Clients only, Integer underflow leading to DOS (e.g. abort due to WINPR_ASSERT
with default compilation flags)
FreeRDP based clients only. FreeRDP proxy not affected as image decoding is not done by proxy (data passthrough)
When an insufficient blockLen is provided, and proper length validation is not performed, an Integer Underflow occurs, leading to a Denial of Service (DOS) vulnerability.
subStream =
Stream_StaticInit(&subStreamBuffer, Stream_Pointer(s), blockLen - (6 + extraBlockLen));
if (!Stream_SafeSeek(s, blockLen - (6 + extraBlockLen)))
{
return FALSE;
}
cmdId: RDPGFX_CMDID_EVICTCACHEENTRY (0x0008) flags: 0x1337 pduLength: 10
cmdId: RDPGFX_CMDID_EVICTCACHEENTRY (0x0008) flags: 0x1337 pduLength: 10
cmdId: RDPGFX_CMDID_DELETEENCODINGCONTEXT (0x0003) flags: 0x1337 pduLength: 14
cmdId: RDPGFX_CMDID_WIRETOSURFACE_1 (0x0001) flags: 0x1337 pduLength: 38
[19:37:52:704] [20912:6ba7b000] [ERROR][com.freerdp.gdi] - [gdi_SurfaceCommand]: surfaceId=50168, codec=RDPGFX_CODECID_CAVIDEO [3], contextId=0, format=PIXEL_FORMAT_BGRX32, left=11913, top=13572, right=11927, bottom=13607, width=14, height=35 length=13, data=0x60b00009f019, extra=0x0
[19:37:52:704] [20912:6ba7b000] [ERROR][com.freerdp.codec.rfx] - [rfx_process_message]: blockType 0xCCC3 blockLen 7
[19:37:52:704] [20912:6ba7b000] [ERROR][com.freerdp.codec] - [rfx_process_message]: rfx_process_message context->decodedHeaderBlocks => 00
[19:37:52:704] [20912:6ba7b000] [ERROR][com.freerdp.codec] - [rfx_process_message]: blockLen = 7, extraBlockLen = 2, remain = 5
[19:37:52:704] [20912:6ba7b000] [FATAL][com.freerdp.winpr.assert] - [winpr_int_assert]: Stream_GetRemainingCapacity(s) >= _offset [/Users/sprout/Desktop/pwn2car/FreeRDP/winpr/include/winpr/stream.h:Stream_Seek:120]
[19:37:52:705] [20912:6ba7b000] [FATAL][com.freerdp.winpr.assert] - [winpr_log_backtrace_ex]: 0: 0 libwinpr3.3.0.0.dylib 0x000000010631ee24 winpr_execinfo_backtrace + 336
[19:37:52:705] [20912:6ba7b000] [FATAL][com.freerdp.winpr.assert] - [winpr_log_backtrace_ex]: 1: 1 libwinpr3.3.0.0.dylib 0x000000010631895c winpr_backtrace + 24
[19:37:52:705] [20912:6ba7b000] [FATAL][com.freerdp.winpr.assert] - [winpr_log_backtrace_ex]: 2: 2 libwinpr3.3.0.0.dylib 0x0000000106318cb8 winpr_log_backtrace_ex + 304
[19:37:52:705] [20912:6ba7b000] [FATAL][com.freerdp.winpr.assert] - [winpr_log_backtrace_ex]: 3: 3 libfreerdp3.3.0.0.dylib 0x0000000105862738 winpr_int_assert + 168
[19:37:52:705] [20912:6ba7b000] [FATAL][com.freerdp.winpr.assert] - [winpr_log_backtrace_ex]: 4: 4 libfreerdp3.3.0.0.dylib 0x0000000105865448 Stream_Seek + 144
[19:37:52:705] [20912:6ba7b000] [FATAL][com.freerdp.winpr.assert] - [winpr_log_backtrace_ex]: 5: 5 libfreerdp3.3.0.0.dylib 0x0000000105864264 rfx_process_message + 4848
[19:37:52:705] [20912:6ba7b000] [FATAL][com.freerdp.winpr.assert] - [winpr_log_backtrace_ex]: 6: 6 libfreerdp3.3.0.0.dylib 0x00000001059bb65c gdi_SurfaceCommand_RemoteFX + 1756
[19:37:52:705] [20912:6ba7b000] [FATAL][com.freerdp.winpr.assert] - [winpr_log_backtrace_ex]: 7: 7 libfreerdp3.3.0.0.dylib 0x00000001059b343c gdi_SurfaceCommand + 1364
