CVE-2018-20175
Information - Case #1:
File: mcs.c
Function: mcs_recv_connect_response()
The variable “length” is parsed from the input stream “s” using “ber_parse_header()”, and can reach ANY SIGNED integer value.
Later on, the macro “in_uint8s(s, length)” moves the stream pointer forward or backward by “length”, without checking that “length >= 0” or that the stream still contains at least “length” bytes.
Inside “mcs_parse_domain_params(s)”, an access violation then occurs when the parser reads from a potentially unmapped memory page.
Code Snippet:
ber_parse_header(s, BER_TAG_INTEGER, &length);
in_uint8s(s, length); /* connect id */
mcs_parse_domain_params(s);
ASAN Output:
Connection established using SSL.
ASAN:SIGSEGV
=================================================================
==27714==ERROR: AddressSanitizer: SEGV on unknown address 0x620fff014113 (pc 0x00000044c73d bp 0x7fff44b611b0 sp 0x7fff44b61180 T0)
#0 0x44c73c in ber_parse_header /home/XXX/rdesktop-1.8.3/asn.c:35
#1 0x44eef9 in mcs_parse_domain_params /home/XXX/rdesktop-1.8.3/mcs.c:49
#2 0x44f52b in mcs_recv_connect_response /home/XXX/rdesktop-1.8.3/mcs.c:111
#3 0x4506cd in mcs_connect_finalize /home/XXX/rdesktop-1.8.3/mcs.c:326
#4 0x455d04 in sec_connect /home/XXX/rdesktop-1.8.3/secure.c:953
#5 0x46311d in rdp_connect /home/XXX/rdesktop-1.8.3/rdp.c:1762
#6 0x40b779 in main /home/XXX/rdesktop-1.8.3/rdesktop.c:1142
#7 0x7f0b43cf282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#8 0x407bb8 in _start (/home/XXX/rdesktop-1.8.3/rdesktop+0x407bb8)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/XXX/rdesktop-1.8.3/asn.c:35 ber_parse_header
==27714==ABORTING
Information - Case #2:
File: mcs.c
Function: mcs_parse_domain_params()
The variable “length” is parsed from the input stream “s” using “ber_parse_header()”, and can reach ANY SIGNED integer value.
Later on, the macro “in_uint8s(s, length)” moves the stream pointer backward by a negative “length”, without checking that “length >= 0”.
Because “s->p” has been decremented, the check “s_check(s)” passes; however, the pointer “s->p” is still invalid.
Later on, an access violation occurs when the parser reads from a potentially unmapped memory page.
Code Snippet:
static RD_BOOL
mcs_parse_domain_params(STREAM s)
{
    int length;

    ber_parse_header(s, MCS_TAG_DOMAIN_PARAMS, &length);
    in_uint8s(s, length);

    return s_check(s);
}
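The following is an added example, not code from rdesktop or from the advisory, that models the defect common to Case #1 and Case #2 and the check that closes it. The struct, the function names “in_uint8s_unchecked”, “in_uint8s_checked” and “s_check_model”, and the 16-byte buffer are constructed for illustration; the model replaces rdesktop's raw pointers with an integer cursor so that out-of-range positions can be inspected without undefined pointer arithmetic, and it assumes (as the advisory's Case #2 describes) that the original end-of-stream check only compares the cursor against the end of the buffer.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of a parser stream: a buffer plus a cursor offset.
 * rdesktop's STREAM uses raw pointers (data, p, end); an integer offset is
 * used here so a cursor that has run off the buffer can be examined safely. */
struct stream {
    const unsigned char *data;
    long size;   /* bytes in the buffer */
    long pos;    /* cursor; only valid while 0 <= pos <= size */
};

/* Models the original end-of-stream check, which (per Case #2) only
 * verifies that the cursor has not passed the end of the buffer. */
static bool s_check_model(const struct stream *s)
{
    return s->pos <= s->size;
}

/* Models in_uint8s(s, length) as described in the advisory: the cursor is
 * moved by "length" with no sign check and no remaining-bytes check, so a
 * negative length moves it backwards and a large one moves it past the end. */
static void in_uint8s_unchecked(struct stream *s, int length)
{
    s->pos += length;
}

/* Hardened replacement: reject a negative length and any length larger
 * than the bytes remaining. On failure the cursor is left untouched and
 * false is returned so the caller can abort parsing instead of reading on. */
static bool in_uint8s_checked(struct stream *s, int length)
{
    if (length < 0)
        return false;
    if (s->pos < 0 || s->pos > s->size)
        return false;
    if ((long)length > s->size - s->pos)
        return false;
    s->pos += length;
    return true;
}

/* Reproduces the Case #2 observation on a constructed 16-byte stream:
 * after an unchecked skip with a negative length the end check still
 * passes although the cursor now points before the buffer. */
static bool negative_length_passes_s_check(int length)
{
    static const unsigned char buf[16] = {0};
    struct stream s = { buf, (long)sizeof buf, 4 };
    in_uint8s_unchecked(&s, length);
    return s.pos < 0 && s_check_model(&s);
}

/* The same length through the hardened skip: returns true when the length
 * was rejected and the cursor stayed where it was. */
static bool checked_skip_rejects(int length)
{
    static const unsigned char buf[16] = {0};
    struct stream s = { buf, (long)sizeof buf, 4 };
    bool ok = in_uint8s_checked(&s, length);
    return !ok && s.pos == 4;
}

int main(void)
{
    printf("negative length passes end check: %d\n", negative_length_passes_s_check(-100));
    printf("hardened skip rejects -100:        %d\n", checked_skip_rejects(-100));
    printf("hardened skip rejects 1000:        %d\n", checked_skip_rejects(1000));
    printf("hardened skip rejects 8:           %d\n", checked_skip_rejects(8));
    return 0;
}
```

The point of the model is that validating the cursor after the move (as “s_check(s)” does) cannot catch a backward move, and cannot catch a forward move either once the cursor has already been dereferenced; the length has to be validated against the remaining bytes before the cursor is touched, and the caller has to honour the failure result rather than continue parsing.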
ASAN Output:
Connection established using SSL.
ASAN:SIGSEGV
=================================================================
==27756==ERROR: AddressSanitizer: SEGV on unknown address 0x620fffbfffd4 (pc 0x00000044c73d bp 0x7ffcde2b93b0 sp 0x7ffcde2b9380 T0)
#0 0x44c73c in ber_parse_header /home/XXX/rdesktop-1.8.3/asn.c:35
#1 0x44f543 in mcs_recv_connect_response /home/XXX/rdesktop-1.8.3/mcs.c:113
#2 0x4506cd in mcs_connect_finalize /home/XXX/rdesktop-1.8.3/mcs.c:326
#3 0x455d04 in sec_connect /home/XXX/rdesktop-1.8.3/secure.c:953
#4 0x46311d in rdp_connect /home/XXX/rdesktop-1.8.3/rdp.c:1762
#5 0x40b779 in main /home/XXX/rdesktop-1.8.3/rdesktop.c:1142
#6 0x7ff239fd082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#7 0x407bb8 in _start (/home/XXX/rdesktop-1.8.3/rdesktop+0x407bb8)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/XXX/rdesktop-1.8.3/asn.c:35 ber_parse_header
==27756==ABORTING
Attachments:
CVE-2018-20175_PoC_1.py
CVE-2018-20175_PoC_2.py
private_no_pass.key
selfsigned.crt
References:
https://research.checkpoint.com/reverse-rdp-attack-code-execution-on-rdp-clients
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20175