Information

File: cssp.c
Function: cssp_read_tsrequest()

The variable “length” is set inside “ber_in_header()” from the BER length field of the received message, so its value is controlled by the remote peer and can be as large as 0xFFFF.
Later on, the “in_uint8s(s, length)” macro advances the stream’s data pointer by “length” bytes without checking that at least “length” bytes remain in the stream.
The reads that follow then dereference a pointer that may lie far beyond the receive buffer, triggering an access violation (out-of-bounds read) when it lands on an unmapped page.

Code Snippet:

// receive the remainder of the message
s = tcp_recv(s, length);

// parse the response into the nego token
if (!ber_in_header(s, &tagval, &length) ||
    tagval != (BER_TAG_SEQUENCE | BER_TAG_CONSTRUCTED))
	return False;

// version [0]
if (!ber_in_header(s, &tagval, &length) ||
    tagval != (BER_TAG_CTXT_SPECIFIC | BER_TAG_CONSTRUCTED | 0))
	return False;
// "length" comes straight from the message; nothing verifies that the
// stream still holds that many bytes before the pointer is advanced
in_uint8s(s, length);
...
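Worked example, added here and not code from the rdesktop project or from the original advisory: a self-contained C model of the two headers parsed above, with the unchecked skip beside a checked one. The stream structure, the BER tag constants, “ber_in_header()”, and the “s_check_rem()” style of remaining-bytes check are simplified reimplementations written for this example (the cursor is an offset rather than a raw pointer so the overshoot can be measured without undefined pointer arithmetic); the two TSRequest-like messages are constructed, not captured traffic. The message with a 0xFFFF length in the [0] field walks the cursor tens of kilobytes past the received data in the unchecked variant and is rejected by the checked one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model of a receive stream (assumption, not rdesktop's STREAM):
 * an offset-based cursor over "size" received bytes. */
typedef struct {
    const unsigned char *data;
    size_t size;   /* bytes actually received */
    size_t pos;    /* cursor */
} stream_t;

/* BER tag bits as used by the snippet above */
#define BER_TAG_SEQUENCE      0x10
#define BER_TAG_CONSTRUCTED   0x20
#define BER_TAG_CTXT_SPECIFIC 0x80

/* The unchecked skip: a plain cursor advance, mirroring in_uint8s() */
#define in_uint8s(s, n) ((s)->pos += (size_t)(n))
/* Remaining-bytes check in the style of rdesktop's s_check_rem() */
#define s_check_rem(s, n) ((s)->size - (s)->pos >= (size_t)(n))

/* Read a BER identifier octet plus a definite length: short form, or long
 * form with one or two length octets (so at most 0xFFFF). Only the header
 * bytes themselves are bounds-checked; the length value is returned as-is. */
static bool ber_in_header(stream_t *s, int *tagval, int *length)
{
    if (!s_check_rem(s, 2))
        return false;
    *tagval = s->data[s->pos++];
    int b = s->data[s->pos++];
    if (b & 0x80) {
        int n = b & 0x7f;
        if (n < 1 || n > 2 || !s_check_rem(s, n))
            return false;
        *length = 0;
        while (n-- > 0)
            *length = (*length << 8) | s->data[s->pos++];
    } else {
        *length = b;
    }
    return true;
}

/* Walk the same two headers the snippet does: outer SEQUENCE, then [0]. */
static bool read_tsrequest_headers(stream_t *s, int *length)
{
    int tagval;
    if (!ber_in_header(s, &tagval, length) ||
        tagval != (BER_TAG_SEQUENCE | BER_TAG_CONSTRUCTED))
        return false;
    if (!ber_in_header(s, &tagval, length) ||
        tagval != (BER_TAG_CTXT_SPECIFIC | BER_TAG_CONSTRUCTED | 0))
        return false;
    return true;
}

/* Vulnerable variant: returns how many bytes the cursor ends up past the
 * received data (0 = still in bounds), or -1 if the headers were rejected. */
long skip_version_unchecked(const unsigned char *buf, size_t n)
{
    stream_t s = { buf, n, 0 };
    int length;
    if (!read_tsrequest_headers(&s, &length))
        return -1;
    in_uint8s(&s, length);                 /* no check: may run past size */
    return s.pos > s.size ? (long)(s.pos - s.size) : 0;
}

/* Hardened variant: refuses the message unless "length" bytes remain.
 * Returns 0 on success, -1 when the message is rejected. */
long skip_version_checked(const unsigned char *buf, size_t n)
{
    stream_t s = { buf, n, 0 };
    int length;
    if (!read_tsrequest_headers(&s, &length))
        return -1;
    if (!s_check_rem(&s, length))          /* the check the snippet lacks */
        return -1;
    in_uint8s(&s, length);
    return 0;
}

/* Constructed messages for the demonstration (not captured traffic). */
/* Well-formed: SEQUENCE { [0] { INTEGER 2 } } */
const unsigned char TSREQ_OK[] = { 0x30, 0x05, 0xA0, 0x03, 0x02, 0x01, 0x02 };
/* Malicious: [0] claims 0xFFFF content bytes but only 3 follow */
const unsigned char TSREQ_BAD[] = { 0x30, 0x82, 0x00, 0x07,
                                    0xA0, 0x82, 0xFF, 0xFF,
                                    0x02, 0x01, 0x02 };

int main(void)
{
    printf("well-formed, unchecked: overshoot %ld bytes\n",
           skip_version_unchecked(TSREQ_OK, sizeof TSREQ_OK));
    printf("malicious,   unchecked: overshoot %ld bytes\n",
           skip_version_unchecked(TSREQ_BAD, sizeof TSREQ_BAD));
    printf("malicious,   checked:   result %ld\n",
           skip_version_checked(TSREQ_BAD, sizeof TSREQ_BAD));
    return 0;
}
```

The malicious message passes both tag checks, because the tag bytes are exactly what the parser expects; only the length is hostile, which is why validating the tag alone is not enough and the remaining-bytes check has to sit directly in front of every skip or read driven by a peer-supplied length.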


References:
https://research.checkpoint.com/reverse-rdp-attack-code-execution-on-rdp-clients
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8792