[19:37:52:705] [20912:6ba7b000] [FATAL][com.freerdp.winpr.assert] - [winpr_log_backtrace_ex]: 8: 8 libfreerdp-client3.3.0.0.dylib 0x0000000104b96f5c rdpgfx_decode + 652
[19:37:52:705] [20912:6ba7b000] [FATAL][com.freerdp.winpr.assert] - [winpr_log_backtrace_ex]: 9: 9 libfreerdp-client3.3.0.0.dylib 0x0000000104b827b0 rdpgfx_recv_wire_to_surface_1_pdu + 5360
[19:37:52:705] [20912:6ba7b000] [FATAL][com.freerdp.winpr.assert] - [winpr_log_backtrace_ex]: 10: 10 libfreerdp-client3.3.0.0.dylib 0x0000000104b8000c rdpgfx_recv_pdu + 1064
[19:37:52:705] [20912:6ba7b000] [FATAL][com.freerdp.winpr.assert] - [winpr_log_backtrace_ex]: 11: 11 libfreerdp-client3.3.0.0.dylib 0x0000000104b7f140 rdpgfx_on_data_received + 1096
[19:37:52:705] [20912:6ba7b000] [FATAL][com.freerdp.winpr.assert] - [winpr_log_backtrace_ex]: 12: 12 libfreerdp-client3.3.0.0.dylib 0x0000000104b02634 dvcman_call_on_receive + 360
[19:37:52:705] [20912:6ba7b000] [FATAL][com.freerdp.winpr.assert] - [winpr_log_backtrace_ex]: 13: 13 libfreerdp-client3.3.0.0.dylib 0x0000000104b024a0 dvcman_receive_channel_data + 1092
[19:37:52:705] [20912:6ba7b000] [FATAL][com.freerdp.winpr.assert] - [winpr_log_backtrace_ex]: 14: 14 libfreerdp-client3.3.0.0.dylib 0x0000000104afee88 drdynvc_process_data + 716
[19:37:52:705] [20912:6ba7b000] [FATAL][com.freerdp.winpr.assert] - [winpr_log_backtrace_ex]: 15: 15 libfreerdp-client3.3.0.0.dylib 0x0000000104afd0fc drdynvc_order_recv + 824
[19:37:52:705] [20912:6ba7b000] [FATAL][com.freerdp.winpr.assert] - [winpr_log_backtrace_ex]: 16: 16 libfreerdp-client3.3.0.0.dylib 0x0000000104afcb40 drdynvc_virtual_channel_event_data_received + 1180
[19:37:52:705] [20912:6ba7b000] [FATAL][com.freerdp.winpr.assert] - [winpr_log_backtrace_ex]: 17: 17 libfreerdp-client3.3.0.0.dylib 0x0000000104afb828 drdynvc_virtual_channel_open_event_ex + 432
[19:37:52:705] [20912:6ba7b000] [FATAL][com.freerdp.winpr.assert] - [winpr_log_backtrace_ex]: 18: 18 libfreerdp3.3.0.0.dylib 0x0000000105ab48a0 freerdp_channels_data + 1488
[19:37:52:705] [20912:6ba7b000] [FATAL][com.freerdp.winpr.assert] - [winpr_log_backtrace_ex]: 19: 19 libfreerdp3.3.0.0.dylib 0x0000000105b66154 freerdp_channel_process + 1764
[19:37:52:705] [20912:6ba7b000] [ERROR][com.freerdp.utils.signal] - [fatal_handler]: Caught signal 'Abort trap: 6' [6]
[19:37:52:706] [20912:6ba7b000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 0: 0 libwinpr3.3.0.0.dylib 0x000000010631ee24 winpr_execinfo_backtrace + 336
[19:37:52:706] [20912:6ba7b000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 1: 1 libwinpr3.3.0.0.dylib 0x000000010631895c winpr_backtrace + 24
[19:37:52:706] [20912:6ba7b000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 2: 2 libwinpr3.3.0.0.dylib 0x0000000106318cb8 winpr_log_backtrace_ex + 304
[19:37:52:706] [20912:6ba7b000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 3: 3 libwinpr3.3.0.0.dylib 0x0000000106318b7c winpr_log_backtrace + 44
[19:37:52:706] [20912:6ba7b000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 4: 4 libfreerdp3.3.0.0.dylib 0x000000010591bf34 fatal_handler + 460
