Information

File: rdpsnd.c
Function: rdpsnd_process_ping()

The variable “tick” is read from the input stream “s” (the function's STREAM argument, named “in” in the snippet below) with in_uint16_le() without first checking that at least 2 bytes remain in the stream, so the read can run past the end of the received packet.
Those 2 bytes are then echoed back to the server in the reply built in the same function and sent via “rdpsnd_send()”, so whatever was read past the packet is disclosed to the server.

Code Snippet:

static void
rdpsnd_process_ping(STREAM in)
{
	uint16 tick;
	STREAM out;

	/* reads 2 bytes from "in" with no check that 2 bytes actually remain */
	in_uint16_le(in, tick);

	DEBUG_SOUND(("RDPSND: RDPSND_PING(tick: 0x%04x)\n", (unsigned) tick));

	out = rdpsnd_init_packet(RDPSND_PING | 0x2300, 4);
	/* the possibly out-of-bounds value is copied into the reply to the server */
	out_uint16_le(out, tick);
	out_uint16_le(out, 0);
	s_mark_end(out);
	rdpsnd_send(out);

	DEBUG_SOUND(("RDPSND: -> (tick: 0x%04x)\n", (unsigned) tick));
}
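The following is an added example, not rdesktop's code or the project's fix: a hardened version of the ping handler that refuses a PDU shorter than the 2 bytes it must carry before anything is echoed back. The stream_t type, in_uint16_le_checked(), process_ping_checked() and demo_ping() are assumed names standing in for rdesktop's STREAM macros, and the sample PDU is constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>

/* Minimal stand-in for rdesktop's STREAM (an assumption, not the real type). */
typedef struct {
    uint8_t *p;    /* current read position */
    uint8_t *end;  /* one past the last byte received from the server */
} stream_t;

/* Bounds-checked little-endian uint16 read: the check the original lacks.
 * Returns -1 on a truncated PDU instead of reading past the packet. */
static int in_uint16_le_checked(stream_t *s, uint16_t *out)
{
    if (s->p > s->end || (size_t)(s->end - s->p) < 2)
        return -1;
    *out = (uint16_t)(s->p[0] | (s->p[1] << 8));
    s->p += 2;
    return 0;
}

/* Hardened ping handler. On success fills the 4-byte reply body
 * (tick, then a zero uint16, as in the original) and returns 0; on a
 * short packet returns -1 without building a reply, so client memory
 * beyond the PDU is never echoed back to the server. */
int process_ping_checked(const uint8_t *pdu, size_t len, uint8_t reply[4])
{
    stream_t in = { (uint8_t *)pdu, (uint8_t *)pdu + len };
    uint16_t tick;
    if (in_uint16_le_checked(&in, &tick) != 0)
        return -1;
    reply[0] = (uint8_t)(tick & 0xff);
    reply[1] = (uint8_t)(tick >> 8);
    reply[2] = reply[3] = 0;
    return 0;
}

/* Feeds the first 'len' bytes of a constructed ping PDU to the handler.
 * Returns the echoed tick (0x1234 when both bytes are present) or -1. */
int demo_ping(size_t len)
{
    static const uint8_t sample[2] = { 0x34, 0x12 };  /* tick = 0x1234 LE */
    uint8_t reply[4];
    if (len > sizeof sample || process_ping_checked(sample, len, reply) != 0)
        return -1;
    return reply[0] | (reply[1] << 8);
}
```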

Attachments:
CVE-2018-8798_PoC.py
private_no_pass.key
selfsigned.crt

References:
https://research.checkpoint.com/reverse-rdp-attack-code-execution-on-rdp-clients
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8798