neutrinolabs xrdp
cpe:2.3:a:neutrinolabs:xrdp:*:*:*:*:*:*:*
- < 0.10.6
A command execution vulnerability has been identified in xrdp, an open-source RDP server, in versions prior to 0.10.6. The issue arises from unsafe handling of the AlternateShell parameter in xrdp-sesman, which allows an authenticated remote user to execute arbitrary commands on the server. With the AllowAlternateShell setting enabled, which is the default, xrdp passes the client-supplied AlternateShell value to /bin/sh -c during session initialization. Unsanitized, user-controlled input is therefore executed as a command, giving remote command execution over RDP within the authenticated user's security context and bypassing the normal session initialization path, which limits execution to interactive desktop environments.
Successful exploitation yields arbitrary command execution on the server, in the context of the authenticated user and before the usual window manager startup.
Users can upgrade to xrdp version 0.10.6 to address this vulnerability.
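An added exposure check for this advisory, not code from the xrdp project or the advisory itself: it compares an installed version string against the 0.10.6 fix and reads the AllowAlternateShell key from a sesman INI fragment. The config file path and the `[Sessions]` section name are assumptions; only the key name and the fixed version come from the advisory.

```python
"""Exposure check for the xrdp-sesman AlternateShell issue (added example)."""
import configparser
import re

FIXED_VERSION = (0, 10, 6)  # first release carrying the fix, per the advisory


def parse_version(text):
    """Extract (major, minor, patch) from strings like 'xrdp 0.10.5' or '0.10.6-1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def version_is_affected(text):
    """True when the installed xrdp version is older than the fixed release."""
    return parse_version(text) < FIXED_VERSION


def alternate_shell_enabled(ini_text):
    """Return True if AllowAlternateShell is enabled in the sesman INI text.

    The advisory says the setting is enabled by default, so a missing key counts
    as enabled. The section holding the key is not assumed; every section is scanned.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    for section in cp.sections():
        if cp.has_option(section, "AllowAlternateShell"):
            return cp.getboolean(section, "AllowAlternateShell")
    return True


def assess(version_text, ini_text):
    """Combine the version and configuration checks into one verdict string."""
    if not version_is_affected(version_text):
        return "not affected (fixed version installed)"
    if alternate_shell_enabled(ini_text):
        return "exposed: upgrade to 0.10.6 or later"
    return "affected version, but AllowAlternateShell disabled (upgrade anyway)"


# Constructed sample input: a hypothetical sesman.ini fragment (the real file
# path, e.g. /etc/xrdp/sesman.ini, is an assumption) and a package version string.
SAMPLE_INI = "[Sessions]\nAllowAlternateShell=true\n"

if __name__ == "__main__":
    print(assess("xrdp 0.10.5", SAMPLE_INI))
```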