Headline
CVE-2017-2837: TALOS-2017-0339 || Cisco Talos Intelligence Group
An exploitable denial of service vulnerability exists within the handling of security data in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.
Summary
An exploitable denial of service vulnerability exists within the handling of security data in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.
Tested Versions
FreeRDP 2.0.0-beta1+android11 - Windows, OSX, Linux
Product URLs
http://www.freerdp.com/
CVSSv3 Score
6.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CWE
CWE-190: Integer Overflow or Wraparound
Details
FreeRDP is a remote desktop protocol implementation available for all of the major operating systems. Many of the commercial remote desktop protocol applications actually use this library as their core. The vulnerability arises in the gcc_read_server_security_data function.
BOOL gcc_read_server_security_data(wStream* s, rdpMcs* mcs) {
...
Stream_Read_UINT32(s, settings->ServerRandomLength); /* serverRandomLen */
Stream_Read_UINT32(s, settings->ServerCertificateLength); /* serverCertLen */ [1]
if (Stream_GetRemainingLength(s) < settings->ServerRandomLength + settings->ServerCertificateLength) [2]
return FALSE;
if ((settings->ServerRandomLength <= 0) || (settings->ServerCertificateLength <= 0))
return FALSE;
/* serverRandom */
settings->ServerRandom = (BYTE*) malloc(settings->ServerRandomLength);
if (!settings->ServerRandom)
return FALSE;
Stream_Read(s, settings->ServerRandom, settings->ServerRandomLength); [3]
/* serverCertificate */
settings->ServerCertificate = (BYTE*) malloc(settings->ServerCertificateLength);
if (!settings->ServerCertificate)
return FALSE;
Stream_Read(s, settings->ServerCertificate, settings->ServerCertificateLength);
certificate_free(settings->RdpServerCertificate);
The read_server_security_data function reads in two length values from the packet, [1]. It then does an obscure check to ensure that it is not going over the value of the remaining length. With both of these values being taken from the packet it is simple to overflow this check and continue on with a larger length than what is available. When the overly large length data is attempted to be read from the buffer an out-of-bounds read occurs and an exploitable denail of service condition arises.
Crash Information
Crashed thread log =
: Dispatch queue: com.apple.main-thread
0 libsystem_kernel.dylib 0x00007fff955c6f72 mach_msg_trap + 10
1 libsystem_kernel.dylib 0x00007fff955c63b3 mach_msg + 55
2 com.apple.CoreFoundation 0x00007fff88e001c4 __CFRunLoopServiceMachPort + 212
3 com.apple.CoreFoundation 0x00007fff88dff68c __CFRunLoopRun + 1356
4 com.apple.CoreFoundation 0x00007fff88dfeed8 CFRunLoopRunSpecific + 296
5 com.apple.HIToolbox 0x00007fff8f2b7935 RunCurrentEventLoopInMode + 235
6 com.apple.HIToolbox 0x00007fff8f2b776f ReceiveNextEventCommon + 432
7 com.apple.HIToolbox 0x00007fff8f2b75af _BlockUntilNextEventMatchingListInModeWithFilter + 71
8 com.apple.AppKit 0x00007fff8fe9adf6 _DPSNextEvent + 1067
9 com.apple.AppKit 0x00007fff8fe9a226 -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] +
454
10 com.apple.AppKit 0x00007fff8fe8ed80 -[NSApplication run] + 682
11 com.apple.AppKit 0x00007fff8fe58368 NSApplicationMain + 1176
12 libdyld.dylib 0x00007fff86cf45ad start + 1
log name is: ./crashlogs/1.crashlog.txt
---
exception=EXC_CRASH:signal=11:is_exploitable=
no:instruction_disassembly=ret:instruction_address=0x00007fff955c6f72:access_type=:access_address=0x0000000000000000
Exploit Proof-of-Concept
Run included Python server and connect FreeRDP Client to it.
Timeline
2017-05-24 - Vendor Disclosure
2017-07-24 - Public Release
Discovered by Tyler Bohan of Cisco Talos.