Information

File: xclip.c
Function: ui_clip_handle_data()

This function is called after “length” has been read from the input stream, without any check that the stream actually contains at least “length” bytes.
The call to “crlf2lf(data, &length)” trusts the supplied “length” and performs an in-place conversion, effectively a “memmove()”-like shift of the data towards the start of the buffer: every ‘\r’ that is dropped moves all following bytes one position further left, and because “length” is larger than the data actually received, the shift operates on bytes beyond the end of the received data.
By controlling the number of ‘\r’ characters in the buffer, the attacker controls the size of the triggered memory shift.

Code Snippet:

/* Called when the RDP server responds with clipboard data (after we've requested it). */
void
ui_clip_handle_data(uint8 * data, uint32 length)
{
	RD_BOOL free_data = False;

	if (length == 0)
	{
		xclip_refuse_selection(&selection_request);
		has_selection_request = False;
		return;
	}

	if (selection_request.target == format_string_atom || selection_request.target == XA_STRING)
	{
		/* We're expecting a CF_TEXT response */
		uint8 *firstnull;

		/* translate linebreaks */
		crlf2lf(data, &length);

		/* Only send data up to null byte, if any */
		firstnull = (uint8 *) strchr((char *) data, '\0');
		if (firstnull)
		{
			length = firstnull - data + 1;
		}
	}
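
Added example (not code from this page or from rdesktop itself): a reconstruction of crlf2lf() as described above, a count of the ‘\r’ bytes that determines the size of the shift, and a hardened version of the CF_TEXT branch that adds the missing check of “length” against the number of bytes actually present in the stream. The names clip_handle_text_checked(), count_cr(), the demo_* helpers, the stream_len parameter and the sample buffers are assumptions made for this example; the sample inputs are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reconstruction (assumed to match rdesktop's xclip.c) of crlf2lf():
 * strips every '\r' in place by copying the surviving bytes leftwards.
 * *length is trusted blindly.  If the caller passes a length larger than
 * the real buffer, src walks past the end (out-of-bounds read) and, once
 * at least one '\r' has been dropped, dst trails src so those bytes are
 * written back shifted left, i.e. the memmove()-like shift the advisory
 * describes. */
void crlf2lf(uint8_t *data, uint32_t *length)
{
    uint8_t *src = data, *dst = data;

    while (src < data + *length) {
        if (*src != '\r')
            *dst++ = *src;
        src++;
    }
    *length = (uint32_t)(dst - data);
}

/* Number of '\r' bytes in the buffer: each one removed moves every byte
 * after it one slot further left, so this is the size of the shift that
 * the attacker controls. */
size_t count_cr(const uint8_t *data, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (data[i] == '\r')
            n++;
    return n;
}

/* Hardened version of the CF_TEXT branch of ui_clip_handle_data()
 * (assumed API).  stream_len is the number of bytes actually present;
 * claimed_length is the length field read from the packet.  The first
 * line is the check the advisory describes as missing.  memchr() replaces
 * strchr() so the NUL search cannot run past the converted data either. */
bool clip_handle_text_checked(uint8_t *stream, size_t stream_len,
                              uint32_t claimed_length, uint32_t *out_len)
{
    if (claimed_length > stream_len)
        return false;              /* packet claims more than was received */

    uint32_t length = claimed_length;
    crlf2lf(stream, &length);

    uint8_t *firstnull = memchr(stream, '\0', length);
    if (firstnull)
        length = (uint32_t)(firstnull - stream) + 1;

    *out_len = length;
    return true;
}

/* Constructed sample input: CRLF text, three '\r' bytes, 9 bytes long. */
static const uint8_t SAMPLE[] = "a\r\nb\r\nc\r\n";
#define SAMPLE_LEN 9u

/* Honest length: conversion succeeds; returns the converted length (6). */
uint32_t demo_honest_length(void)
{
    uint8_t buf[SAMPLE_LEN];
    uint32_t out = 0;
    memcpy(buf, SAMPLE, SAMPLE_LEN);
    if (!clip_handle_text_checked(buf, SAMPLE_LEN, SAMPLE_LEN, &out))
        return 0;
    return memcmp(buf, "a\nb\nc\n", out) == 0 ? out : 0;
}

/* Claimed length larger than the stream: the hardened caller refuses. */
bool demo_oversized_rejected(void)
{
    uint8_t buf[SAMPLE_LEN];
    uint32_t out = 0;
    memcpy(buf, SAMPLE, SAMPLE_LEN);
    return !clip_handle_text_checked(buf, SAMPLE_LEN, 4096, &out);
}

/* Embedded NUL: the length is cut at the first NUL, inclusive (3). */
uint32_t demo_nul_truncation(void)
{
    uint8_t buf[] = { 'a', 'b', '\0', 'c', '\r', 'd' };
    uint32_t out = 0;
    if (!clip_handle_text_checked(buf, sizeof buf, sizeof buf, &out))
        return 0;
    return out;
}

int main(void)
{
    printf("shift size for sample: %zu bytes\n", count_cr(SAMPLE, SAMPLE_LEN));
    printf("honest length -> %u, oversized rejected -> %d, NUL cut -> %u\n",
           demo_honest_length(), (int) demo_oversized_rejected(),
           demo_nul_truncation());
    return 0;
}
```

The point of the bounds check is that “length” must be compared against what the transport actually delivered before the data is handed to crlf2lf(); once inside crlf2lf() the routine has no way of knowing where the real buffer ends.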
References:
https://research.checkpoint.com/reverse-rdp-attack-code-execution-on-rdp-clients
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8800