CVE-2018-8793
Information
File: cssp.c
Function: cssp_read_tsrequest()
The variable “length” is not chosen by the client: it is filled in by “ber_in_header()” from the BER length field read out of the incoming stream “s”, so peer-controlled data can drive it up to 0xFFFF.
Later on, the “out_uint8p(token, s->p, length)” macro calls “memcpy()” with that “length” without first checking that “token” has that much room, so an oversized length writes past the end of token's buffer. Any fix has to bound “length” against the remaining capacity of “token” (and against the bytes actually left in “s”) before the copy, rather than after it.
Code Snippet:
// negoToken [1]
if (token)
{
if (!ber_in_header(s, &tagval, &length)
|| tagval != (BER_TAG_CTXT_SPECIFIC | BER_TAG_CONSTRUCTED | 1))
return False;
if (!ber_in_header(s, &tagval, &length)
|| tagval != (BER_TAG_SEQUENCE | BER_TAG_CONSTRUCTED))
return False;
if (!ber_in_header(s, &tagval, &length)
|| tagval != (BER_TAG_SEQUENCE | BER_TAG_CONSTRUCTED))
return False;
if (!ber_in_header(s, &tagval, &length)
|| tagval != (BER_TAG_CTXT_SPECIFIC | BER_TAG_CONSTRUCTED | 0))
return False;
if (!ber_in_header(s, &tagval, &length) || tagval != BER_TAG_OCTET_STRING)
return False;
token->end = token->p = token->data;
out_uint8p(token, s->p, length);
s_mark_end(token);
}
References:
https://research.checkpoint.com/reverse-rdp-attack-code-execution-on-rdp-clients
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8793