FreeRDP is a widely used open-source implementation of the Remote Desktop Protocol (RDP) that lets clients connect to remote desktops across platforms. In this post we discuss a recently disclosed vulnerability, CVE-2024-32460, that affects FreeRDP-based clients before 3.5.0 (3.x series) and before 2.11.6 (2.x series) when they use the /bpp:32 legacy GDI drawing path. We also cover the patched versions and a workaround.

Summary of the Vulnerability

FreeRDP-based clients that use the /bpp:32 legacy GDI drawing path with a FreeRDP version before 3.5.0 or 2.11.6 are vulnerable to an out-of-bounds read. The vulnerable component is the client, so the attacker is the RDP server the client connects to: a malicious or compromised server can crash the client (denial of service) or cause it to process memory beyond the intended buffer, which can disclose client memory contents. The upstream advisory describes the flaw as an out-of-bounds read; it does not claim code execution.

The Issue

The out-of-bounds read is reached when the client negotiates a 32 bits-per-pixel (bpp) colour depth and draws through the legacy GDI path. Bitmap data and its geometry on that path come from the server, so an attacker-controlled RDP server can supply input that makes the client read past the end of a buffer, crashing the FreeRDP client or disclosing data from its memory. Clients using the modern drawing paths (RemoteFX via /rfx, or the graphics pipeline via /gfx) do not go through this code.
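The shape of this bug class, as an added C example that is not FreeRDP's code: a legacy-style blit that believes a server-declared colour depth and geometry, beside a hardened version that first checks the declared bitmap against the bytes actually received, the requested rectangle against the source, and the output against the destination. The `bitmap_t` type, the function names and the sample bitmaps are constructed for this illustration and are not identifiers from the FreeRDP tree.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A bitmap as a client receives it: pixel bytes plus the geometry and
 * colour depth the server *claims* for them. Constructed for this
 * example; not a FreeRDP type. */
typedef struct {
    const uint8_t *data;
    size_t len;       /* bytes actually received on the wire */
    uint32_t width;
    uint32_t height;
    uint32_t bpp;     /* server-declared bits per pixel: 8, 15/16, 24 or 32 */
} bitmap_t;

static size_t bytes_per_pixel(uint32_t bpp)
{
    return (bpp + 7) / 8;   /* 15 bpp occupies 2 bytes, 24 takes 3, 32 takes 4 */
}

/* Bytes a row-by-row copy of the whole bitmap would touch if the declared
 * geometry and depth were believed. Returns 0 on bad depth or overflow. */
uint64_t declared_size(const bitmap_t *bm)
{
    uint64_t bpp_bytes = bytes_per_pixel(bm->bpp);
    if (bpp_bytes == 0 || bpp_bytes > 4)
        return 0;
    uint64_t row = (uint64_t)bm->width * bpp_bytes;      /* at most 2^34, no overflow */
    if (bm->height != 0 && row > UINT64_MAX / bm->height)
        return 0;
    return row * bm->height;
}

/* How far past the received buffer an unchecked copy would read. */
uint64_t overread_bytes(const bitmap_t *bm)
{
    uint64_t need = declared_size(bm);
    return need > bm->len ? need - bm->len : 0;
}

/* VULNERABLE pattern: trust the declared depth and geometry and copy w*h
 * pixels. Shown only to make the bug concrete; never call it on untrusted
 * input, because it reads past src->data when len is shorter than declared. */
void blit_unchecked(uint8_t *dst, const bitmap_t *src,
                    uint32_t x, uint32_t y, uint32_t w, uint32_t h)
{
    size_t bpp_bytes = bytes_per_pixel(src->bpp);
    size_t src_stride = (size_t)src->width * bpp_bytes;
    for (uint32_t row = 0; row < h; row++) {
        const uint8_t *from = src->data + (size_t)(y + row) * src_stride + (size_t)x * bpp_bytes;
        memcpy(dst + (size_t)row * w * bpp_bytes, from, (size_t)w * bpp_bytes);
    }
}

/* HARDENED: copy only if the declared bitmap fits the received bytes, the
 * rectangle lies inside the source, and the destination can hold the result.
 * Returns bytes copied, or -1 if the request is rejected. */
long blit_checked(uint8_t *dst, size_t dst_len, const bitmap_t *src,
                  uint32_t x, uint32_t y, uint32_t w, uint32_t h)
{
    uint64_t need = declared_size(src);
    if (need == 0 || need > src->len)
        return -1;                         /* server lied about depth or geometry */
    if (x > src->width || w > src->width - x || y > src->height || h > src->height - y)
        return -1;                         /* rectangle outside the source bitmap */
    if (w == 0 || h == 0)
        return 0;
    uint64_t out = (uint64_t)w * h * bytes_per_pixel(src->bpp);   /* <= need, cannot overflow */
    if (out > dst_len)
        return -1;                         /* would overflow the destination */
    blit_unchecked(dst, src, x, y, w, h);  /* every read is now inside src->data */
    return (long)out;
}

/* Constructed samples: 4x4 pixels declared as 32 bpp. The "lying" one ships
 * only the 32 bytes a 16 bpp bitmap would need; the honest one ships 64. */
static const uint8_t g_wire16[32] = { 0 };
static const uint8_t g_wire32[64] = { 0 };

bitmap_t sample_lying_bitmap(void)  { bitmap_t b = { g_wire16, sizeof g_wire16, 4, 4, 32 }; return b; }
bitmap_t sample_honest_bitmap(void) { bitmap_t b = { g_wire32, sizeof g_wire32, 4, 4, 32 }; return b; }

int main(void)
{
    uint8_t dst[64];
    bitmap_t lie = sample_lying_bitmap(), ok = sample_honest_bitmap();
    printf("unchecked copy of lying bitmap would read %llu bytes past the buffer\n",
           (unsigned long long)overread_bytes(&lie));
    printf("checked blit: lying=%ld honest=%ld\n",
           blit_checked(dst, sizeof dst, &lie, 0, 0, 4, 4),
           blit_checked(dst, sizeof dst, &ok, 0, 0, 4, 4));
    return 0;
}
```

The check that matters is the first one in `blit_checked`: the received length is the only number the client knows to be true, so everything the server declared (depth, width, height, rectangle) has to be validated against it before any pointer is formed from it.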

Affected Versions

FreeRDP 3.x before 3.5.0 and FreeRDP 2.x before 2.11.6, when the client is run with /bpp:32 on the legacy GDI drawing path.

Patched Versions

The issue is fixed in FreeRDP 3.5.0 and 2.11.6. Upgrade clients to the patched release of the series you use. Where an upgrade is not immediately possible, the upstream advisory's workaround is to avoid the legacy GDI path by using a modern drawing path (the /rfx or /gfx client options) instead of /bpp:32.

The following fragment sketches where the problem sits in the legacy GDI drawing path. It is an illustrative stub rather than FreeRDP source: the function and structure names are not taken from the project tree, and the body is cut off after the marker comment.

```c
void gdi_BitBlt_Draw(struct _GDI_BITBLT *bitblt)
{
    BYTE *src_buffer;
    BYTE *dest_buffer;
    UINT32 src_x, src_y, dest_x, dest_y;

    // The out-of-bounds read occurs here
    // (the remainder of the body is not present in the original page)
}
```
Timeline

Published on: 04/22/2024 22:15:07 UTC
Last modified on: 06/10/2024 18:15:33 UTC