FreeRDP
cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*
- Affected versions: <= 3.20.0
A heap buffer overflow vulnerability has been identified in the FreeRDP URBDRC client, in versions prior to 3.20.1. The issue arises because the client fails to perform proper bounds checking on server-supplied MSUSB_INTERFACE_DESCRIPTOR values. These unchecked values are used as indices in a libusb configuration setup function, leading to an out-of-bounds read. This vulnerability can be exploited by a malicious RDP server that sends a crafted TS_URB_SELECT_CONFIGURATION message, causing a client-side crash and potential heap corruption with a risk of code execution, depending on the allocator's behavior and the surrounding heap layout.
Exploitation of this vulnerability causes a crash and a denial-of-service condition on the affected client. However, it also introduces the risk of heap corruption, which could be exploited for arbitrary code execution, depending on how the memory allocator handles the corrupted heap.
To reproduce this vulnerability, enable USB redirection in a FreeRDP client version prior to 3.20.1. Connect to a malicious RDP server that sends a crafted TS_URB_SELECT_CONFIGURATION message. Set the NumInterfaces parameter to 1, and provide an interface descriptor that includes an InterfaceNumber or AlternateSetting value larger than the actual counts of the device's interfaces or alternate settings.
Users can upgrade to FreeRDP version 3.20.1 or later to address this vulnerability.
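The kind of bounds check the description says was missing, as an added example (not FreeRDP's code or its patch): both server-supplied indices are validated against the counts in the device's own configuration descriptor before either is used. The struct and function names are hypothetical stand-ins modeled on libusb's `interface[]` / `altsetting[]` layout, and the sample device is constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-ins for the libusb configuration layout
 * (config descriptor -> interface[] -> altsetting[]). */
struct alt_desc    { uint8_t bInterfaceNumber, bAlternateSetting, bNumEndpoints; };
struct iface       { const struct alt_desc *altsetting; int num_altsetting; };
struct config_desc { const struct iface *interface; uint8_t bNumInterfaces; };

/* Hypothetical view of the server-supplied fields named in the advisory. */
struct msusb_iface { uint8_t InterfaceNumber, AlternateSetting; };

/* Return the selected alternate setting, or NULL if either server-supplied
 * index falls outside what the device's descriptor actually contains. */
const struct alt_desc *select_alt(const struct config_desc *cfg,
                                  const struct msusb_iface *req)
{
    if (!cfg || !req || !cfg->interface)
        return NULL;
    if (req->InterfaceNumber >= cfg->bNumInterfaces)
        return NULL;                    /* interface index out of range */
    const struct iface *ifc = &cfg->interface[req->InterfaceNumber];
    if (!ifc->altsetting || ifc->num_altsetting <= 0)
        return NULL;                    /* nothing to index into */
    if (req->AlternateSetting >= ifc->num_altsetting)
        return NULL;                    /* alternate setting out of range */
    return &ifc->altsetting[req->AlternateSetting];
}

/* Constructed sample device: 2 interfaces; interface 0 has 2 alt settings. */
static const struct alt_desc if0_alts[] = { {0, 0, 1}, {0, 1, 2} };
static const struct alt_desc if1_alts[] = { {1, 0, 1} };
static const struct iface sample_ifaces[] = { { if0_alts, 2 }, { if1_alts, 1 } };
static const struct config_desc sample_cfg = { sample_ifaces, 2 };

/* 1 if the request is accepted against the sample device, 0 if rejected. */
int accepts(uint8_t iface_no, uint8_t alt)
{
    struct msusb_iface req = { iface_no, alt };
    return select_alt(&sample_cfg, &req) != NULL;
}
```

A rejected request should fail the URB rather than fall back to index 0, so the server never learns a selection succeeded that the device did not make.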