CVE-2018-20181
Information
File: seamless.c
Function: seamless_process()
When this function is reached, the stream can already be in an out-of-bounds read state, meaning that “s->end < s->p”.
Because “pkglen” is an unsigned int, the negative pointer difference wraps around, so “pkglen + 1” can become 0, triggering a memory allocation of zero bytes.
Later on, the “STRNCPY(, , pkglen + 1)” macro will use “pkglen + 1 - 1” == “-1”, performing the following set of actions:
- strncpy(dst,src,-1)
- dst[-1] = 0
As “strncpy()” takes a length of type “size_t”, the value “-1” is interpreted as “4GB”, allowing an effectively unbounded string copy.
Code Snippet:
static void
seamless_process(STREAM s)
{
        unsigned int pkglen;
        char *buf;

        pkglen = s->end - s->p;                 /* wraps when s->end < s->p */
        /* str_handle_lines requires null terminated strings */
        buf = xmalloc(pkglen + 1);              /* 0 bytes when pkglen == UINT_MAX */
        STRNCPY(buf, (char *) s->p, pkglen + 1); /* expands to strncpy(buf, src, pkglen + 1 - 1) */
        str_handle_lines(buf, &seamless_rest, seamless_line_handler, NULL);
        xfree(buf);
}
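The following added example (not rdesktop code) reproduces the unsigned wraparound described above on a minimal stand-in for STREAM and places a bounds-checked copy routine beside it; stream_t, vuln_alloc_size(), vuln_copy_len() and safe_seamless_copy() are names assumed for this demonstration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the two STREAM fields involved in the bug (assumed shape for
 * this demonstration; the real rdesktop struct has more members). */
typedef struct {
    unsigned char *p;    /* read cursor */
    unsigned char *end;  /* end of valid data */
} stream_t;

/* Mirrors the arithmetic of the vulnerable seamless_process(): the pointer
 * difference lands in an unsigned int (implicitly in the original, cast here
 * for clarity), so a negative difference wraps to a huge value. */
unsigned int vuln_alloc_size(const stream_t *s)
{
    unsigned int pkglen = (unsigned int)(s->end - s->p);
    return pkglen + 1;                        /* what xmalloc() receives */
}

/* Length that STRNCPY(dst, src, pkglen + 1) hands to strncpy(): textually
 * (pkglen + 1 - 1), still evaluated in unsigned int arithmetic. */
size_t vuln_copy_len(const stream_t *s)
{
    unsigned int pkglen = (unsigned int)(s->end - s->p);
    return pkglen + 1 - 1;                    /* UINT_MAX once pkglen + 1 wrapped to 0 */
}

/* Hardened variant: validate the cursor before any size arithmetic, then copy
 * with a bounded length. Returns a NUL-terminated heap copy, or NULL when the
 * cursor is past the end (the out-of-bounds state) or the size would wrap. */
char *safe_seamless_copy(const stream_t *s)
{
    if (s->p > s->end)                        /* reject the OOB-read state */
        return NULL;
    size_t pkglen = (size_t)(s->end - s->p);  /* non-negative by construction */
    if (pkglen == SIZE_MAX)                   /* pkglen + 1 would wrap */
        return NULL;
    char *buf = malloc(pkglen + 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, s->p, pkglen);
    buf[pkglen] = '\0';
    return buf;
}
```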
References:
https://research.checkpoint.com/reverse-rdp-attack-code-execution-on-rdp-clients
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20181