FreeRDP
cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*
- <= 3.20.0
A heap buffer overflow vulnerability has been identified in FreeRDP versions prior to 3.20.1. The issue arises in the RDPEAR component's NDR array reader, which fails to properly validate the on-wire element count. This lack of bounds checking allows for writing beyond the allocated heap buffer, leading to potential heap corruption.
Exploitation of this vulnerability causes a client-side heap buffer overflow, resulting in a crash and potential heap corruption. Depending on the behavior of the memory allocator and the layout of the surrounding heap, this could lead to arbitrary code execution.
The vulnerability can be reproduced by sending a crafted packet to a FreeRDP client. This packet must include an oversized array element count that exceeds the allocated buffer size, bypassing the inadequate bounds checks. The FreeRDP client will then experience a heap buffer overflow, which can be exploited to corrupt memory or execute arbitrary code.
Users can upgrade to FreeRDP version 3.20.1 or later to address this vulnerability.
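The count validation described above, shown as an added example that is not FreeRDP's code: a minimal length-prefixed array reader that checks the on-wire element count against both the destination capacity and the bytes actually remaining. The `wire_cursor` type, the function names and the simplified wire layout (a u32 count followed by u32 elements) are assumptions for illustration, and the sample inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical cursor over received bytes (not a FreeRDP type). */
typedef struct { const uint8_t *data; size_t len, pos; } wire_cursor;

static int read_u32le(wire_cursor *c, uint32_t *out)
{
    if (c->len - c->pos < 4)
        return -1;                       /* truncated input */
    const uint8_t *p = c->data + c->pos;
    *out = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    c->pos += 4;
    return 0;
}

/* Reads: u32 element count, then that many u32 elements, into dst[cap].
 * Returns 0 and sets *n on success, -1 on malformed input. */
int read_u32_array(wire_cursor *c, uint32_t *dst, size_t cap, size_t *n)
{
    uint32_t count;
    if (read_u32le(c, &count) != 0)
        return -1;
    /* The sender controls count: it must fit the caller's allocation. */
    if (count > cap)
        return -1;
    /* It must also be backed by bytes present; dividing avoids overflow. */
    if (count > (c->len - c->pos) / sizeof(uint32_t))
        return -1;
    for (uint32_t i = 0; i < count; i++)
        if (read_u32le(c, &dst[i]) != 0)
            return -1;
    *n = count;
    return 0;
}

/* Constructed samples: a valid 2-element array, and a count of 0x1000. */
static const uint8_t sample_ok[]  = { 2,0,0,0, 0x11,0,0,0, 0x22,0,0,0 };
static const uint8_t sample_bad[] = { 0x00,0x10,0,0, 0x41,0x41,0x41,0x41 };

int main(void)
{
    uint32_t dst[4];
    size_t n = 0;
    wire_cursor ok = { sample_ok, sizeof sample_ok, 0 };
    wire_cursor bad = { sample_bad, sizeof sample_bad, 0 };
    printf("ok=%d\n", read_u32_array(&ok, dst, 4, &n));
    printf("bad=%d\n", read_u32_array(&bad, dst, 4, &n));
    return 0;
}
```

Both checks run before any element is written, so an oversized count is rejected without touching the destination buffer.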