CVE-2018-20182
Information
File: seamless.c
Function: seamless_process_line()
When this function is reached the input line can already be large, because earlier fragments of the message have been reassembled before parsing.
When parsing “tok8”, a loop decodes pairs of hex digits into the global “icon_buf” (1024 bytes) until a ‘\0’ terminator is reached, and it never checks how many bytes it has already written.
A “tok8” value that encodes more than 1024 bytes therefore overflows “icon_buf” into the adjacent global variables, and the overflowing bytes are fully controlled by the peer that sent the message.
Code Snippet:
else if (!strcmp("SETICON", tok1))
{
    int chunk, width, height, len;
    char byte[3];

    if (!tok8)
        return False;

    id = strtoul(tok3, &endptr, 0);
    if (*endptr)
        return False;

    chunk = strtoul(tok4, &endptr, 0);
    if (*endptr)
        return False;

    width = strtoul(tok6, &endptr, 0);
    if (*endptr)
        return False;

    height = strtoul(tok7, &endptr, 0);
    if (*endptr)
        return False;

    byte[2] = '\0';
    len = 0;
    /* icon_buf is a 1024-byte global defined elsewhere in seamless.c.
     * The loop below stops only on '\0'; len is never compared against
     * sizeof(icon_buf), so an over-long tok8 writes past the buffer. */
    while (*tok8 != '\0')
    {
        byte[0] = *tok8;
        tok8++;
        if (*tok8 == '\0')
            return False;
        byte[1] = *tok8;
        tok8++;
        icon_buf[len] = strtol(byte, NULL, 16);
        len++;
    }

    ui_seamless_seticon(id, tok5, width, height, chunk, icon_buf, len);
}
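The following is an added example, not code from rdesktop or from the Check Point write-up: it reimplements the same hex-pair decoding loop with the length check that the snippet above lacks, rejecting payloads that would not fit instead of writing past the buffer. The function names, ICON_BUF_SIZE and the constructed payloads are assumptions made for this illustration; the 1024-byte capacity mirrors the size of icon_buf described above.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed constant: mirrors the 1024-byte global icon_buf in seamless.c. */
#define ICON_BUF_SIZE 1024

/* Hypothetical stand-in for the global icon buffer. */
unsigned char icon_buf[ICON_BUF_SIZE];

/* Decode pairs of hex digits from `hex` into `out` (capacity `out_cap`).
 * Returns the number of bytes written, or -1 when the input is malformed
 * (odd length or non-hex characters) or when the payload would overrun
 * `out`, which is the case the vulnerable loop never checks. */
int decode_icon_hex(const char *hex, unsigned char *out, size_t out_cap)
{
    char byte[3];
    char *end;
    size_t len = 0;

    byte[2] = '\0';
    while (*hex != '\0')
    {
        /* Odd number of characters: the second nibble is missing. */
        if (hex[1] == '\0')
            return -1;
        /* Bounds check missing from the original loop: refuse to write
         * a byte that would land past the end of the buffer. */
        if (len >= out_cap)
            return -1;
        /* strtol would silently accept whitespace, signs and a "0x"
         * prefix, so require two real hex digits before converting. */
        if (!isxdigit((unsigned char)hex[0]) || !isxdigit((unsigned char)hex[1]))
            return -1;
        byte[0] = hex[0];
        byte[1] = hex[1];
        out[len++] = (unsigned char)strtol(byte, &end, 16);
        hex += 2;
    }
    return (int)len;
}

/* Mirror of the SETICON parsing step for a given tok8: returns the decoded
 * length, or -1 when the payload is rejected. */
int parse_seticon_payload(const char *tok8)
{
    return decode_icon_hex(tok8, icon_buf, sizeof icon_buf);
}

/* Build a constructed payload of `nbytes` "ff" pairs and run it through the
 * checked decoder, returning the decoder's result. With nbytes == 1025 this
 * is the shape of input that overflows the unchecked loop. */
int decode_payload_of(size_t nbytes)
{
    char *hex = malloc(2 * nbytes + 1);
    int result;

    if (!hex)
        return -1;
    for (size_t i = 0; i < nbytes; i++)
    {
        hex[2 * i] = 'f';
        hex[2 * i + 1] = 'f';
    }
    hex[2 * nbytes] = '\0';
    result = decode_icon_hex(hex, icon_buf, sizeof icon_buf);
    free(hex);
    return result;
}

int main(void)
{
    printf("5-byte icon   -> %d\n", parse_seticon_payload("48656c6c6f"));
    printf("odd length    -> %d\n", parse_seticon_payload("abc"));
    printf("1024 bytes    -> %d\n", decode_payload_of(1024));
    printf("1025 bytes    -> %d\n", decode_payload_of(1025));
    return 0;
}
```

The check is placed before the write rather than after the loop, so no out-of-bounds store happens even transiently; returning an error lets the caller drop the message the same way the existing `return False` paths do for malformed numeric tokens.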
References:
https://research.checkpoint.com/reverse-rdp-attack-code-execution-on-rdp-clients
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20182