
    count = zgfx->bits;
    zgfx->cBitsRemaining -= zgfx->cBitsCurrent;
    zgfx->cBitsCurrent = 0;
    zgfx->BitsCurrent = 0;
    if (count > sizeof(zgfx->OutputBuffer) - zgfx->OutputCount)
        return FALSE;
    if (count > zgfx->cBitsRemaining / 8)
        return FALSE;
    CopyMemory(&(zgfx->OutputBuffer[zgfx->OutputCount]), zgfx->pbInputCurrent,
               count);
    zgfx_history_buffer_ring_write(zgfx, zgfx->pbInputCurrent, count);
    zgfx->pbInputCurrent += count;
    zgfx->cBitsRemaining -= (8 * count);
    zgfx->OutputCount += count;
}
```
In the context of CopyMemory, it’s possible to read data beyond the transmitted packet range.
PoC
- Initiate a gfx packet transmission with compression (flags == 0x24).
- Transmit the following body data: 0b10001000 0b00111111 0b11111111.
- During the execution of zgfx->cBitsRemaining = 8 * (cbSegment - 1) - *zgfx->pbInputEnd;, the calculation 8 * (1 - 1) - 0xFF results in an integer underflow.
- Token Type is 0b10001 and the distance is 0b00000. The value of count is 0x7e00, leading to an out-of-bounds read.
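As an added illustration (not FreeRDP code, and not the upstream patch), the cBitsRemaining arithmetic from snippet [1] and the length test guarding CopyMemory in snippet [2] as stand-alone C functions, beside one guarded variant of the computation. The function names and the one-byte sample segment are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Snippet [1] arithmetic with FreeRDP's unsigned types. For cbSegment == 1 and a
 * last byte of 0xFF this is 0 - 0xFF, which wraps to 0xFFFFFF01 instead of failing. */
static uint32_t bits_remaining_unchecked(const uint8_t* pbSegment, uint32_t cbSegment)
{
    const uint8_t* pbInputEnd = &pbSegment[cbSegment - 1];
    return 8 * (cbSegment - 1) - *pbInputEnd;
}

/* Guarded variant (illustration only, not the upstream fix): the last byte counts
 * padding bits, so it may not exceed the bits held by the preceding bytes. Returns
 * false when the segment must be rejected before any bit is decoded. */
static bool bits_remaining_checked(const uint8_t* pbSegment, uint32_t cbSegment,
                                   uint32_t* cBitsRemaining)
{
    if (cbSegment < 1)
        return false;
    uint64_t avail = 8ULL * (cbSegment - 1);
    uint32_t pad = pbSegment[cbSegment - 1];
    if (pad > avail)
        return false;
    *cBitsRemaining = (uint32_t)(avail - pad);
    return true;
}

/* The length test in front of CopyMemory in snippet [2]: true means the copy runs.
 * With a wrapped cBitsRemaining the division yields a huge bound and nothing is caught. */
static bool unencoded_count_accepted(uint32_t count, uint32_t cBitsRemaining)
{
    return count <= cBitsRemaining / 8;
}

/* Constructed one-byte segment whose only byte is 0xFF, matching the PoC's arithmetic. */
static const uint8_t demo_segment[] = { 0xFF };

/* Value snippet [1] produces for the constructed segment (wraps to 0xFFFFFF01). */
uint32_t demo_wrapped_value(void)
{
    return bits_remaining_unchecked(demo_segment, sizeof demo_segment);
}

/* True when the guarded variant refuses the constructed segment. */
bool demo_guard_rejects(void)
{
    uint32_t bits = 0;
    return !bits_remaining_checked(demo_segment, sizeof demo_segment, &bits);
}
```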
Impact
Out-Of-Bound Read
Related news
Gentoo Linux Security Advisory 202401-16 - Multiple vulnerabilities have been discovered in FreeRDP, the worst of which could result in code execution. Versions greater than or equal to 2.11.0 are affected.
Ubuntu Security Notice 6401-1 - It was discovered that FreeRDP did not properly manage certain inputs. A malicious server could use this issue to cause FreeRDP clients to crash, resulting in a denial of service, or possibly obtain sensitive information. It was discovered that FreeRDP did not properly manage certain inputs. A malicious server could use this issue to cause FreeRDP clients to crash, resulting in a denial of service, or possibly execute arbitrary code.