FreeRDP Denial-of-Service Vulnerability via Unvalidated auth_length in RDP Gateway Transport

Vulnerability

A denial-of-service vulnerability has been identified in FreeRDP, a free implementation of the Remote Desktop Protocol, prior to version 3.24.2. The issue arises from an unvalidated auth_length field read from the network, which triggers a WINPR_ASSERT failure in the function rts_read_auth_verifier_no_checks. This assertion failure causes any FreeRDP client connecting through a malicious RDP Gateway to crash with a SIGABRT signal. The vulnerability affects all FreeRDP clients using RPC-over-HTTP gateway transport and is present in default release builds where WINPR_ASSERT is enabled.

Impact

Exploitation of this vulnerability leads to a crash of the FreeRDP client, causing a denial-of-service condition. The crash occurs during the connection setup process, before authentication, allowing a malicious RDP Gateway to disrupt the client without requiring credentials.

Reproduction

The vulnerability can be reproduced by using a FreeRDP client version 3.24.1 or earlier that is built with the WINPR_VERBOSE_ASSERT option enabled. When the client connects to an RDP Gateway that sends a maliciously crafted RPC PDU with an auth_length value that exceeds the frag_length, the client will crash due to the triggered assertion. This can be automated with a proof-of-concept program that simulates the malicious RDP Gateway behavior.

Remediation

Users can upgrade to FreeRDP version 3.24.2 or later, where this vulnerability has been patched.
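The class of check that prevents this crash, as an added example (not FreeRDP's code or its patch): validate auth_length against frag_length and the bytes received, and return an error instead of asserting on wire data. The function names are hypothetical; the field offsets assume the 16-byte DCE/RPC connection-oriented common header, an 8-byte fixed auth verifier part, and little-endian data representation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added illustration, not FreeRDP source; all identifiers are hypothetical. */
#define RPC_COMMON_HDR_LEN 16u  /* DCE/RPC connection-oriented common header */
#define RPC_SEC_TRAILER_LEN 8u  /* fixed part of the auth verifier */

static uint16_t rd_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Validates frag_length/auth_length against each other and against the bytes
 * actually received. On success stores the offset of the auth verifier
 * (0 when auth_length == 0). Wire data never reaches an assert. */
bool rpc_frag_lengths_ok(const uint8_t *buf, size_t received, size_t *auth_offset)
{
    if (!buf || !auth_offset || received < RPC_COMMON_HDR_LEN)
        return false;
    const uint16_t frag_length = rd_le16(buf + 8);  /* assumes little-endian drep */
    const uint16_t auth_length = rd_le16(buf + 10);
    if (frag_length < RPC_COMMON_HDR_LEN || frag_length > received)
        return false; /* fragment shorter than a header or longer than the data */
    *auth_offset = 0;
    if (auth_length == 0)
        return true;
    const size_t body = (size_t)frag_length - RPC_COMMON_HDR_LEN;
    if (body < RPC_SEC_TRAILER_LEN || auth_length > body - RPC_SEC_TRAILER_LEN)
        return false; /* auth_length does not fit inside the fragment */
    *auth_offset = (size_t)frag_length - auth_length - RPC_SEC_TRAILER_LEN;
    return true;
}

/* Builds a constructed, zero-filled fragment with the given length fields and
 * returns the verifier offset, or -1 if the fragment is rejected. */
long check_sample(uint16_t frag_length, uint16_t auth_length, size_t received)
{
    uint8_t buf[256];
    size_t off = 0;
    if (received > sizeof(buf))
        return -1;
    memset(buf, 0, sizeof(buf));
    buf[8] = (uint8_t)(frag_length & 0xff);
    buf[9] = (uint8_t)(frag_length >> 8);
    buf[10] = (uint8_t)(auth_length & 0xff);
    buf[11] = (uint8_t)(auth_length >> 8);
    return rpc_frag_lengths_ok(buf, received, &off) ? (long)off : -1;
}
```

A rejected fragment should end the gateway connection attempt with an ordinary error, so a hostile or broken gateway cannot abort the client process.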

Added: Mar 30, 2026, 10:35 PM
Updated: Mar 30, 2026, 10:35 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 4.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.