CVE-2018-20176
Information- Case #1:
File: secure.c
Function: sec_parse_crypt_info()
The variable “ignorelen” is parsed from the input stream “s”, and can reach ANY UNSIGNED integer value.
Later on, the macro “in_uint8s(s, ignorelen)” increments the stream according to “ignorelen”, without checking that the stream contains at least “ignorelen” bytes.
In the following “for” loop iteration, an access violation will occur when reading from a potentially unmapped memory page.
Code Snippet:
for (; certcount > 2; certcount--)
{ /* ignore all the certificates between the root and the signing CA */
uint32 ignorelen;
RDSSL_CERT *ignorecert;
in_uint32_le(s, ignorelen);
ignorecert = rdssl_cert_read(s->p, ignorelen);
in_uint8s(s, ignorelen);
if (ignorecert == NULL)
{ /* XXX: error out? */
logger(Protocol, Error,
"sec_parse_crypt_info(), got a bad cert: this will probably screw up the rest of the communication");
}
}
ASAN Output:
Connection established using SSL.
ASAN:SIGSEGV
=================================================================
==27789==ERROR: AddressSanitizer: SEGV on unknown address 0x6210bec0005e (pc 0x0000004547cf bp 0x7ffffcd2e630 sp 0x7ffffcd2e5a0 T0)
#0 0x4547ce in sec_parse_crypt_info /home/XXX/rdesktop-1.8.3/secure.c:688
#1 0x454c4c in sec_process_crypt_info /home/XXX/rdesktop-1.8.3/secure.c:760
#2 0x4550f8 in sec_process_mcs_data /home/XXX/rdesktop-1.8.3/secure.c:818
#3 0x44f552 in mcs_recv_connect_response /home/XXX/rdesktop-1.8.3/mcs.c:115
#4 0x4506cd in mcs_connect_finalize /home/XXX/rdesktop-1.8.3/mcs.c:326
#5 0x455d04 in sec_connect /home/XXX/rdesktop-1.8.3/secure.c:953
#6 0x46311d in rdp_connect /home/XXX/rdesktop-1.8.3/rdp.c:1762
#7 0x40b779 in main /home/XXX/rdesktop-1.8.3/rdesktop.c:1142
#8 0x7fab10e6a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#9 0x407bb8 in _start (/home/XXX/rdesktop-1.8.3/rdesktop+0x407bb8)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/XXX/rdesktop-1.8.3/secure.c:688 sec_parse_crypt_info
==27789==ABORTING
Information - Case #2:
File: secure.c
Function: sec_recv()
There are multiple cases inside this function when a call to “sec_decrypt(s->p, s->end - s->p)” occurs.
However, due to lack of input sanitation (sending the packet without 8 bytes for the signature, for instance) a memory over-read can cause
the condition “s->p > s->end” to be true. In this case, “s->end - s->p” will be treated as a huge unsigned value, triggering a massive decryption operation.
Code Snippet:
if (fastpath_flags & FASTPATH_OUTPUT_ENCRYPTED)
{
in_uint8s(s, 8); /* signature */
sec_decrypt(s->p, s->end - s->p);
}
...
if (sec_flags & SEC_ENCRYPT)
{
in_uint8s(s, 8); /* signature */
sec_decrypt(s->p, s->end - s->p);
}
...
if (sec_flags & SEC_REDIRECTION_PKT)
{
uint8 swapbyte;
in_uint8s(s, 8); /* signature */
sec_decrypt(s->p, s->end - s->p);
...
}
ASAN Output:
Connection established using SSL.
WARNING: Remote desktop does not support colour depth 24; falling back to 16
ASAN:SIGSEGV
=================================================================
==27837==ERROR: AddressSanitizer: SEGV on unknown address 0x621000030000 (pc 0x7f351ab35f3c bp 0x7ffd7fcb4420 sp 0x7ffd7fcb43e0 T0)
#0 0x7f351ab35f3b in RC4 (/lib/x86_64-linux-gnu/libcrypto.so.1.0.0+0xa9f3b)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 RC4
==27837==ABORTING
Attachments:
CVE-2018-20176_PoC_1.py
CVE-2018-20176_PoC_2.py
private_no_pass.key
selfsigned.crt
References:
https://research.checkpoint.com/reverse-rdp-attack-code-execution-on-rdp-clients
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20176