CVE-2023-39351: Null Pointer Dereference leading to DoS in RemoteFX

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions of FreeRDP are subject to a null pointer dereference leading to a crash in the RemoteFX (rfx) handling. Inside the rfx_process_message_tileset function, the program allocates tiles using rfx_allocate_tiles for the number of tiles given by numTiles. If the initialization of the tiles is not completed, for whatever reason, the entries of tiles that were never filled remain NULL pointers; these may be accessed in further processing and cause the program to crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected versions

<= 2.10.0 , <= 3.0.0-beta2

Patched versions

2.11.0, 3.0.0-beta3

Summary

Null pointer dereference leading to DoS in RemoteFX

Affected

FreeRDP-based clients only. The FreeRDP proxy is not affected, as the proxy does not decode images (data passthrough).

Details

Inside rfx_process_message_tileset the tile array is allocated with rfx_allocate_tiles for the number of tiles announced in numTiles:

    if (!rfx_allocate_tiles(message, numTiles, FALSE))
        return FALSE;

The message being filled is not a local variable; it is the per-context structure that survives from one call to the next:

    RFX_MESSAGE* message = &context->currentMessage;

If the initialization of the tiles is not completed for whatever reason (the function returns early after the array has been allocated), numTiles has already been set, but the entries of tiles that were never filled remain NULL pointers. Later, in rfx_process_message, those entries are used:

    if (ok)
    {
        UINT32 nbUpdateRects = 0;
        REGION16 clippingRects = { 0 };
        const RECTANGLE_16* updateRects = NULL;
        const DWORD formatSize = FreeRDPGetBytesPerPixel(context->pixel_format);
        const UINT32 dstWidth = dstStride / FreeRDPGetBytesPerPixel(dstFormat);
        region16_init(&clippingRects);

        WINPR_ASSERT(dstWidth <= UINT16_MAX);
        WINPR_ASSERT(dstHeight <= UINT16_MAX);

        for (UINT32 i = 0; i < message->numRects; i++)
        {
            RECTANGLE_16 clippingRect = { 0 };
            const RFX_RECT* rect = &(message->rects[i]);

            WINPR_ASSERT(left + rect->x <= UINT16_MAX);
            WINPR_ASSERT(top + rect->y <= UINT16_MAX);
            WINPR_ASSERT(clippingRect.left + rect->width <= UINT16_MAX);
            WINPR_ASSERT(clippingRect.top + rect->height <= UINT16_MAX);

            clippingRect.left = (UINT16)MIN(left + rect->x, dstWidth);
            clippingRect.top = (UINT16)MIN(top + rect->y, dstHeight);
            clippingRect.right = (UINT16)MIN(clippingRect.left + rect->width, dstWidth);
            clippingRect.bottom = (UINT16)MIN(clippingRect.top + rect->height, dstHeight);
            region16_union_rect(&clippingRects, &clippingRects, &clippingRect);
        }

        for (UINT32 i = 0; i < message->numTiles; i++)
        {
            RECTANGLE_16 updateRect = { 0 };
            const RFX_TILE* tile = rfx_message_get_tile(message, i);   /* NULL for a tile that was never initialized */

            WINPR_ASSERT(left + tile->x <= UINT16_MAX);   /* first dereference of tile */
            WINPR_ASSERT(top + tile->y <= UINT16_MAX);

The message whose tileset failed to parse leaves ok FALSE, so this block is skipped for that message. context->currentMessage is not reset, however: when the next regular message is processed, ok becomes TRUE, the loop runs over the stale numTiles, and the NULL tile is dereferenced at line 1265.

PoC

  1. A malicious server sends a WBT_EXTENSION (tileset) message with invalid tile data, so tile initialization fails partway.
  2. The server then sends any other valid message; the client crashes.
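As an added illustration of the stale-state pattern from the Details section and of the two-step PoC above, the following C model is not FreeRDP's code: it keeps a persistent per-context message, commits numTiles before the tile slots are filled, and then walks the tiles as the next message would. All names (Tile, Message, Context, process_tileset, walk_tiles, feed_then_walk, replay_poc, valid_case) and the byte format of the constructed tileset are this example's own assumptions. The hardened flag shows the two complementary fixes: reset the half-built state on failure, and have the consumer loop refuse a NULL tile.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical model of the stale-state bug described above; not FreeRDP code.
 * Tile, Message, Context and every function here are this example's own names. */
typedef struct { uint16_t x, y; } Tile;
/* numTiles pointer slots, each NULL until a tile is stored */
typedef struct { Tile **tiles; size_t numTiles; } Message;
/* persists across calls, like context->currentMessage in the advisory */
typedef struct { Message currentMessage; } Context;

static void message_reset(Message *m)
{
    for (size_t i = 0; i < m->numTiles; i++)
        free(m->tiles[i]);    /* free(NULL) is a no-op, so half-built arrays are fine */
    free(m->tiles);
    m->tiles = NULL;
    m->numTiles = 0;
}

/* numTiles is committed before any slot is filled: an early return in the caller
 * leaves a count that promises tiles which were never created. */
static bool allocate_tiles(Message *m, size_t n)
{
    message_reset(m);
    m->tiles = calloc(n ? n : 1, sizeof *m->tiles);
    if (!m->tiles)
        return false;
    m->numTiles = n;
    return true;
}

/* Constructed wire format: [numTiles] then [x y] per tile; x == 0xFF stands in for
 * invalid tile data that makes decoding fail. hardened == false reproduces the
 * vulnerable behaviour: bail out and keep the partially filled array. */
static bool process_tileset(Context *ctx, const uint8_t *buf, size_t len, bool hardened)
{
    Message *m = &ctx->currentMessage;
    if (len < 1 || len < 1 + 2 * (size_t)buf[0] || !allocate_tiles(m, buf[0]))
        return false;
    for (size_t i = 0; i < m->numTiles; i++) {
        uint8_t x = buf[1 + 2 * i], y = buf[2 + 2 * i];
        Tile *t = (x == 0xFF) ? NULL : malloc(sizeof(Tile));
        if (!t) {
            if (hardened)
                message_reset(m);   /* fix: never leave numTiles > 0 with NULL slots */
            return false;
        }
        t->x = x;
        t->y = y;
        m->tiles[i] = t;
    }
    return true;
}

/* The consumer loop, i.e. the `for (i < message->numTiles)` under `if (ok)`. The
 * NULL check is the defence-in-depth half of a fix; the vulnerable loop reads
 * tile->x unconditionally. Returns tiles visited, or -1 on a NULL slot. */
static int walk_tiles(const Context *ctx, uint32_t *sum)
{
    const Message *m = &ctx->currentMessage;
    for (size_t i = 0; i < m->numTiles; i++) {
        const Tile *t = m->tiles[i];
        if (!t)
            return -1;
        *sum += (uint32_t)t->x + t->y;
    }
    return (int)m->numTiles;
}

/* Feed one tileset into a fresh context, then run the consumer loop as the next
 * message would (a regular message leaves currentMessage untouched, so the client
 * reaches the tile loop with ok == TRUE). Returns -1 if the loop met a NULL tile,
 * otherwise the sum of all tile coordinates. */
static int feed_then_walk(const uint8_t *buf, size_t len, bool hardened)
{
    Context ctx = { { NULL, 0 } };
    uint32_t sum = 0;
    (void)process_tileset(&ctx, buf, len, hardened);
    int r = walk_tiles(&ctx, &sum);
    message_reset(&ctx.currentMessage);
    return r < 0 ? -1 : (int)sum;
}

/* PoC step 1: three tiles, the second one invalid (constructed input). */
static int replay_poc(bool hardened)
{
    const uint8_t bad[] = { 3, 0x10, 0x20, 0xFF, 0x00, 0x30, 0x40 };
    return feed_then_walk(bad, sizeof bad, hardened);
}

/* Control case: a well-formed tileset (constructed input); expect 1+2+3+4 = 10. */
static int valid_case(void)
{
    const uint8_t good[] = { 2, 0x01, 0x02, 0x03, 0x04 };
    return feed_then_walk(good, sizeof good, true);
}
```

replay_poc(false) returns -1 because the loop meets the NULL slot left behind by the failed parse; replay_poc(true) returns 0 because the reset on failure leaves numTiles at zero. Deleting the `if (!t)` check in walk_tiles turns replay_poc(false) into the real crash, which is a quick way to watch the bug under a sanitizer.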

Impact

Null pointer dereference leading to denial of service: a malicious server can crash any FreeRDP-based client that connects to it.

Log

[19:57:20:97] [29753:6b933000] [ERROR][com.freerdp.utils.signal] - [fatal_handler]: Caught signal 'Segmentation fault: 11' [11]
[19:57:20:98] [29753:6b933000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 0: 0   libwinpr3.3.0.0.dylib               0x000000010646f6e4 winpr_execinfo_backtrace + 336
[19:57:20:98] [29753:6b933000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 1: 1   libwinpr3.3.0.0.dylib               0x000000010646921c winpr_backtrace + 24
[19:57:20:98] [29753:6b933000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 2: 2   libwinpr3.3.0.0.dylib               0x0000000106469578 winpr_log_backtrace_ex + 304
[19:57:20:98] [29753:6b933000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 3: 3   libwinpr3.3.0.0.dylib               0x000000010646943c winpr_log_backtrace + 44
[19:57:20:98] [29753:6b933000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 4: 4   libfreerdp3.3.0.0.dylib             0x0000000105a6c0c8 fatal_handler + 460
[19:57:20:98] [29753:6b933000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 5: 5   libsystem_platform.dylib            0x0000000192442a24 _sigtramp + 56
[19:57:20:98] [29753:6b933000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 6: 6   libfreerdp3.3.0.0.dylib             0x00000001059b7f6c rfx_process_message + 8612
[19:57:20:98] [29753:6b933000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 7: 7   libfreerdp3.3.0.0.dylib             0x0000000105b0bf0c gdi_SurfaceCommand_RemoteFX + 1756
[19:57:20:98] [29753:6b933000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 8: 8   libfreerdp3.3.0.0.dylib             0x0000000105b03d0c gdi_SurfaceCommand + 1360
[19:57:20:98] [29753:6b933000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 9: 9   libfreerdp-client3.3.0.0.dylib      0x0000000104cea11c rdpgfx_decode + 652
[19:57:20:98] [29753:6b933000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 10: 10  libfreerdp-client3.3.0.0.dylib      0x0000000104cd3b00 rdpgfx_recv_wire_to_surface_1_pdu + 5988
[19:57:20:98] [29753:6b933000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 11: 11  libfreerdp-client3.3.0.0.dylib      0x0000000104cd10e8 rdpgfx_recv_pdu + 1496
[19:57:20:98] [29753:6b933000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 12: 12  libfreerdp-client3.3.0.0.dylib      0x0000000104ccffd8 rdpgfx_on_data_received + 1100
[19:57:20:98] [29753:6b933000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 13: 13  libfreerdp-client3.3.0.0.dylib      0x0000000104c5342c dvcman_call_on_receive + 360
[19:57:20:98] [29753:6b933000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 14: 14  libfreerdp-client3.3.0.0.dylib      0x0000000104c53298 dvcman_receive_channel_data + 1092
[19:57:20:98] [29753:6b933000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 15: 15  libfreerdp-client3.3.0.0.dylib      0x0000000104c4fc80 drdynvc_process_data + 716
[19:57:20:98] [29753:6b933000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 16: 16  libfreerdp-client3.3.0.0.dylib      0x0000000104c4def4 drdynvc_order_recv + 824
[19:57:20:98] [29753:6b933000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 17: 17  libfreerdp-client3.3.0.0.dylib      0x0000000104c4d938 drdynvc_virtual_channel_event_data_received + 1180
[19:57:20:98] [29753:6b933000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 18: 18  libfreerdp-client3.3.0.0.dylib      0x0000000104c4c620 drdynvc_virtual_channel_open_event_ex + 432
[19:57:20:98] [29753:6b933000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 19: 19  libfreerdp3.3.0.0.dylib             0x0000000105c03a9c freerdp_channels_data + 1488

Related news

Gentoo Linux Security Advisory 202401-16

Gentoo Linux Security Advisory 202401-16 - Multiple vulnerabilities have been discovered in FreeRDP, the worst of which could result in code execution. Versions greater than or equal to 2.11.0 are affected.

Ubuntu Security Notice USN-6401-1

Ubuntu Security Notice 6401-1 - It was discovered that FreeRDP did not properly manage certain inputs. A malicious server could use this issue to cause FreeRDP clients to crash, resulting in a denial of service, or possibly obtain sensitive information. It was discovered that FreeRDP did not properly manage certain inputs. A malicious server could use this issue to cause FreeRDP clients to crash, resulting in a denial of service, or possibly execute arbitrary code.