[19:37:52:706] [20912:6ba7b000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 5: 5 libsystem_platform.dylib 0x000000018c466a24 _sigtramp + 56
[19:37:52:706] [20912:6ba7b000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 6: 6 libsystem_pthread.dylib 0x000000018c437c28 pthread_kill + 288
[19:37:52:706] [20912:6ba7b000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 7: 7 libsystem_c.dylib 0x000000018c345ae8 abort + 180
[19:37:52:706] [20912:6ba7b000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 8: 8 libfreerdp3.3.0.0.dylib 0x0000000105862740 rfx_message_free + 0
[19:37:52:706] [20912:6ba7b000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 9: 9 libfreerdp3.3.0.0.dylib 0x0000000105865448 Stream_Seek + 144
[19:37:52:706] [20912:6ba7b000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 10: 10 libfreerdp3.3.0.0.dylib 0x0000000105864264 rfx_process_message + 4848
[19:37:52:706] [20912:6ba7b000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 11: 11 libfreerdp3.3.0.0.dylib 0x00000001059bb65c gdi_SurfaceCommand_RemoteFX + 1756
[19:37:52:706] [20912:6ba7b000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 12: 12 libfreerdp3.3.0.0.dylib 0x00000001059b343c gdi_SurfaceCommand + 1364
[19:37:52:706] [20912:6ba7b000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 13: 13 libfreerdp-client3.3.0.0.dylib 0x0000000104b96f5c rdpgfx_decode + 652
[19:37:52:706] [20912:6ba7b000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 14: 14 libfreerdp-client3.3.0.0.dylib 0x0000000104b827b0 rdpgfx_recv_wire_to_surface_1_pdu + 5360
[19:37:52:706] [20912:6ba7b000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 15: 15 libfreerdp-client3.3.0.0.dylib 0x0000000104b8000c rdpgfx_recv_pdu + 1064
[19:37:52:706] [20912:6ba7b000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 16: 16 libfreerdp-client3.3.0.0.dylib 0x0000000104b7f140 rdpgfx_on_data_received + 1096
[19:37:52:706] [20912:6ba7b000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 17: 17 libfreerdp-client3.3.0.0.dylib 0x0000000104b02634 dvcman_call_on_receive + 360
[19:37:52:706] [20912:6ba7b000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 18: 18 libfreerdp-client3.3.0.0.dylib 0x0000000104b024a0 dvcman_receive_channel_data + 1092
[19:37:52:706] [20912:6ba7b000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 19: 19 libfreerdp-client3.3.0.0.dylib 0x0000000104afee88 drdynvc_process_data + 716
Summary
Clients only, Integer underflow leading to DOS (e.g. abort due to
WINPR_ASSERT
with default compilation flags)Affected
FreeRDP based clients only. FreeRDP proxy not affected as image decoding is not done by proxy (data passthrough)
Details
When an insufficient blockLen is provided, and proper length validation is not performed, an Integer Underflow occurs, leading to a Denial of Service (DOS) vulnerability.
PoC
FreeRDP/libfreerdp/codec/rfx.c
Lines 1095 to 1168 in 8fc7062
Send rfx packet with
blockType
<= WBT_EXTENSIONblockLen
== 77 - (6 + 2) == 0xFFFFFFFF
cause integer underflowPatch
Impact
DOS
Log