CVE-2023-39352: Invalid offset validation leading to Out Of Bound Write

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an invalid offset validation leading to an out-of-bounds write. It is triggered when rect->left and rect->top are exactly equal to surface->width and surface->height, i.e. rect->left == surface->width && rect->top == surface->height: both values pass the bounds check although the last addressable column is surface->width - 1 and the last addressable row is surface->height - 1. In practice this should cause a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability.


Affected versions

<= 2.10.0, <= 3.0.0-beta2

Patched versions

2.11.0, 3.0.0-beta3

Summary

Invalid offset validation leading to Out Of Bound Write

Affected

FreeRDP-based clients only. The FreeRDP proxy is not affected, as image decoding is not done by the proxy (data passthrough).

Details

    static BOOL intersect_rect(const RECTANGLE_16* rect, const gdiGfxSurface* surface,
                               RECTANGLE_16* prect)
    {
        WINPR_ASSERT(rect);
        WINPR_ASSERT(surface);
        WINPR_ASSERT(prect);

        if (rect->left > rect->right)
            return FALSE;
        if (rect->left > surface->width) /* off by one: left == width is accepted */
            return FALSE;
        if (rect->top > rect->bottom)
            return FALSE;
        if (rect->top > surface->height) /* off by one: top == height is accepted */
            return FALSE;

        prect->left = rect->left;
        prect->top = rect->top;
        prect->right = MIN(rect->right, surface->width);
        prect->bottom = MIN(rect->bottom, surface->height);
        return TRUE;
    }

PoC

  1. Set rect->left == surface->width
  2. Set rect->top == surface->height

Both values pass the > comparisons above, yet valid pixel columns are 0..surface->width - 1 and valid rows 0..surface->height - 1, so the accepted origin already lies outside the surface buffer. The ASan trace below shows the rectangle reaching this check from an RDPGFX SolidFill PDU (rdpgfx_recv_solid_fill_pdu -> gdi_SolidFill -> freerdp_image_fill).

Patch suggestion

    static BOOL intersect_rect(const RECTANGLE_16* rect, const gdiGfxSurface* surface,
                               RECTANGLE_16* prect)
    {
        WINPR_ASSERT(rect);
        WINPR_ASSERT(surface);
        WINPR_ASSERT(prect);

        if (rect->left > rect->right)
            return FALSE;
        if (rect->left >= surface->width) /* fixed: valid columns are 0..width-1 */
            return FALSE;
        if (rect->top > rect->bottom)
            return FALSE;
        if (rect->top >= surface->height) /* fixed: valid rows are 0..height-1 */
            return FALSE;

        prect->left = rect->left;
        prect->top = rect->top;
        prect->right = MIN(rect->right, surface->width);
        prect->bottom = MIN(rect->bottom, surface->height);
        return TRUE;
    }
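As an added illustration (not code from the advisory or from FreeRDP), the C harness below puts the quoted check and the suggested fix side by side on a stand-in surface and computes the byte offset a fill starting at the accepted origin would address. The struct layouts, helper names, the 32bpp pixel format and the 64x32 surface are assumptions made for this example. It goes one step beyond the PoC: either coordinate alone sitting exactly at the surface dimension already places the origin at or past the end of the buffer, and only the >= form rejects all of those rectangles.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the FreeRDP types used by intersect_rect. The field sets are
   assumed for this example; only what the check and the offset arithmetic need. */
typedef struct
{
    uint16_t left, top, right, bottom; /* right/bottom treated as exclusive edges */
} RECTANGLE_16;

typedef struct
{
    uint32_t width;    /* surface size in pixels */
    uint32_t height;
    uint32_t scanline; /* bytes per pixel row */
    size_t data_len;   /* size of the pixel buffer: scanline * height */
} gdiGfxSurface;

#define MIN(a, b) (((a) < (b)) ? (a) : (b))

typedef bool (*intersect_fn)(const RECTANGLE_16*, const gdiGfxSurface*, RECTANGLE_16*);

/* Tail shared by both variants: keep the origin, clamp the far edges to the surface. */
static void clamp_to_surface(const RECTANGLE_16* rect, const gdiGfxSurface* surface,
                             RECTANGLE_16* prect)
{
    prect->left = rect->left;
    prect->top = rect->top;
    prect->right = MIN(rect->right, surface->width);
    prect->bottom = MIN(rect->bottom, surface->height);
}

/* Vulnerable validation as quoted in the advisory: valid columns are 0..width-1
   and valid rows 0..height-1, but '>' still accepts an origin of (width, height). */
static bool intersect_rect_vuln(const RECTANGLE_16* rect, const gdiGfxSurface* surface,
                                RECTANGLE_16* prect)
{
    if (rect->left > rect->right) return false;
    if (rect->left > surface->width) return false;
    if (rect->top > rect->bottom) return false;
    if (rect->top > surface->height) return false;
    clamp_to_surface(rect, surface, prect);
    return true;
}

/* Validation with the advisory's patch suggestion applied: '>=' on both origin checks. */
static bool intersect_rect_fixed(const RECTANGLE_16* rect, const gdiGfxSurface* surface,
                                 RECTANGLE_16* prect)
{
    if (rect->left > rect->right) return false;
    if (rect->left >= surface->width) return false;
    if (rect->top > rect->bottom) return false;
    if (rect->top >= surface->height) return false;
    clamp_to_surface(rect, surface, prect);
    return true;
}

/* Byte offset of the fill origin inside the pixel buffer, the way a fill routine
   addresses it: top * scanline + left * bytes_per_pixel. */
static size_t origin_offset(const RECTANGLE_16* prect, const gdiGfxSurface* surface,
                            uint32_t bpp)
{
    return (size_t)prect->top * surface->scanline + (size_t)prect->left * bpp;
}

/* True when `check` accepts `rect` although the clamped rectangle's origin lies at
   or beyond the end of the buffer, i.e. the first pixel written would already be
   out of bounds. The write is only modelled as an offset comparison, never performed. */
static bool accepts_oob_origin(intersect_fn check, const RECTANGLE_16* rect,
                               const gdiGfxSurface* surface, uint32_t bpp)
{
    RECTANGLE_16 prect = { 0, 0, 0, 0 };
    if (!check(rect, surface, &prect))
        return false;
    return origin_offset(&prect, surface, bpp) >= surface->data_len;
}

int main(void)
{
    const uint32_t bpp = 4; /* 32 bits per pixel, assumed */
    const gdiGfxSurface surface = { 64, 32, 64 * bpp, (size_t)64 * bpp * 32 };

    /* Constructed inputs: the advisory's trigger, a single-axis variant and the
       last valid pixel of the surface. */
    const RECTANGLE_16 poc = { 64, 32, 80, 40 };        /* left == width, top == height */
    const RECTANGLE_16 below = { 0, 32, 16, 40 };       /* only top == height */
    const RECTANGLE_16 last_pixel = { 63, 31, 64, 32 }; /* in bounds */

    const RECTANGLE_16* cases[] = { &poc, &below, &last_pixel };
    const char* names[] = { "poc", "below", "last_pixel" };
    for (size_t i = 0; i < 3; i++)
        printf("%-10s vulnerable accepts OOB origin: %d   fixed accepts OOB origin: %d\n",
               names[i], accepts_oob_origin(intersect_rect_vuln, cases[i], &surface, bpp),
               accepts_oob_origin(intersect_rect_fixed, cases[i], &surface, bpp));
    return 0;
}
```

Compile with cc -std=c99 and run; because the overflow is modelled as an offset comparison rather than performed, the program runs cleanly without ASan while still showing which rectangles the vulnerable check lets through.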

Impact

Out-of-bounds write (a heap buffer overflow, as the ASan report below shows).

Asan

==19680==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6270000f8528 at pc 0x000101e38800 bp 0x00016f6f9970 sp 0x00016f6f9968
WRITE of size 1 at 0x6270000f8528 thread T4
#0 0x101e387fc in FreeRDPWriteColor+0x8c (libfreerdp3.3.0.0.dylib:arm64+0x3047fc) (BuildId: 69fb33da243f3596b8f0e51599a0a7e932000000200000000100000000000d00)
#1 0x101e3db0c in freerdp_image_fill+0xdc (libfreerdp3.3.0.0.dylib:arm64+0x309b0c) (BuildId: 69fb33da243f3596b8f0e51599a0a7e932000000200000000100000000000d00)
#2 0x101be11b4 in gdi_SolidFill+0x69c (libfreerdp3.3.0.0.dylib:arm64+0xad1b4) (BuildId: 69fb33da243f3596b8f0e51599a0a7e932000000200000000100000000000d00)
#3 0x100ebca58 in rdpgfx_recv_solid_fill_pdu+0x9c0 (libfreerdp-client3.3.0.0.dylib:arm64+0xd8a58) (BuildId: dc95e060ce3930f1a79bf054acee77f932000000200000000100000000000d00)
#4 0x100eb7fb8 in rdpgfx_recv_pdu+0x528 (libfreerdp-client3.3.0.0.dylib:arm64+0xd3fb8) (BuildId: dc95e060ce3930f1a79bf054acee77f932000000200000000100000000000d00)
#5 0x100eb70f4 in rdpgfx_on_data_received+0x1b8 (libfreerdp-client3.3.0.0.dylib:arm64+0xd30f4) (BuildId: dc95e060ce3930f1a79bf054acee77f932000000200000000100000000000d00)
#6 0x100e3a96c in dvcman_call_on_receive+0x164 (libfreerdp-client3.3.0.0.dylib:arm64+0x5696c) (BuildId: dc95e060ce3930f1a79bf054acee77f932000000200000000100000000000d00)
#7 0x100e3a7d8 in dvcman_receive_channel_data+0x440 (libfreerdp-client3.3.0.0.dylib:arm64+0x567d8) (BuildId: dc95e060ce3930f1a79bf054acee77f932000000200000000100000000000d00)
#8 0x100e371c0 in drdynvc_process_data+0x2c8 (libfreerdp-client3.3.0.0.dylib:arm64+0x531c0) (BuildId: dc95e060ce3930f1a79bf054acee77f932000000200000000100000000000d00)
#9 0x100e35434 in drdynvc_order_recv+0x334 (libfreerdp-client3.3.0.0.dylib:arm64+0x51434) (BuildId: dc95e060ce3930f1a79bf054acee77f932000000200000000100000000000d00)
#10 0x100e34e78 in drdynvc_virtual_channel_event_data_received+0x498 (libfreerdp-client3.3.0.0.dylib:arm64+0x50e78) (BuildId: dc95e060ce3930f1a79bf054acee77f932000000200000000100000000000d00)
#11 0x100e33b60 in drdynvc_virtual_channel_open_event_ex+0x1ac (libfreerdp-client3.3.0.0.dylib:arm64+0x4fb60) (BuildId: dc95e060ce3930f1a79bf054acee77f932000000200000000100000000000d00)
#12 0x101cdeaa8 in freerdp_channels_data+0x5cc (libfreerdp3.3.0.0.dylib:arm64+0x1aaaa8) (BuildId: 69fb33da243f3596b8f0e51599a0a7e932000000200000000100000000000d00)
#13 0x101d90034 in freerdp_channel_process+0x6e0 (libfreerdp3.3.0.0.dylib:arm64+0x25c034) (BuildId: 69fb33da243f3596b8f0e51599a0a7e932000000200000000100000000000d00)
#14 0x101d40408 in rdp_recv_tpkt_pdu+0x11e8 (libfreerdp3.3.0.0.dylib:arm64+0x20c408) (BuildId: 69fb33da243f3596b8f0e51599a0a7e932000000200000000100000000000d00)
#15 0x101d3f1c8 in rdp_recv_pdu+0x34 (libfreerdp3.3.0.0.dylib:arm64+0x20b1c8) (BuildId: 69fb33da243f3596b8f0e51599a0a7e932000000200000000100000000000d00)
#16 0x101d3aa84 in rdp_recv_callback_int+0x1408 (libfreerdp3.3.0.0.dylib:arm64+0x206a84) (BuildId: 69fb33da243f3596b8f0e51599a0a7e932000000200000000100000000000d00)
#17 0x101d395ac in rdp_recv_callback+0x1d8 (libfreerdp3.3.0.0.dylib:arm64+0x2055ac) (BuildId: 69fb33da243f3596b8f0e51599a0a7e932000000200000000100000000000d00)
#18 0x101d5fd0c in transport_check_fds+0x51c (libfreerdp3.3.0.0.dylib:arm64+0x22bd0c) (BuildId: 69fb33da243f3596b8f0e51599a0a7e932000000200000000100000000000d00)
#19 0x101d3b38c in rdp_check_fds+0x170 (libfreerdp3.3.0.0.dylib:arm64+0x20738c) (BuildId: 69fb33da243f3596b8f0e51599a0a7e932000000200000000100000000000d00)
#20 0x101cd6264 in freerdp_check_fds+0x1ac (libfreerdp3.3.0.0.dylib:arm64+0x1a2264) (BuildId: 69fb33da243f3596b8f0e51599a0a7e932000000200000000100000000000d00)
#21 0x101cd6934 in freerdp_check_event_handles+0x70 (libfreerdp3.3.0.0.dylib:arm64+0x1a2934) (BuildId: 69fb33da243f3596b8f0e51599a0a7e932000000200000000100000000000d00)
#22 0x100a07d94 in mac_client_thread+0x5a4 (MacFreeRDP:arm64+0x13d94) (BuildId: 997a329d148832eb996db8b11452606f32000000200000000100000000000d00)
#23 0x102685630 in thread_launcher thread.c:520
#24 0x1825a7fa4 in _pthread_start+0x90 (libsystem_pthread.dylib:arm64+0x6fa4) (BuildId: 46d35233a0513f4fbba4ba56dddc4d1a32000000200000000100000000040d00)
#25 0x36200001825a2d9c  (<unknown module>)

Related news

Gentoo Linux Security Advisory 202401-16

Gentoo Linux Security Advisory 202401-16 - Multiple vulnerabilities have been discovered in FreeRDP, the worst of which could result in code execution. Versions greater than or equal to 2.11.0 are affected.

Ubuntu Security Notice USN-6522-2

Ubuntu Security Notice 6522-2 - USN-6522-1 fixed several vulnerabilities in FreeRDP. This update provides the corresponding update for Ubuntu 18.04 LTS. It was discovered that FreeRDP incorrectly handled drive redirection. If a user were tricked into connecting to a malicious server, a remote attacker could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly obtain sensitive information. It was discovered that FreeRDP incorrectly handled certain surface updates. A remote attacker could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code.

Ubuntu Security Notice USN-6522-1

Ubuntu Security Notice 6522-1 - It was discovered that FreeRDP incorrectly handled drive redirection. If a user were tricked into connecting to a malicious server, a remote attacker could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly obtain sensitive information. It was discovered that FreeRDP incorrectly handled certain surface updates. A remote attacker could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code.
