Information- Case #1:

File: secure.c
Function: sec_parse_crypt_info()

The variable “ignorelen” is parsed from the input stream “s”, and can reach ANY UNSIGNED integer value.
Later on, the macro “in_uint8s(s, ignorelen)” increments the stream according to “ignorelen”, without checking that the stream contains at least “ignorelen” bytes.
In the following “for” loop iteration, an access violation will occur when reading from a potentially unmapped memory page.

Code Snippet:

for (; certcount > 2; certcount--)
{		/* ignore all the certificates between the root and the signing CA */
	uint32 ignorelen;
	RDSSL_CERT *ignorecert;

	in_uint32_le(s, ignorelen);
	ignorecert = rdssl_cert_read(s->p, ignorelen);
	in_uint8s(s, ignorelen);
	if (ignorecert == NULL)
	{	/* XXX: error out? */
		logger(Protocol, Error,
			   "sec_parse_crypt_info(), got a bad cert: this will probably screw up the rest of the communication");
	}
}

ASAN Output:

Connection established using SSL.
ASAN:SIGSEGV
=================================================================
==27789==ERROR: AddressSanitizer: SEGV on unknown address 0x6210bec0005e (pc 0x0000004547cf bp 0x7ffffcd2e630 sp 0x7ffffcd2e5a0 T0)
    #0 0x4547ce in sec_parse_crypt_info /home/XXX/rdesktop-1.8.3/secure.c:688
    #1 0x454c4c in sec_process_crypt_info /home/XXX/rdesktop-1.8.3/secure.c:760
    #2 0x4550f8 in sec_process_mcs_data /home/XXX/rdesktop-1.8.3/secure.c:818
    #3 0x44f552 in mcs_recv_connect_response /home/XXX/rdesktop-1.8.3/mcs.c:115
    #4 0x4506cd in mcs_connect_finalize /home/XXX/rdesktop-1.8.3/mcs.c:326
    #5 0x455d04 in sec_connect /home/XXX/rdesktop-1.8.3/secure.c:953
    #6 0x46311d in rdp_connect /home/XXX/rdesktop-1.8.3/rdp.c:1762
    #7 0x40b779 in main /home/XXX/rdesktop-1.8.3/rdesktop.c:1142
    #8 0x7fab10e6a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x407bb8 in _start (/home/XXX/rdesktop-1.8.3/rdesktop+0x407bb8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/XXX/rdesktop-1.8.3/secure.c:688 sec_parse_crypt_info
==27789==ABORTING

Information - Case #2:

File: secure.c
Function: sec_recv()

There are multiple cases inside this function when a call to “sec_decrypt(s->p, s->end - s->p)” occurs.
However, due to lack of input sanitation (sending the packet without 8 bytes for the signature, for instance) a memory over-read can cause
the condition “s->p > s->end” to be true. In this case, “s->end - s->p” will be treated as a huge unsigned value, triggering a massive decryption operation.

Code Snippet:

if (fastpath_flags & FASTPATH_OUTPUT_ENCRYPTED)
{
	in_uint8s(s, 8);	/* signature */
	sec_decrypt(s->p, s->end - s->p);
}
...
if (sec_flags & SEC_ENCRYPT)
{
	in_uint8s(s, 8);	/* signature */
	sec_decrypt(s->p, s->end - s->p);
}
...
if (sec_flags & SEC_REDIRECTION_PKT)
{
	uint8 swapbyte;

	in_uint8s(s, 8);	/* signature */
	sec_decrypt(s->p, s->end - s->p);
	...
}

ASAN Output:

Connection established using SSL.
WARNING: Remote desktop does not support colour depth 24; falling back to 16
ASAN:SIGSEGV
=================================================================
==27837==ERROR: AddressSanitizer: SEGV on unknown address 0x621000030000 (pc 0x7f351ab35f3c bp 0x7ffd7fcb4420 sp 0x7ffd7fcb43e0 T0)
    #0 0x7f351ab35f3b in RC4 (/lib/x86_64-linux-gnu/libcrypto.so.1.0.0+0xa9f3b)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 RC4
==27837==ABORTING

Attachments:
CVE-2018-20176_PoC_1.py
CVE-2018-20176_PoC_2.py
private_no_pass.key
selfsigned.crt

References:
https://research.checkpoint.com/reverse-rdp-attack-code-execution-on-rdp-clients
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20176