CVE-2018-8800
Information
File: xclip.c
Function: ui_clip_handle_data()
This function is called after “length” has been read from the input stream, without any check that the stream actually contains at least “length” bytes.
The call to “crlf2lf(data, &length)” uses the supplied “length” to perform an in-place conversion, effectively a “memmove()”-like memory shift over that many bytes.
By controlling the number of ‘\r’ characters in the buffer, an attacker controls the size of the triggered memory shift.
Code Snippet:
/* Called when the RDP server responds with clipboard data (after we've requested it). */
void
ui_clip_handle_data(uint8 * data, uint32 length)
{
    RD_BOOL free_data = False;

    if (length == 0)
    {
        xclip_refuse_selection(&selection_request);
        has_selection_request = False;
        return;
    }

    if (selection_request.target == format_string_atom || selection_request.target == XA_STRING)
    {
        /* We're expecting a CF_TEXT response */
        uint8 *firstnull;

        /* translate linebreaks */
        crlf2lf(data, &length);

        /* Only send data up to null byte, if any */
        firstnull = (uint8 *) strchr((char *) data, '\0');
        if (firstnull)
        {
            length = firstnull - data + 1;
        }
    }
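As an added illustration (not code from this advisory or from rdesktop), the following C models the in-place '\r'-stripping shift and shows the check a hardened handler needs: the announced length is compared against the bytes that actually arrived before any crlf2lf-style conversion runs. The packet layout, the STREAM stand-in (clip_pkt), and the function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for rdesktop's STREAM: `size` bytes really arrived,
 * `pos` is the read cursor once the length field has been parsed. */
typedef struct { const uint8_t *base; size_t size; size_t pos; } clip_pkt;

/* Model of crlf2lf(): strip every '\r' in place over exactly *length bytes,
 * the memmove()-like shift the advisory describes. Not rdesktop's code. */
static void crlf2lf_model(uint8_t *data, uint32_t *length)
{
    uint8_t *src = data, *dst = data, *end = data + *length;
    while (src < end) {
        if (*src != '\r')
            *dst++ = *src;
        src++;
    }
    *length = (uint32_t)(dst - data);
}

/* Hardened handler (hypothetical): the announced length must be backed by
 * bytes that actually arrived, and must fit `out`, before any in-place
 * conversion runs. Returns the converted length, or -1 when refused. */
static int clip_handle_checked(const clip_pkt *p, uint32_t length,
                               uint8_t *out, size_t outcap)
{
    if (p->pos > p->size || length > p->size - p->pos || length > outcap)
        return -1;                      /* would read past the packet */
    memcpy(out, p->base + p->pos, length);
    crlf2lf_model(out, &length);
    return (int)length;
}

/* Constructed packet: 4-byte length field, then 6 payload bytes "ab\r\nc\r";
 * `announced` is the length value the handler is told to trust. */
static int run_scenario(uint32_t announced)
{
    static const uint8_t wire[] = { 6, 0, 0, 0, 'a', 'b', '\r', '\n', 'c', '\r' };
    clip_pkt p = { wire, sizeof wire, 4 };
    uint8_t out[64];
    return clip_handle_checked(&p, announced, out, sizeof out);
}
int main(void)
{
    printf("honest length 6 -> %d bytes after conversion\n", run_scenario(6));  /* 4 */
    printf("announced 4096  -> %d (refused)\n", run_scenario(4096));           /* -1 */
    return 0;
}
```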
References:
https://research.checkpoint.com/reverse-rdp-attack-code-execution-on-rdp-clients
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8800