FreeRDP Rdp Client License Read Product Info Denial of Service Vulnerability

July 24, 2017
Summary

An exploitable denial of service vulnerability exists within the handling of challenge packets in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause program termination, leading to a denial of service condition. An attacker who controls the server, or who holds a man-in-the-middle position, can trigger this vulnerability.

Tested Versions

FreeRDP 2.0.0-beta1+android11 - Windows, OSX, Linux

CVSSv3 Score

6.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CWE

CWE-190: Integer Overflow or Wraparound

Details

FreeRDP is a remote desktop protocol implementation available for all of the major operating systems. Many commercial remote desktop applications use this library as their core. The vulnerability lies in the license_read_product_info function.

BOOL license_read_product_info(wStream* s, LICENSE_PRODUCT_INFO* productInfo)
{
    Stream_Read_UINT32(s, productInfo->cbCompanyName); /* cbCompanyName (4 bytes) */

    /* cbCompanyName is a UINT32, so cbCompanyName + 4 is 32-bit arithmetic and can wrap */
    if (Stream_GetRemainingLength(s) < productInfo->cbCompanyName + 4)  [1]
        return FALSE;

    productInfo->pbCompanyName = (BYTE*) malloc(productInfo->cbCompanyName);  [2]
    if (!productInfo->pbCompanyName)
        return FALSE;
    /* copies cbCompanyName bytes, far more than the packet holds once the check has wrapped */
    Stream_Read(s, productInfo->pbCompanyName, productInfo->cbCompanyName);  [3]
    /* ... */
}

The license_read_product_info function reads an unsigned 32-bit integer, cbCompanyName, from the attacker-controlled packet and adds four to it for the check against the remaining stream length at [1]. Nothing checks that addition for overflow, so an overly large value wraps the sum to a small number and passes the check. The malloc at [2] succeeds on a 64-bit system, and the Stream_Read at [3] then reads far past the end of the packet, producing an out-of-bounds read and the denial of service condition.
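The wrap described above, shown as an added example that is not FreeRDP's code: a toy stream type (ToyStream, read_u32le and remaining are assumed stand-ins for wStream and its helpers) runs the advisory's length check beside a hardened form over two constructed packets, one carrying a cbCompanyName of 0xFFFFFFFF and one carrying an honest 4-byte name.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-in for FreeRDP's wStream: a byte buffer with a read cursor. */
typedef struct { const uint8_t *data; size_t length; size_t pos; } ToyStream;

static size_t remaining(const ToyStream *s) { return s->length - s->pos; }

static uint32_t read_u32le(ToyStream *s) {          /* like Stream_Read_UINT32 */
    const uint8_t *p = s->data + s->pos;
    s->pos += 4;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* The check as quoted in the advisory at [1]: cbCompanyName + 4 is 32-bit
 * arithmetic, so 0xFFFFFFFF + 4 wraps to 3 and the comparison is satisfied. */
bool vulnerable_check_passes(const uint8_t *pkt, size_t len) {
    ToyStream s = { pkt, len, 0 };
    uint32_t cbCompanyName = read_u32le(&s);
    uint32_t needed = cbCompanyName + 4;            /* wraps for large values */
    if (remaining(&s) < needed)
        return false;
    return true;   /* the real code goes on to malloc(cbCompanyName) and Stream_Read */
}

/* Hardened form: reject any value for which the addition would wrap, then
 * compare in size_t so the sum cannot overflow on either 32- or 64-bit builds. */
bool hardened_check_passes(const uint8_t *pkt, size_t len) {
    ToyStream s = { pkt, len, 0 };
    uint32_t cbCompanyName = read_u32le(&s);
    if (cbCompanyName > UINT32_MAX - 4)
        return false;
    if (remaining(&s) < (size_t)cbCompanyName + 4)
        return false;
    return true;
}

/* Constructed packets: a wrapping length, and an honest 4-byte company name. */
static const uint8_t kWrapPacket[]   = { 0xFF, 0xFF, 0xFF, 0xFF, 1, 2, 3, 4, 5, 6, 7, 8 };
static const uint8_t kBenignPacket[] = { 0x04, 0x00, 0x00, 0x00, 'A', 'C', 'M', 'E', 0, 0, 0, 0 };

int main(void) {
    printf("wrap   vulnerable=%d hardened=%d\n",
           vulnerable_check_passes(kWrapPacket, sizeof kWrapPacket),
           hardened_check_passes(kWrapPacket, sizeof kWrapPacket));
    printf("benign vulnerable=%d hardened=%d\n",
           vulnerable_check_passes(kBenignPacket, sizeof kBenignPacket),
           hardened_check_passes(kBenignPacket, sizeof kBenignPacket));
    return 0;
}
```

The vulnerable check accepts the wrapping packet although only 8 bytes follow the length field, while the hardened check rejects it and still accepts the honest packet.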

Crash Information

 Crashed thread log = 
: Dispatch queue: com.apple.main-thread
0   libsystem_kernel.dylib          0x00007fff955c6f72 mach_msg_trap + 10
1   libsystem_kernel.dylib          0x00007fff955c63b3 mach_msg + 55
2   com.apple.CoreFoundation        0x00007fff88e001c4 __CFRunLoopServiceMachPort + 212
3   com.apple.CoreFoundation        0x00007fff88dff68c __CFRunLoopRun + 1356
4   com.apple.CoreFoundation        0x00007fff88dfeed8 CFRunLoopRunSpecific + 296
5   com.apple.HIToolbox             0x00007fff8f2b7935 RunCurrentEventLoopInMode + 235
6   com.apple.HIToolbox             0x00007fff8f2b776f ReceiveNextEventCommon + 432
7   com.apple.HIToolbox             0x00007fff8f2b75af _BlockUntilNextEventMatchingListInModeWithFilter + 71
8   com.apple.AppKit                0x00007fff8fe9adf6 _DPSNextEvent + 1067
9   com.apple.AppKit                0x00007fff8fe9a226 -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 
10  com.apple.AppKit                0x00007fff8fe8ed80 -[NSApplication run] + 682
11  com.apple.AppKit                0x00007fff8fe58368 NSApplicationMain + 1176
12  libdyld.dylib                   0x00007fff86cf45ad start + 1

log name is: ./crashlogs/1.crashlog.txt

Exploit Proof-of-Concept

Run the included Python server and connect the FreeRDP client to it.

Timeline

2017-05-24 - Vendor Disclosure
2017-07-24 - Public Release

Credit

Discovered by Tyler Bohan of Cisco Talos.