FreeRDP Heap Use-After-Free Vulnerability in IRP Thread Function

Vulnerability

A heap use-after-free vulnerability has been identified in FreeRDP, a free implementation of the Remote Desktop Protocol. This issue occurs in versions of FreeRDP through 3.20.0, within the 'irp_thread_func' function. The vulnerability arises because the IRP is freed by the 'irp->Complete()' method and then accessed again on the error path, creating a potential for exploitation.

Impact

Exploitation of this vulnerability can lead to a heap buffer overflow on the client side, causing a crash and a denial-of-service condition. Additionally, it may result in heap corruption, with a risk of arbitrary code execution depending on the behavior of the memory allocator and the layout of the heap.

Reproduction

To reproduce this vulnerability, enable serial redirection and connect to an RDP server. Once connected, send an IRP to trigger the 'irp_thread_func' execution. Then, force the RDPDR send operation to fail, such as by closing the RDPDR channel or dropping the response. This failure will cause the IRP to be freed, and the subsequent 'data->irp->Discard()' call will dereference the already freed IRP, triggering the use-after-free condition.
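The ownership pattern behind this sequence, as an added example (a constructed model, not FreeRDP source and not the 3.20.1 patch): the names IRP, Complete and Discard follow the advisory, while the struct layout, the helper functions and the hardened variant are assumptions. A "freed" IRP is modelled as a slot marked not live, so the stale access on the error path is counted rather than corrupting a real heap.

```c
#include <stddef.h>

/* Constructed model, not FreeRDP code. */
typedef struct irp IRP;
struct irp {
    int live;                      /* 1 while the IRP is allocated */
    int (*Complete)(IRP *irp);     /* always releases the IRP */
    void (*Discard)(IRP *irp);     /* releases an IRP that was never completed */
};

static int stale_accesses;         /* times an already released IRP was touched */
static int send_fails;             /* simulates the RDPDR send operation failing */

static void irp_release(IRP *irp)
{
    if (!irp->live)
        stale_accesses++;          /* on a real heap this is the use-after-free */
    irp->live = 0;
}
static int irp_complete(IRP *irp)
{
    irp_release(irp);              /* the IRP is gone whether or not the send worked */
    return send_fails ? -1 : 0;
}
static void irp_discard(IRP *irp) { irp_release(irp); }

/* Pattern from the advisory: the error path touches the IRP after Complete(). */
static int thread_func_buggy(IRP *irp)
{
    int rc = irp->Complete(irp);
    if (rc != 0)
        irp->Discard(irp);         /* IRP was already released by Complete() */
    return rc;
}

/* Hardened (assumed fix): Complete() consumes the IRP on every path, so the
 * caller's pointer is cleared first and no error path can reach it again. */
static int thread_func_fixed(IRP **pirp)
{
    IRP *irp = *pirp;
    *pirp = NULL;
    return irp->Complete(irp);
}

/* Runs one scenario and returns the number of stale accesses it produced. */
int run_scenario(int fixed, int fail)
{
    IRP irp = { 1, irp_complete, irp_discard }, *p = &irp;
    stale_accesses = 0;
    send_fails = fail;
    if (fixed) thread_func_fixed(&p); else thread_func_buggy(p);
    return stale_accesses;
}
```

Only the buggy variant with a failing send records a stale access; building the real client with AddressSanitizer reports the same condition as a heap-use-after-free.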

Remediation

Users can upgrade to FreeRDP version 3.20.1, where this vulnerability has been patched.

Added: Jan 14, 2026, 6:19 PM
Updated: Jan 14, 2026, 6:19 PM