CVE-2018-8791
Information
File: rdpdr.c
Function: rdpdr_process()
The variable "g_client_id" is parsed from the input stream "s" without first checking that "s" still holds the 4 bytes the read consumes. If a malicious RDP server sends a truncated Server Announce Request, the read runs past the end of the received PDU and g_client_id takes whatever bytes happen to follow it in the client's memory.
Later on, those 4 bytes are sent back to the server in the Client Announce Reply built by "rdpdr_send_client_announce_reply()", so the out-of-bounds read becomes an information leak from the RDP client to the server.
Code Snippet:
case PAKID_CORE_SERVER_ANNOUNCE:
        /* DR_CORE_SERVER_ANNOUNCE_REQ */
        in_uint8s(s, 2);                /* skip versionMajor */
        in_uint16_le(s, vmin);          /* VersionMinor */
        in_uint32_le(s, g_client_id);   /* ClientID: no check that 4 bytes remain in s */
        /* The RDP client is responsible for providing a random client id
           if the server version is < 12 */
        if (vmin < 0x000c)
                g_client_id = 0x815ed39d;       /* IP address (use 127.0.0.1) 0x815ed39d */
        g_epoch++;
        ...
        rdpdr_send_client_announce_reply();
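The following is an added, self-contained illustration of the bug and is not rdesktop's own code: a stand-in for rdesktop's STREAM cursor, the unchecked Server Announce parse beside a bounds-checked variant (an assumed hardening, not the project's actual patch), and a constructed receive buffer whose PDU is cut off after VersionMinor with four sentinel bytes standing in for adjacent client memory. The function and buffer names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-in for rdesktop's STREAM: a read cursor p over the bytes [p, end).
 * Illustrative only; not rdesktop's stream.h. */
typedef struct {
    const uint8_t *p;
    const uint8_t *end;
} stream_t;

static uint16_t rd16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Mirrors the vulnerable path: every read advances p with no check against end. */
uint32_t server_announce_unchecked(stream_t *s)
{
    uint16_t vmin;
    uint32_t client_id;

    s->p += 2;                            /* skip versionMajor */
    vmin = rd16le(s->p);      s->p += 2;  /* VersionMinor */
    client_id = rd32le(s->p); s->p += 4;  /* ClientID: may read beyond s->end */
    if (vmin < 0x000c)
        client_id = 0x815ed39d;
    return client_id;                     /* later echoed back to the server */
}

/* Assumed hardening (not rdesktop's real fix): refuse the PDU unless all
 * 8 bytes of versionMajor + versionMinor + ClientID are present. */
int server_announce_checked(stream_t *s, uint32_t *client_id)
{
    uint16_t vmin;

    if (s->end < s->p || (size_t)(s->end - s->p) < 8)
        return -1;                        /* truncated PDU: reject, leak nothing */
    s->p += 2;
    vmin = rd16le(s->p);       s->p += 2;
    *client_id = rd32le(s->p); s->p += 4;
    if (vmin < 0x000c)
        *client_id = 0x815ed39d;
    return 0;
}

/* Constructed receive buffer: Server Announce Request cut off after
 * VersionMinor (4 valid bytes), followed by 4 bytes that are NOT part of
 * the PDU and stand in for whatever the client holds after the packet. */
static const uint8_t TRUNCATED_RX[8] = {
    0x01, 0x00,              /* versionMajor = 1 */
    0x0c, 0x00,              /* versionMinor = 12: ClientID is taken from the stream */
    0xaa, 0xbb, 0xcc, 0xdd   /* adjacent memory, not sent by the server */
};

/* Constructed complete PDU, versionMinor = 12, ClientID = 0x12345678. */
static const uint8_t FULL_RX[8] = { 0x01, 0x00, 0x0c, 0x00, 0x78, 0x56, 0x34, 0x12 };

/* Constructed complete PDU from an older server, versionMinor = 11. */
static const uint8_t OLD_RX[8] = { 0x01, 0x00, 0x0b, 0x00, 0x78, 0x56, 0x34, 0x12 };

/* Vulnerable parser on the truncated packet: returns the value that would be
 * echoed to the server, assembled from bytes beyond the PDU. */
uint32_t leaked_client_id(void)
{
    stream_t s = { TRUNCATED_RX, TRUNCATED_RX + 4 };  /* only 4 bytes are valid */
    return server_announce_unchecked(&s);
}

/* Checked parser on the same truncated packet; -1 means rejected. */
int checked_truncated(void)
{
    uint32_t id = 0;
    stream_t s = { TRUNCATED_RX, TRUNCATED_RX + 4 };
    return server_announce_checked(&s, &id);
}

/* Checked parser on a complete packet; returns the parsed ClientID. */
uint32_t checked_client_id(const uint8_t *pdu, size_t len)
{
    uint32_t id = 0;
    stream_t s = { pdu, pdu + len };
    if (server_announce_checked(&s, &id) != 0)
        return 0;
    return id;
}

uint32_t checked_full(void)       { return checked_client_id(FULL_RX, sizeof FULL_RX); }
uint32_t checked_old_server(void) { return checked_client_id(OLD_RX, sizeof OLD_RX); }
```

With the truncated buffer the unchecked parser hands back 0xddccbbaa, the four sentinel bytes that were never part of the PDU, which is exactly what a real client would then place in its Client Announce Reply; the checked parser rejects the same input before any read, and still parses well-formed PDUs (including the version < 12 case that substitutes the fixed client id).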
Attachments:
CVE-2018-8791_PoC.py
private_no_pass.key
selfsigned.crt
References:
https://research.checkpoint.com/reverse-rdp-attack-code-execution-on-rdp-clients
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8791