Talos Vulnerability Report

TALOS-2017-0340

FreeRDP Rdp Client License Read Product Info Denial of Service Vulnerability

July 24, 2017
CVE Number

CVE-2017-2838

Summary

An exploitable denial of service vulnerability exists within the handling of challenge packets in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.

Tested Versions

FreeRDP 2.0.0-beta1+android11 - Windows, OSX, Linux

Product URLs

http://www.freerdp.com/

CVSSv3 Score

6.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CWE

CWE-190: Integer Overflow or Wraparound

Details

FreeRDP is a remote desktop protocol implementation available for all of the major operating systems. Many of the commercial remote desktop protocol applications actually use this library as their core. The vulnerability arises in the license_read_product_info functionality.

BOOL license_read_product_info(wStream* s, LICENSE_PRODUCT_INFO* productInfo)
{

    Stream_Read_UINT32(s, productInfo->cbCompanyName); /* cbCompanyName (4 bytes) */

    if (Stream_GetRemainingLength(s) < productInfo->cbCompanyName + 4)  [1]
        return FALSE;

    productInfo->pbCompanyName = (BYTE*) malloc(productInfo->cbCompanyName);  [2]
    if (!productInfo->pbCompanyName)
        return FALSE;
    Stream_Read(s, productInfo->pbCompanyName, productInfo->cbCompanyName);  [3]

The license_read_product_info function reads in an unsigned integer from the attacker controlled packet. The function then adds four to this value for a check against the remaining length, [1]. There are no checks to detect and overflow here so an overly large value is able to be passed in. The malloc at, [2], succeeds on a 64 bit system causing an out of bounds read and denial of service condition to arise at, [3].

Crash Information

 Crashed thread log = 
: Dispatch queue: com.apple.main-thread
0   libsystem_kernel.dylib          0x00007fff955c6f72 mach_msg_trap + 10
1   libsystem_kernel.dylib          0x00007fff955c63b3 mach_msg + 55
2   com.apple.CoreFoundation        0x00007fff88e001c4 __CFRunLoopServiceMachPort + 212
3   com.apple.CoreFoundation        0x00007fff88dff68c __CFRunLoopRun + 1356
4   com.apple.CoreFoundation        0x00007fff88dfeed8 CFRunLoopRunSpecific + 296
5   com.apple.HIToolbox             0x00007fff8f2b7935 RunCurrentEventLoopInMode + 235
6   com.apple.HIToolbox             0x00007fff8f2b776f ReceiveNextEventCommon + 432
7   com.apple.HIToolbox             0x00007fff8f2b75af _BlockUntilNextEventMatchingListInModeWithFilter + 71
8   com.apple.AppKit                0x00007fff8fe9adf6 _DPSNextEvent + 1067
9   com.apple.AppKit                0x00007fff8fe9a226 -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 
454
10  com.apple.AppKit                0x00007fff8fe8ed80 -[NSApplication run] + 682
11  com.apple.AppKit                0x00007fff8fe58368 NSApplicationMain + 1176
12  libdyld.dylib                   0x00007fff86cf45ad start + 1

log name is: ./crashlogs/1.crashlog.txt
---
exception=EXC_CRASH:signal=11:is_exploitable= 
no:instruction_disassembly=ret:instruction_address=0x00007fff955c6f72:access_type=:access_address=0x0000000000000000

Exploit Proof-of-Concept

Run included Python server and connect FreeRDP Client to it.

Timeline

2017-05-24 - Vendor Disclosure
2017-07-24 - Public Release

Credit

Discovered by Tyler Bohan of Cisco Talos.