FreeRDP is a widely used open-source implementation of Microsoft's Remote Desktop Protocol (RDP), enabling users to remotely access other devices via RDP. Unfortunately, a critical vulnerability has been discovered affecting FreeRDP-based clients, which can lead to serious security risks.

The vulnerability, tracked as CVE-2024-32039, affects FreeRDP-based clients built on versions of FreeRDP before 3.5.0 (3.x series) or 2.11.6 (2.x series). Crafted codec data can trigger an integer overflow and a subsequent out-of-bounds write inside the client, which could be leveraged for remote code execution on the machine running the client.

This post looks at the vulnerability in more detail: the affected code path, links to the original references, what is publicly known about exploitability, and the recommended mitigations.

Vulnerability Details

The advisory names the affected routine as clear_decompress_residual_data, which decodes the residual layer of a ClearCodec bitmap. ClearCodec is one of the codecs delivered over the RDPGFX graphics pipeline (the /gfx path), which is why the workaround below is to disable that pipeline. Crafted codec data from the remote end causes an integer overflow in the decoder's size handling; the buffer written afterwards is therefore smaller than the data being written into it, producing an out-of-bounds write on the client that may be exploitable for code execution.

The sketch below is not the ClearCodec decoder itself; it shows the underlying pattern in its simplest form. A fixed-size header is length-checked, its fields are read, and the count and size fields are handed back without any bound on the values they carry:

BOOL update_read_glyph_update(wStream* s, GLYPH_UPDATE* glyph)
{
    /* Only the fixed 8-byte header is length-checked here. */
    if (Stream_GetRemainingLength(s) < 8)
        return FALSE;

    Stream_Read_UINT16(s, glyph->cacheVersion);
    Stream_Read_UINT16(s, glyph->cacheSize);
    Stream_Read_UINT16(s, glyph->numberOfEntries); /* attacker-controlled */
    Stream_Read_UINT16(s, glyph->sizeOfEntries);   /* attacker-controlled */

    /* Nothing validates numberOfEntries or sizeOfEntries, nor the
       numberOfEntries * sizeOfEntries bytes that must still follow. */
    return TRUE;
}

If a consumer of these fields computes a buffer size as numberOfEntries * sizeOfEntries in narrow arithmetic, a crafted pair makes the product wrap to a small value: the allocation is undersized, while the copy loop that follows still iterates over the full attacker-chosen count and writes past the end of the buffer. That integer-overflow-to-out-of-bounds-write chain is what the advisory describes for clear_decompress_residual_data, where the sizes involved come from the bitmap dimensions and run lengths carried in the codec data.
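To make the bug class concrete, here is an added example written for this post. It is not FreeRDP's code and not the patched function; it is a toy run-length residual decoder in the same spirit as clear_decompress_residual_data. The function names, the entry layout (B, G, R, a 1-byte run with a little-endian 16-bit extension when the run byte is 0xFF) and the 4-byte BGRX output are simplifying assumptions. It shows the unchecked 32-bit width * height product wrapping to zero, the hardened size check that rejects it, and the per-run bound that stops a crafted run from writing past the pixel buffer:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BYTES_PER_PIXEL 4u

/* Vulnerable pattern: dimensions arrive as 32-bit values and are multiplied
 * in 32-bit arithmetic. 0x10000 * 0x10000 wraps to 0, so a buffer sized from
 * the result is far smaller than the pixels the decoder goes on to write. */
uint32_t pixel_count_unchecked(uint32_t width, uint32_t height)
{
    return width * height;
}

/* Hardened pattern: bound the inputs (surface dimensions are 16-bit on the
 * wire), compute in 64-bit, and also make sure the byte size fits 32 bits. */
bool pixel_count_checked(uint32_t width, uint32_t height, uint32_t* out)
{
    if (width == 0 || height == 0 || width > 0xFFFF || height > 0xFFFF)
        return false;
    uint64_t pixels = (uint64_t)width * height;
    if (pixels > UINT32_MAX / BYTES_PER_PIXEL)
        return false;
    *out = (uint32_t)pixels;
    return true;
}

/* Toy residual decoder (assumed layout, not the real ClearCodec format):
 * entries of B, G, R, run; a run byte of 0xFF is followed by a little-endian
 * 16-bit extended run. Fills dst with BGRX pixels. Returns the number of
 * pixels written, or 0 on any malformed input. */
uint32_t decode_residual(uint32_t width, uint32_t height,
                         const uint8_t* data, size_t len,
                         uint8_t* dst, size_t dstLen)
{
    uint32_t pixelCount = 0;
    uint32_t pixelIndex = 0;
    size_t off = 0;

    if (!pixel_count_checked(width, height, &pixelCount))
        return 0;
    if (dstLen < (size_t)pixelCount * BYTES_PER_PIXEL)
        return 0;

    while (off < len)
    {
        if (len - off < 4)
            return 0; /* truncated entry */
        uint8_t b = data[off];
        uint8_t g = data[off + 1];
        uint8_t r = data[off + 2];
        uint32_t run = data[off + 3];
        off += 4;
        if (run == 0xFF)
        {
            if (len - off < 2)
                return 0; /* truncated extended run */
            run = (uint32_t)data[off] | ((uint32_t)data[off + 1] << 8);
            off += 2;
        }
        /* The bound that prevents the out-of-bounds write: a run may not
         * exceed the pixels still unwritten in the destination. */
        if (run > pixelCount - pixelIndex)
            return 0;
        for (uint32_t i = 0; i < run; i++)
        {
            uint8_t* p = dst + (size_t)(pixelIndex + i) * BYTES_PER_PIXEL;
            p[0] = b;
            p[1] = g;
            p[2] = r;
            p[3] = 0xFF;
        }
        pixelIndex += run;
    }
    return pixelIndex;
}

int main(void)
{
    /* Constructed sample: a 4x2 surface, one run of 3 and an extended run
     * of 5 (run byte 0xFF followed by 16-bit 0x0005). */
    static const uint8_t good[] = { 0x11, 0x22, 0x33, 3,
                                    0x44, 0x55, 0x66, 0xFF, 5, 0 };
    /* Constructed attack: the second run claims 6 pixels, only 5 remain. */
    static const uint8_t bad[] = { 0, 0, 0, 3, 1, 1, 1, 6 };
    uint8_t dst[4 * 2 * BYTES_PER_PIXEL];
    uint32_t n = 0;

    printf("unchecked 0x10000*0x10000 = %u\n",
           pixel_count_unchecked(0x10000u, 0x10000u));
    printf("checked accepts 0x10000x0x10000: %d\n",
           pixel_count_checked(0x10000u, 0x10000u, &n));
    printf("good input: %u pixels\n",
           decode_residual(4, 2, good, sizeof good, dst, sizeof dst));
    printf("bad input: %u pixels\n",
           decode_residual(4, 2, bad, sizeof bad, dst, sizeof dst));
    return 0;
}
```

The two checks are independent and both are needed: the 64-bit size computation stops the allocation from being undersized, and the per-run bound stops an individual run from walking off the end of a correctly sized buffer. Dropping either one reintroduces an out-of-bounds write reachable from the wire.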

Original References

The FreeRDP community has acknowledged this vulnerability, and it has been documented in detail on their GitHub page: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-q7cq-3rxc-ggw5

Exploit Details

The vulnerable code runs in the client, so the attacker's position is the server side of the session: a malicious RDP server that the victim is lured into connecting to, or a legitimate server that has been compromised, can send crafted ClearCodec data once the graphics pipeline has been negotiated. No public exploit or proof of concept had been released at the time of writing, but the bug class (an out-of-bounds write driven by attacker-controlled sizes) is well understood, so users should apply the fix or the workaround rather than wait for one.

Mitigation

To protect affected systems from CVE-2024-32039, update to FreeRDP 3.5.0 or later (3.x series) or 2.11.6 or later (2.x series), which contain the fix. The flaw is in libfreerdp, so every client built on it needs the patched library: xfreerdp and sdl-freerdp shipped by the project, and any third-party client that links libfreerdp.

If updating is not immediately possible, avoid the /gfx options on the FreeRDP command line. ClearCodec is only used over the RDPGFX graphics pipeline, so keeping that pipeline off keeps the vulnerable decoder out of the session. The pipeline is enabled by default; the advisory's workaround is to specify /bpp:32 or /rfx instead, which use the older non-GFX update paths. This removes only one decoder from the attack surface and is not a substitute for updating.

For example

xfreerdp /v:target_host /u:username /p:password /bpp:32

Where possible, leave /p: off the command line: a password passed as an argument is visible to other local users in the process list, and xfreerdp prompts for it interactively when it is not supplied.

In conclusion, CVE-2024-32039 is a critical vulnerability in FreeRDP's ClearCodec decoder that lets a malicious or compromised server cause an integer overflow and out-of-bounds write in the client. Updating to 3.5.0 / 2.11.6 or later, or disabling the graphics pipeline as an interim measure, closes off this flaw.

Timeline

Published on: 04/22/2024 21:15:49 UTC
Last modified on: 06/10/2024 18:15:32 UTC