CVE-2017-2838
An exploitable denial of service vulnerability exists within the handling of challenge packets in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause program termination, leading to a denial of service condition. An attacker can compromise the server or use a man-in-the-middle position to trigger this vulnerability.
FreeRDP 2.0.0-beta1+android11 - Windows, OSX, Linux
6.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CWE-190: Integer Overflow or Wraparound
FreeRDP is a remote desktop protocol implementation available for all of the major operating systems. Many commercial remote desktop protocol applications use this library as their core. The vulnerability arises in the license_read_product_info function.
BOOL license_read_product_info(wStream* s, LICENSE_PRODUCT_INFO* productInfo)
{
    /* cbCompanyName (4 bytes): attacker-controlled length, read as an unsigned 32-bit value */
    Stream_Read_UINT32(s, productInfo->cbCompanyName);

    /* [1] cbCompanyName + 4 is computed in 32 bits and can wrap, so the check passes for huge values */
    if (Stream_GetRemainingLength(s) < productInfo->cbCompanyName + 4)
        return FALSE;

    /* [2] allocation of the unchecked length; succeeds on 64-bit systems */
    productInfo->pbCompanyName = (BYTE*) malloc(productInfo->cbCompanyName);
    if (!productInfo->pbCompanyName)
        return FALSE;

    /* [3] copies cbCompanyName bytes out of a stream that holds far fewer: out-of-bounds read */
    Stream_Read(s, productInfo->pbCompanyName, productInfo->cbCompanyName);
The license_read_product_info function reads an unsigned integer from the attacker-controlled packet. The function then adds four to this value for a check against the remaining stream length at [1]. There is no check for integer overflow here, so an overly large value can be passed in and the addition wraps around. The malloc at [2] succeeds on a 64-bit system, and the read at [3] then runs past the end of the stream, causing an out-of-bounds read and a denial of service condition.
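The following added example (not FreeRDP code) models the length check at [1] on a minimal stand-in for wStream, so the wraparound can be observed next to a hardened form of the same check that subtracts instead of adds; the packet bytes are constructed for the demonstration and are not captured traffic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal stand-in for FreeRDP's wStream: a byte buffer with a read cursor. */
typedef struct { const uint8_t *data; size_t length; size_t pos; } stream_t;

static size_t stream_remaining(const stream_t *s) { return s->length - s->pos; }

static uint32_t stream_read_u32(stream_t *s) {            /* little-endian, like Stream_Read_UINT32 */
    const uint8_t *p = s->data + s->pos;
    s->pos += 4;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The check at [1]: cbCompanyName is a UINT32, so "cbCompanyName + 4" is evaluated in 32 bits
 * and wraps for any value >= 0xFFFFFFFC, which makes the comparison pass. */
bool vulnerable_length_check(uint32_t cbCompanyName, size_t remaining) {
    return !(remaining < (uint32_t)(cbCompanyName + 4));
}

/* Hardened form: subtract on the trusted side instead of adding to the attacker-controlled value. */
bool hardened_length_check(uint32_t cbCompanyName, size_t remaining) {
    return remaining >= 4 && cbCompanyName <= remaining - 4;
}

typedef struct { bool accepted; bool read_in_bounds; uint32_t cbCompanyName; } parse_result_t;

/* Walk the cbCompanyName logic without allocating or copying: report whether the length check
 * admits the packet and whether the Stream_Read at [3] would then stay inside the buffer. */
parse_result_t parse_company_name(const uint8_t *pkt, size_t len, bool hardened) {
    stream_t s = { pkt, len, 0 };
    parse_result_t r = { false, false, 0 };
    if (stream_remaining(&s) < 4) return r;
    r.cbCompanyName = stream_read_u32(&s);
    size_t remaining = stream_remaining(&s);
    r.accepted = hardened ? hardened_length_check(r.cbCompanyName, remaining)
                          : vulnerable_length_check(r.cbCompanyName, remaining);
    if (r.accepted) r.read_in_bounds = r.cbCompanyName <= remaining;
    return r;
}

/* Constructed sample packets: a length of 0xFFFFFFFE followed by 8 bytes, and a benign
 * length of 3 followed by the name bytes and the next 4-byte field. */
static const uint8_t kOverflowPacket[] = { 0xFE, 0xFF, 0xFF, 0xFF, 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H' };
static const uint8_t kBenignPacket[]   = { 0x03, 0x00, 0x00, 0x00, 'a', 'b', 'c', 0x09, 0x00, 0x00, 0x00 };

int main(void) {
    parse_result_t v = parse_company_name(kOverflowPacket, sizeof kOverflowPacket, false);
    parse_result_t h = parse_company_name(kOverflowPacket, sizeof kOverflowPacket, true);
    printf("vulnerable: accepted=%d in_bounds=%d\n", v.accepted, v.read_in_bounds); /* 1 0 */
    printf("hardened:   accepted=%d\n", h.accepted);                                  /* 0 */
    return 0;
}
```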
Crashed thread log:
Dispatch queue: com.apple.main-thread
0 libsystem_kernel.dylib 0x00007fff955c6f72 mach_msg_trap + 10
1 libsystem_kernel.dylib 0x00007fff955c63b3 mach_msg + 55
2 com.apple.CoreFoundation 0x00007fff88e001c4 __CFRunLoopServiceMachPort + 212
3 com.apple.CoreFoundation 0x00007fff88dff68c __CFRunLoopRun + 1356
4 com.apple.CoreFoundation 0x00007fff88dfeed8 CFRunLoopRunSpecific + 296
5 com.apple.HIToolbox 0x00007fff8f2b7935 RunCurrentEventLoopInMode + 235
6 com.apple.HIToolbox 0x00007fff8f2b776f ReceiveNextEventCommon + 432
7 com.apple.HIToolbox 0x00007fff8f2b75af _BlockUntilNextEventMatchingListInModeWithFilter + 71
8 com.apple.AppKit 0x00007fff8fe9adf6 _DPSNextEvent + 1067
9 com.apple.AppKit 0x00007fff8fe9a226 -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 454
10 com.apple.AppKit 0x00007fff8fe8ed80 -[NSApplication run] + 682
11 com.apple.AppKit 0x00007fff8fe58368 NSApplicationMain + 1176
12 libdyld.dylib 0x00007fff86cf45ad start + 1
log name is: ./crashlogs/1.crashlog.txt
---
exception=EXC_CRASH:signal=11:is_exploitable=no:instruction_disassembly=ret:instruction_address=0x00007fff955c6f72:access_type=:access_address=0x0000000000000000
Run the included Python server and connect the FreeRDP client to it.
2017-05-24 - Vendor Disclosure
2017-07-24 - Public Release
Discovered by Tyler Bohan of Cisco Talos.