CVE-2018-8799
Information
File: orders.c
Function: process_secondary_order()
The 16-bit variable “length” is read from the input stream “s” and can hold any value up to 0xFFFF. The line “next_order = s->p + (sint16) length + 7;” then casts it to a signed 16-bit value and advances “next_order” by that amount without checking that the stream still contains that many bytes. Because of the cast, an attacker-controlled “length” can move “next_order” either far past the end of the receive buffer or, for values of 0x8000 and above, backwards to before the current read position (note that “length” is declared uint16 although the comment in the snippet says a signed integer must be used).
process_secondary_order() is called from a “for” loop in process_orders(). Once the stream position has been set to “next_order”, the next read from “s” (the frame at orders.c:1322 in the trace below) takes place outside the buffer. In the AddressSanitizer run below that read lands 235 bytes before the start of the 4096-byte receive buffer allocated in tcp_connect(); in a non-instrumented build the same read can touch an unmapped page and crash the client.
Code Snippet:
static void
process_secondary_order(STREAM s)
{
	/* The length isn't calculated correctly by the server.
	 * For very compact orders the length becomes negative
	 * so a signed integer must be used. */
	uint16 length;
	uint16 flags;
	uint8 type;
	uint8 *next_order;

	in_uint16_le(s, length);
	in_uint16_le(s, flags);	/* used by bmpcache2 */
	in_uint8(s, type);

	next_order = s->p + (sint16) length + 7;
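The following is an added example, not code from rdesktop or from the advisory: it reproduces the unchecked “next_order” arithmetic above on a constructed 16-byte order buffer and places a bounds-checked variant beside it. The stream_t type, rd_u16_le/rd_u8 readers, make_stream and the *_offset_for helpers are hypothetical simplifications of rdesktop's STREAM macros; the hardened check is illustrative and is not the project's own fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for rdesktop's STREAM: a receive buffer,
 * a read cursor p and a pointer one past the last valid byte. */
typedef struct {
    uint8_t *data;
    uint8_t *p;
    uint8_t *end;
} stream_t;

/* Little-endian reads, the equivalent of in_uint16_le / in_uint8. */
static uint16_t rd_u16_le(stream_t *s)
{
    uint16_t v = (uint16_t)(s->p[0] | ((uint16_t)s->p[1] << 8));
    s->p += 2;
    return v;
}

static uint8_t rd_u8(stream_t *s)
{
    return *s->p++;
}

/* Vulnerable computation, mirroring the advisory's snippet. The result is
 * the byte offset of next_order from the start of the buffer, computed in
 * integer arithmetic so the example stays well defined even when the value
 * lies outside the buffer. Nothing here compares it against the buffer. */
static ptrdiff_t vuln_next_order_offset(stream_t *s)
{
    uint16_t length = rd_u16_le(s);
    uint16_t flags = rd_u16_le(s);          /* used by bmpcache2 */
    uint8_t type = rd_u8(s);
    (void)flags; (void)type;
    /* next_order = s->p + (sint16) length + 7; */
    return (s->p - s->data) + (ptrdiff_t)(int16_t)length + 7;
}

/* Hardened variant (illustrative): the 5-byte header must fit, and the
 * signed advance must stay within the bytes that remain. Rejecting a
 * negative advance is a conservative policy chosen for this example. */
static bool safe_next_order_offset(stream_t *s, ptrdiff_t *out)
{
    if (s->end - s->p < 5)
        return false;                       /* header itself would over-read */
    uint16_t length = rd_u16_le(s);
    (void)rd_u16_le(s);                     /* flags */
    (void)rd_u8(s);                         /* type */
    int32_t adv = (int32_t)(int16_t)length + 7;
    ptrdiff_t remaining = s->end - s->p;
    if (adv < 0 || adv > remaining)
        return false;                       /* next_order would leave the buffer */
    *out = (s->p - s->data) + adv;
    return true;
}

/* Constructed input: a zeroed buffer whose secondary-order header carries
 * the given length in little-endian; flags and type stay zero. */
static stream_t make_stream(uint8_t *buf, size_t buflen, uint16_t length)
{
    memset(buf, 0, buflen);
    buf[0] = (uint8_t)(length & 0xff);
    buf[1] = (uint8_t)(length >> 8);
    stream_t s = { buf, buf, buf + buflen };
    return s;
}

/* Offset the vulnerable code would use for a header with this length. */
ptrdiff_t vuln_offset_for(uint16_t length)
{
    uint8_t buf[16];
    stream_t s = make_stream(buf, sizeof buf, length);
    return vuln_next_order_offset(&s);
}

/* Offset accepted by the hardened parser, or -1 if it rejects the header. */
ptrdiff_t safe_offset_for(uint16_t length)
{
    uint8_t buf[16];
    stream_t s = make_stream(buf, sizeof buf, length);
    ptrdiff_t off;
    return safe_next_order_offset(&s, &off) ? off : -1;
}

int main(void)
{
    /* 0x0003: well formed; 0x7fff: runs far past the 16-byte buffer;
     * 0xff00: (sint16) -256, moves next_order before the buffer start. */
    uint16_t cases[] = { 0x0003, 0x7fff, 0xff00 };
    for (size_t i = 0; i < 3; i++)
        printf("length=0x%04x  vulnerable next_order offset=%td  hardened offset=%td\n",
               cases[i], vuln_offset_for(cases[i]), safe_offset_for(cases[i]));
    return 0;
}
```

The 0xff00 case is the shape of the ASan report above: the signed cast turns a large length into a negative advance, so the next read lands before the buffer rather than past its end. Any fix has to bound both directions of the signed value, not merely compare the unsigned “length” against the remaining bytes.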
ASAN Output:
WARNING: Remote desktop does not support colour depth 24; falling back to 16
NOT IMPLEMENTED: secondary order 26
=================================================================
==18084==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000014015 at pc 0x00000046d089 bp 0x7fff009b52e0 sp 0x7fff009b52d0
READ of size 1 at 0x621000014015 thread T0
#0 0x46d088 in process_orders /home/XXX/rdesktop-1.8.3/orders.c:1322
#1 0x4863b7 in rdp5_process /home/XXX/rdesktop-1.8.3/rdp5.c:85
#2 0x45841e in rdp_recv /home/XXX/rdesktop-1.8.3/rdp.c:120
#3 0x462d9c in rdp_loop /home/XXX/rdesktop-1.8.3/rdp.c:1717
#4 0x462cdf in rdp_main_loop /home/XXX/rdesktop-1.8.3/rdp.c:1697
#5 0x40b88e in main /home/XXX/rdesktop-1.8.3/rdesktop.c:1181
#6 0x7f771772182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#7 0x407bb8 in _start (/home/XXX/rdesktop-1.8.3/rdesktop+0x407bb8)
0x621000014015 is located 235 bytes to the left of 4096-byte region [0x621000014100,0x621000015100)
allocated by thread T0 here:
#0 0x7f7719087602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x40c222 in xmalloc /home/XXX/rdesktop-1.8.3/rdesktop.c:1317
#2 0x44bac0 in tcp_connect /home/XXX/rdesktop-1.8.3/tcp.c:518
#3 0x44e5cf in iso_connect /home/XXX/rdesktop-1.8.3/iso.c:227
#4 0x4506a7 in mcs_connect_start /home/XXX/rdesktop-1.8.3/mcs.c:317
#5 0x455cae in sec_connect /home/XXX/rdesktop-1.8.3/secure.c:944
#6 0x46311d in rdp_connect /home/XXX/rdesktop-1.8.3/rdp.c:1762
#7 0x40b779 in main /home/XXX/rdesktop-1.8.3/rdesktop.c:1142
#8 0x7f771772182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/XXX/rdesktop-1.8.3/orders.c:1322 process_orders
Shadow bytes around the buggy address:
0x0c427fffa7b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffa7c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffa7d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffa7e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffa7f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c427fffa800: fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffa810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffa820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffa830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffa840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffa850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==18084==ABORTING
Attachments:
CVE-2018-8799_PoC.py
private_no_pass.key
selfsigned.crt
References:
https://research.checkpoint.com/reverse-rdp-attack-code-execution-on-rdp-clients
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8799