CVE-2018-8798
Information
File: rdpsnd.c
Function: rdpsnd_process_ping()
The variable "tick" is read from the input stream "s" without first checking that "s" has at least the 2 bytes the read needs, so a short PING PDU makes the client read past the end of the received data.
Those 2 bytes are then copied into the reply built in this function and sent back to the server via "rdpsnd_send()".
Code Snippet:
static void
rdpsnd_process_ping(STREAM in)
{
    uint16 tick;
    STREAM out;

    in_uint16_le(in, tick);

    DEBUG_SOUND(("RDPSND: RDPSND_PING(tick: 0x%04x)\n", (unsigned) tick));

    out = rdpsnd_init_packet(RDPSND_PING | 0x2300, 4);
    out_uint16_le(out, tick);
    out_uint16_le(out, 0);
    s_mark_end(out);
    rdpsnd_send(out);

    DEBUG_SOUND(("RDPSND: -> (tick: 0x%04x)\n", (unsigned) tick));
}
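The following is an added illustration, not rdesktop's code: a self-contained C model of the unchecked read above beside a length-checked version. It assumes a toy stream_t type (data/p/end cursor) and a local s_check_rem() helper that plays the role of a remaining-bytes check; the backing buffer, the sentinel byte 0xEE standing in for whatever memory follows the PDU, and the sample PDUs are all constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy stand-in for rdesktop's STREAM: a read cursor p inside [data, end). */
typedef struct {
    uint8_t *data;
    uint8_t *p;
    uint8_t *end;
} stream_t;

/* Backing storage for the demo: up to 2 PDU bytes followed by bytes that
   model whatever happens to sit in memory past the end of the PDU
   (constructed sentinel value, not real data). */
#define ADJACENT_BYTE 0xEE
static uint8_t g_backing[4];

static stream_t make_stream(const uint8_t *pdu, size_t pdu_len)
{
    stream_t s;
    memset(g_backing, ADJACENT_BYTE, sizeof g_backing);
    if (pdu_len > 2)
        pdu_len = 2;
    memcpy(g_backing, pdu, pdu_len);
    s.data = g_backing;
    s.p = g_backing;
    s.end = g_backing + pdu_len;   /* logical end of the received PDU */
    return s;
}

/* Remaining-bytes check (assumed helper) that the handler on the page lacks. */
static int s_check_rem(const stream_t *s, size_t n)
{
    return (size_t)(s->end - s->p) >= n;
}

/* Little-endian 16-bit read, advancing the cursor; no bounds check here,
   exactly like the macro used in the handler above. */
static uint16_t in_uint16_le(stream_t *s)
{
    uint16_t v = (uint16_t)(s->p[0] | (s->p[1] << 8));
    s->p += 2;
    return v;
}

/* Mirrors the page's handler: read tick unconditionally; the value returned
   here is what would be echoed back to the server in the PING reply. */
int ping_reply_unchecked(const uint8_t *pdu, size_t pdu_len)
{
    stream_t in = make_stream(pdu, pdu_len);
    return in_uint16_le(&in);
}

/* Hardened handler: refuse the PDU unless 2 bytes remain. Returns -1 on a
   short PDU, otherwise the tick that would be echoed. */
int ping_reply_checked(const uint8_t *pdu, size_t pdu_len)
{
    stream_t in = make_stream(pdu, pdu_len);
    if (!s_check_rem(&in, 2))
        return -1;                 /* treat as a protocol error, drop the PDU */
    return in_uint16_le(&in);
}

int main(void)
{
    const uint8_t empty[1] = { 0 };          /* 0-byte PING payload */
    const uint8_t one[1]   = { 0x34 };       /* 1-byte PING payload */
    const uint8_t two[2]   = { 0x34, 0x12 }; /* well-formed: tick 0x1234 */

    printf("unchecked, 0-byte PDU: 0x%04x (both bytes come from past the PDU)\n",
           ping_reply_unchecked(empty, 0));
    printf("unchecked, 1-byte PDU: 0x%04x (high byte comes from past the PDU)\n",
           ping_reply_unchecked(one, 1));
    printf("checked,   1-byte PDU: %d (rejected)\n", ping_reply_checked(one, 1));
    printf("checked,   2-byte PDU: 0x%04x\n", ping_reply_checked(two, 2));
    return 0;
}
```

The point the model makes is that the reply path turns an out-of-bounds read into an information leak: whatever bytes follow a short PDU in memory are what the client sends back, so the check has to happen before the read, and the handler has to discard the PDU rather than continue with a partially read value.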
Attachments:
CVE-2018-8798_PoC.py
private_no_pass.key
selfsigned.crt
References:
https://research.checkpoint.com/reverse-rdp-attack-code-execution-on-rdp-clients
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8798