FreeRDP Heap-Buffer Overflow Vulnerability in Audio Input Processing

Vulnerability

A heap-buffer overflow vulnerability has been identified in FreeRDP client versions prior to 3.20.1. The issue arises when a malicious RDP server sends Audio Input (AUDIN) format lists, causing the client to write beyond allocated memory. The vulnerability is triggered by reusing a format count variable across multiple message PDUs, leading to memory corruption and a crash.
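The stale-count pattern described above, as an added C model beside a hardened handler. This is not FreeRDP's code: `chan_t`, `fmt_t`, `stale_count_oob_writes` and `process_formats` are hypothetical names, and the model assumes the formats array is sized from each message while the write index is kept in per-channel state.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical, simplified per-channel state (not FreeRDP structures). */
typedef struct { uint16_t tag; uint16_t channels; } fmt_t;
typedef struct { fmt_t *formats; size_t capacity; size_t count; } chan_t;

/* Flawed pattern: the array is sized from this message, but the write index
 * (count) survives from the previous message. The model performs no stores;
 * it returns how many of them would land past the end of the allocation. */
size_t stale_count_oob_writes(chan_t *c, size_t num_formats)
{
    size_t oob = 0;
    c->capacity = num_formats;           /* array re-sized per message */
    for (size_t i = 0; i < num_formats; i++)
        if (c->count++ >= c->capacity)   /* index carried over, never reset */
            oob++;
    return oob;
}

/* Hardened handler: discard the previous list, reset the index, size the
 * array from this message only, and bound every store. */
bool process_formats(chan_t *c, const fmt_t *in, size_t num_formats)
{
    free(c->formats);
    c->formats = NULL;
    c->capacity = 0;
    c->count = 0;
    if (num_formats == 0)
        return true;                     /* empty list: nothing to store */
    c->formats = calloc(num_formats, sizeof(fmt_t));
    if (c->formats == NULL)
        return false;
    c->capacity = num_formats;
    for (size_t i = 0; i < num_formats; i++) {
        if (c->count >= c->capacity)     /* defensive bound on the index */
            return false;
        c->formats[c->count++] = in[i];
    }
    return true;
}
```

In the model, the first four-entry list stays in bounds and the second produces four out-of-bounds stores, while the hardened handler accepts both lists with `count` equal to `capacity`.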

Impact

Exploitation of this vulnerability causes a client-side heap buffer overflow, resulting in a crash and potential memory corruption. This could allow for arbitrary code execution, depending on how the memory allocator handles the corrupted heap.

Reproduction

To reproduce this vulnerability, build and run the FreeRDP client with AddressSanitizer (ASan) enabled. Connect to an RDP server that sends 'MSG_SNDIN_FORMATS' twice on the AUDIN channel. Each message should include a number of formats that exceeds the capacity of the allocated formats array. The client will crash while processing the second message, demonstrating the heap-buffer overflow.

Remediation

Users can upgrade to FreeRDP version 3.20.1 or later to address this vulnerability.

Added: Jan 14, 2026, 6:26 PM
Updated: Jan 14, 2026, 6:26 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 10.0
exploitability: 5.8
remediation: 7.7
relevance: 2.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.