CVE-2018-8796
Information
File: rdp.c
Function: process_bitmap_updates()
The variable “size” is read from the input stream “s” and can be in the range 0 - 0xFFFF.
Later on, the macro “in_uint8p(s, data, size)” advances the input stream pointer by the unchecked “size” value, without verifying that that many bytes remain in the stream.
Any subsequent read from the input stream will then trigger an access violation when it touches a potentially unmapped memory address.
Code Snippet:
    if (compress & 0x400)
    {
        size = bufsize;
    }
    else
    {
        in_uint8s(s, 2); /* pad */
        in_uint16_le(s, size);         /* attacker-controlled, 0 - 0xFFFF */
        in_uint8s(s, 4); /* line_size, final_size */
    }
    in_uint8p(s, data, size);          /* advances s by "size" with no remaining-length check */
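As an added example (not rdesktop's code), a minimal C model of the parse above with the remaining-length check that the vulnerable path lacks; the stream type, s_check_rem(), parse_bitmap_data() and the two sample packets are this example's own constructions.

```c
#include <stdint.h>
#include <stddef.h>

/* Minimal stand-in for rdesktop's STREAM: buffer start, read cursor p, and end. */
typedef struct { const uint8_t *data; const uint8_t *p; const uint8_t *end; } stream;

/* Returns 1 if at least n more bytes can be read from s, else 0. */
static int s_check_rem(const stream *s, size_t n) {
    return (size_t)(s->end - s->p) >= n;
}

/* Mirrors the uncompressed-bitmap branch: skip 2 pad bytes, read a 16-bit
 * little-endian size, skip 4 bytes (line_size, final_size), then point "data"
 * at "size" payload bytes. Returns 0 on success, -1 if any read would run past
 * the end of the stream, which is the check missing before in_uint8p(). */
static int parse_bitmap_data(stream *s, const uint8_t **data, uint16_t *size) {
    if (!s_check_rem(s, 2 + 2 + 4)) return -1;     /* whole header must be present */
    s->p += 2;                                      /* pad */
    *size = (uint16_t)(s->p[0] | (s->p[1] << 8));   /* in_uint16_le(s, size) */
    s->p += 2;
    s->p += 4;                                      /* line_size, final_size */
    if (!s_check_rem(s, *size)) return -1;          /* reject size > bytes remaining */
    *data = s->p;                                   /* in_uint8p(s, data, size) */
    s->p += *size;
    return 0;
}

/* Parses one buffer; returns the announced size on success, -1 if rejected. */
static int parse_packet(const uint8_t *buf, size_t len) {
    stream s = { buf, buf, buf + len };
    const uint8_t *data = NULL;
    uint16_t size = 0;
    if (parse_bitmap_data(&s, &data, &size) != 0 || data == NULL) return -1;
    return (int)size;
}

/* Constructed sample: pad, size=0x0004, 4 skipped bytes, then exactly 4 payload bytes. */
static const uint8_t good_pkt[] = { 0, 0, 0x04, 0x00, 0, 0, 0, 0, 'A', 'B', 'C', 'D' };
/* Constructed sample: announces size=0xFFFF but only 2 payload bytes actually follow. */
static const uint8_t bad_pkt[]  = { 0, 0, 0xFF, 0xFF, 0, 0, 0, 0, 'X', 'Y' };

static int parse_good_sample(void) { return parse_packet(good_pkt, sizeof good_pkt); }
static int parse_bad_sample(void)  { return parse_packet(bad_pkt, sizeof bad_pkt); }
```

With the check in place the oversized packet is rejected before the cursor moves past the buffer, instead of leaving later reads to fault on unmapped memory.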
References:
https://research.checkpoint.com/reverse-rdp-attack-code-execution-on-rdp-clients
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8796