Credit:
The information has been provided by iDefense Labs Security Advisories.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=698, http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=697 and http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=696
Vulnerable Systems:
* rdesktop version 1.5.0
Multiple Vendor rdesktop channel_process() Integer Signedness Vulnerability
Remote exploitation of an integer signedness vulnerability in rdesktop, as included in various vendors' operating system distributions, allows attackers to execute arbitrary code with the privileges of the logged-in user.
The vulnerability exists within the code responsible for reallocating dynamic buffers. The rdesktop xrealloc() function uses a signed comparison to determine if the requested allocation size is less than 1. When this occurs, the function will incorrectly set the allocation size to be 1. This results in an improperly sized heap buffer being allocated, which can later be overflowed.
Analysis:
Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the logged-in user. In order to exploit this vulnerability, an attacker must persuade a targeted user to connect to a malicious RDP server.
Vendor response:
The rdesktop maintainer has addressed this vulnerability with CVS revision 1.162 of rdesktop.c. For more information, visit the following URL:
http://rdesktop.cvs.sourceforge.net/rdesktop/rdesktop/rdesktop.c?view=diff&pathrev=HEAD&r1=text&tr1=1.162&r2=text&tr2=1.118&diff_format=h#l1134
CVE Information:
CVE-2008-1803
Multiple Vendor rdesktop process_redirect_pdu() BSS Overflow Vulnerability
Remote exploitation of a BSS overflow vulnerability in rdesktop, as included in various vendors' operating system distributions, allows attackers to execute arbitrary code with the privileges of the logged-in user.
The vulnerability exists within the code responsible for reading in an RDP redirect request. This request is used to redirect an RDP connection from one server to another. When parsing the redirect request, the rdesktop client reads several 32-bit integers from the request packet. These integers are then used to control the number of bytes read into statically allocated buffers. This results in several buffers located in the BSS section being overflowed, which can lead to the execution of arbitrary code.
Analysis:
Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the logged-in user. In order to exploit this vulnerability, an attacker must persuade a targeted user to connect to a malicious RDP server.
Vendor response:
The rdesktop maintainer has addressed this vulnerability with CVS revision 1.102 of rdp.c. For more information, visit the following URL:
http://rdesktop.cvs.sourceforge.net/rdesktop/rdesktop/rdp.c?annotate=1.102&pathrev=HEAD#l1337
CVE Information:
CVE-2008-1802
Multiple Vendor rdesktop iso_recv_msg() Integer Underflow Vulnerability
Remote exploitation of an integer underflow vulnerability in rdesktop, as included in various vendors' operating system distributions, allows attackers to execute arbitrary code with the privileges of the logged-in user.
The vulnerability exists within the code responsible for reading in an RDP request. When reading a request, a 16-bit integer value that represents the number of bytes that follow is taken from the packet. This value is then decremented by 4, and used to calculate how many bytes to read into a heap buffer. The subtraction operation can underflow, which will then lead to the heap buffer being overflowed.
Analysis:
Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the logged-in user. In order to exploit this vulnerability, an attacker must persuade a targeted user to connect to a malicious RDP server.
Vendor response:
The rdesktop maintainer has addressed this vulnerability with CVS revision 1.20 of iso.c. For more information, visit the following URL:
http://rdesktop.cvs.sourceforge.net/rdesktop/rdesktop/iso.c?annotate=1.20&diff_format=h&pathrev=HEAD#l101
CVE Information:
CVE-2008-1801
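The length arithmetic described for iso_recv_msg() above, shown as an added example beside a checked form. This is not rdesktop code and not the maintainer's fix: the function names, the 4-byte header layout with a big-endian length in its last two bytes, and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed header size, matching the "decremented by 4" in the advisory. */
#define HDR_LEN 4u

/* Unchecked arithmetic: a length field below 4 wraps to a huge count. */
size_t body_len_unchecked(uint16_t length)
{
    return (size_t)length - HDR_LEN;
}

/* Checked form: validates the field before subtracting and before it is
 * used as a read size. Returns 0 and stores the body length in *out, or
 * -1 if the field is shorter than the header or larger than the buffer. */
int body_len_checked(const uint8_t hdr[HDR_LEN], size_t buf_cap, size_t *out)
{
    /* Assumed layout: bytes 2..3 hold the big-endian total length. */
    uint16_t length = (uint16_t)((hdr[2] << 8) | hdr[3]);

    if (length < HDR_LEN)
        return -1;                 /* subtraction would underflow */
    size_t body = (size_t)length - HDR_LEN;
    if (body > buf_cap)
        return -1;                 /* read would overflow the destination */
    *out = body;
    return 0;
}

int main(void)
{
    /* Constructed sample headers, not captured traffic. */
    const uint8_t ok[HDR_LEN]   = {3, 0, 0x00, 0x10};   /* length 16 */
    const uint8_t tiny[HDR_LEN] = {3, 0, 0x00, 0x03};   /* length 3  */
    size_t n = 0;

    printf("unchecked(3) = %zu\n", body_len_unchecked(3));
    int rc = body_len_checked(ok, 64, &n);
    printf("checked(16)  = %d, body %zu\n", rc, n);
    printf("checked(3)   = %d\n", body_len_checked(tiny, 64, &n));
    return 0;
}
```

The same pattern, rejecting a peer-supplied size before any arithmetic or copy uses it, applies to the 32-bit lengths in the redirect request and to the size passed to the reallocation routine.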