Vulnerabilities in rdesktop allow injected code
Security services provider iDefense has reported three security holes in the open source rdesktop client that allow attackers to foist malicious code on users, for example via a manipulated Remote Desktop Protocol (RDP) server. The rdesktop client is used on Unix operating systems to access Windows Terminal Servers using RDP.
The function xrealloc() carries out a signed comparison to determine whether a requested allocation size is less than 1 and, if so, corrects the size to 1. A length that is negative when interpreted as a signed value is therefore rounded up to 1, which can make the reserved memory area far too small, resulting in a buffer overflow and execution of injected code. The second vulnerability can be exploited when parsing crafted redirect requests, because the rdesktop client uses several unchecked 32-bit integers from the redirect packet as lengths for copying operations into fixed-size buffers. Here too any buffer overflows that occur can lead to the execution of injected code. A heap-based buffer overflow can also occur during the processing of manipulated RDP packets. The rdesktop client uses a 16-bit integer from the packet, subtracts 4 from it and uses the result as the size of a buffer for a copying operation; if the value is smaller than 4, the subtraction underflows and an undersize buffer is allocated.
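The length-handling patterns behind the second and third flaws can be illustrated with a small constructed parser. The following C is an added example and not rdesktop's code: it assumes a frame with a 16-bit big-endian length field covering a 4-byte header plus payload, shows how the naive "length minus 4" computation wraps, and contrasts it with the checks a hardened parser performs before allocating or copying.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN 4u   /* assumed fixed header size, mirroring the "subtracts 4" in the article */

/* Naive payload-length computation, as described in the article: a 16-bit
 * length smaller than the header wraps when the result is stored back in
 * an unsigned 16-bit value instead of being rejected. */
uint16_t naive_payload_len(uint16_t pkt_len)
{
    return (uint16_t)(pkt_len - HDR_LEN);   /* 2 - 4 wraps to 65534 */
}

/* Hardened version: validate the length before it becomes an allocation or
 * copy size. Returns -1 for any inconsistent length, else the payload length. */
int checked_payload_len(uint16_t pkt_len, size_t avail)
{
    if (pkt_len < HDR_LEN)        /* subtraction would underflow */
        return -1;
    if (pkt_len > avail)          /* claims more bytes than were received */
        return -1;
    return (int)(pkt_len - HDR_LEN);
}

/* Parse a constructed frame: 2-byte big-endian length (header + payload),
 * 2 reserved bytes, then payload. The copy into the fixed-size destination is
 * bounded by the destination size, the check missing in the redirect-packet
 * flaw. Returns bytes copied, or -1 if the frame is rejected. */
int parse_frame(const uint8_t *buf, size_t buflen, uint8_t *dst, size_t dstlen)
{
    if (buflen < HDR_LEN) return -1;
    uint16_t pkt_len = (uint16_t)((buf[0] << 8) | buf[1]);
    int payload = checked_payload_len(pkt_len, buflen);
    if (payload < 0) return -1;
    if ((size_t)payload > dstlen) return -1;   /* fixed-size buffer guard */
    memcpy(dst, buf + HDR_LEN, (size_t)payload);
    return payload;
}

int main(void)
{
    /* constructed sample frames */
    const uint8_t good[] = {0x00, 0x07, 0x00, 0x00, 'a', 'b', 'c'};
    const uint8_t tiny[] = {0x00, 0x02, 0x00, 0x00};
    uint8_t out[16];
    printf("naive payload length for 2: %u\n", naive_payload_len(2));
    printf("good: %d, tiny: %d\n", parse_frame(good, sizeof good, out, sizeof out),
           parse_frame(tiny, sizeof tiny, out, sizeof out));
    return 0;
}
```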
The flaws affect the rdesktop client's current stable version 1.5.0, and possibly older versions. The developers have, however, already eliminated the vulnerabilities in their version control system. Users of the rdesktop client should not accept invitations from strangers to an RDP session. If users have to connect to RDP servers that could be open to manipulation, they should as a minimum download the current source code from the CVS and recompile the client.
See also:
- Multiple Vendor rdesktop channel_process() Integer Signedness Vulnerability, security advisory from iDefense
- Multiple Vendor rdesktop process_redirect_pdu() BSS Overflow Vulnerability, security advisory from iDefense
- Multiple Vendor rdesktop iso_recv_msg() Integer Underflow Vulnerability, security advisory from iDefense
(mba)