CVE-2018-20174
Information
File: xclip.c
Function: ui_clip_handle_data()
This function is called after “length” has been read from the input stream, without any check that the stream actually contains at least “length” bytes.
When saving the received data to the client’s clipboard, it therefore also stores whatever memory follows the received bytes, copying “length - 1” bytes in total.
The stored clipboard contents can then be queried by the server through the same “copy & paste” feature, resulting in a major information disclosure.
/* Called when the RDP server responds with clipboard data (after we've requested it). */
void
ui_clip_handle_data(uint8 * data, uint32 length)
{
    RD_BOOL free_data = False;

    /* "length" is server-controlled and has already been read from the stream. */
    if (length == 0)
    {
        xclip_refuse_selection(&selection_request);
        has_selection_request = False;
        return;
    }
    ...
    /* No check that "data" really holds "length" bytes: the copy of length - 1 bytes
     * can run past the received packet into adjacent client memory. */
    xclip_provide_selection(&selection_request, selection_request.target, 8, data, length - 1);
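The missing check, as an added example that is not rdesktop's code: the stream, clipboard buffer and packet layout are simplified stand-ins assumed for illustration, and the handler refuses any packet whose "length" exceeds the bytes still present in the stream.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Minimal stand-in for rdesktop's inbound stream: buffer, size and read cursor (constructed). */
typedef struct { const uint8_t *buf; size_t size; size_t pos; } stream_t;

static size_t stream_remaining(const stream_t *s) { return s->size - s->pos; }

/* Read the little-endian uint32 "length" field; fail if even the header is short. */
static int read_u32_le(stream_t *s, uint32_t *out)
{
    const uint8_t *p = s->buf + s->pos;
    if (stream_remaining(s) < 4)
        return 0;
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    s->pos += 4;
    return 1;
}

/* Stand-in for xclip_provide_selection(): copies the payload into a local clipboard buffer. */
#define CLIP_MAX 64
static uint8_t clipboard[CLIP_MAX];
static size_t clipboard_len;

static void provide_selection(const uint8_t *data, size_t len)
{
    clipboard_len = len < CLIP_MAX ? len : CLIP_MAX;
    memcpy(clipboard, data, clipboard_len);
}

/* Hardened handler: 1 if the payload was accepted, 0 if the packet was refused. The comparison
 * against stream_remaining() is the check the vulnerable code lacked. */
int clip_handle_data_checked(stream_t *s)
{
    uint32_t length;
    if (!read_u32_le(s, &length) || length == 0)
        return 0;                   /* refuse, as the original does for length == 0 */
    if (length > stream_remaining(s))
        return 0;                   /* packet carries fewer than `length` bytes: drop it */
    provide_selection(s->buf + s->pos, length - 1);   /* rdesktop drops the trailing NUL */
    s->pos += length;
    return 1;
}

int handle_packet(const uint8_t *pkt, size_t n)   /* process one raw packet of n bytes */
{
    stream_t s = { pkt, n, 0 };
    return clip_handle_data_checked(&s);
}
```

A well-formed packet (length 5, payload "abcd" plus NUL) is accepted and yields 4 clipboard bytes; a packet claiming 100 bytes while carrying 4 is refused instead of copying 95 bytes of adjacent memory.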
References:
https://research.checkpoint.com/reverse-rdp-attack-code-execution-on-rdp-clients
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20174