I Found Memory Leak Vulnerability

[tonix0114]

freerdp 2.0.0- rc3 has a memory leak vulnerability that can read the client's memory.
This vulnerability occurs in channels / drdynvc / client / drdynvc_main.c.
Please email me if you need more details.
tonix0114@gmail.com

[akallabeth]

@tonix0114 mail sent

[tonix0114]

I will send you vulnerability information tomorrow. 2018년 9월 19일 (수) 오후 7:12, akallabeth <notifications@github.com>님이 작성:

…

@tonix0114 <https://github.com/tonix0114> mail sent — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#4866 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AVBSTXdRPDEazB1ESdkqBNuwlskascGeks5uchh6gaJpZM4Wva_8> .

[tonix0114]

tomorrow 2018년 9월 19일 (수) 오후 8:40, 심기용 <tonix0114@gmail.com>님이 작성:

…

I will send you vulnerability information tomorrow. 2018년 9월 19일 (수) 오후 7:12, akallabeth ***@***.***>님이 작성: > @tonix0114 <https://github.com/tonix0114> mail sent > > — > You are receiving this because you were mentioned. > Reply to this email directly, view it on GitHub > <#4866 (comment)>, > or mute the thread > <https://github.com/notifications/unsubscribe-auth/AVBSTXdRPDEazB1ESdkqBNuwlskascGeks5uchh6gaJpZM4Wva_8> > . >

[tonix0114]

Vulnerability Code : channels/drdynvc/client/drdynvc_main.c#858

static UINT drdynvc_process_capability_request(drdynvcPlugin* drdynvc, int Sp,
        int cbChId, wStream* s)
{
	UINT status;

	if (!drdynvc)
		return CHANNEL_RC_BAD_INIT_HANDLE;

	WLog_Print(drdynvc->log, WLOG_TRACE, "capability_request Sp=%d cbChId=%d", Sp, cbChId);
	Stream_Seek(s, 1); /* pad */
	Stream_Read_UINT16(s, drdynvc->version);

	/* RDP8 servers offer version 3, though Microsoft forgot to document it
	 * in their early documents.  It behaves the same as version 2.
	 */
	if ((drdynvc->version == 2) || (drdynvc->version == 3))
	{
		Stream_Read_UINT16(s, drdynvc->PriorityCharge0);
		Stream_Read_UINT16(s, drdynvc->PriorityCharge1);
		Stream_Read_UINT16(s, drdynvc->PriorityCharge2);
		Stream_Read_UINT16(s, drdynvc->PriorityCharge3);
	}

	status = drdynvc_send_capability_response(drdynvc);
	drdynvc->state = DRDYNVC_STATE_READY;
	return status;
}

Stream_Read_UINT16(s, drdynvc->version); Reads a wStream without performing a length value check.

Send To Server Code : channels/drdynvc/client/drdynvc_main.c#839

static UINT drdynvc_send_capability_response(drdynvcPlugin* drdynvc)
{
	UINT status;
	wStream* s;

	if (!drdynvc)
		return CHANNEL_RC_BAD_CHANNEL_HANDLE;

	WLog_Print(drdynvc->log, WLOG_TRACE, "capability_response");
	s = Stream_New(NULL, 4);

	if (!s)
	{
		WLog_Print(drdynvc->log, WLOG_ERROR, "Stream_Ndrdynvc_write_variable_uintew failed!");
		return CHANNEL_RC_NO_MEMORY;
	}

	Stream_Write_UINT16(s,
	                    0x0050); /* Cmd+Sp+cbChId+Pad. Note: MSTSC sends 0x005c */
	Stream_Write_UINT16(s, drdynvc->version);
	status = drdynvc_send(drdynvc, s);

	if (status != CHANNEL_RC_OK)
	{
		WLog_Print(drdynvc->log, WLOG_ERROR, "VirtualChannelWriteEx failed with %s [%08"PRIX32"]",
		           WTSErrorToString(status), status);
	}

	return status;
}

As a result, there is a two-byte outbound reading vulnerability that causes a client memory leak.

Other code like this prevents this vulnerability.

channels/cliprdr/client/cliprdr_main.c#227

	if (Stream_GetRemainingLength(s) < 4)
		return ERROR_INVALID_DATA;

	Stream_Read_UINT16(s, cCapabilitiesSets); /* cCapabilitiesSets (2 bytes) */
	Stream_Seek_UINT16(s); /* pad1 (2 bytes) */

Vulnerability Limits

When running xfreerdp on the client, you must enable the virtual channel through the / echo option.

[akallabeth]

@tonix0114 Thank you for this. Hope the referenced fix eliminates this entirely for this channel.

[akallabeth]

Fixed with #4871