FreeRDP Heap-Buffer-Overflow Vulnerability in Persistent Cache Allocator Prior to 3.24.2

Vulnerability

A heap-buffer-overflow vulnerability has been identified in FreeRDP versions through 3.24.1. The issue lies in persistent cache management, in the file 'libfreerdp/cache/persistent.c'. The 'persistent_cache_new()' function allocates memory for bitmap data using 'calloc'. This allocation method does not properly align the memory, leading to a buffer overflow when the 'persistent_cache_read_entry_v3()' function attempts to read the data. Any v3 persistent cache file containing an entry larger than 64x64 pixels at 32 bits per pixel, a common scenario, can trigger the vulnerability. The misalignment causes the signature check to fail, allowing for a mismatched free operation that results in undefined behavior.

Impact

Exploitation of this vulnerability leads to a heap-buffer-overflow read, where 24 bytes before the allocated buffer are improperly accessed. This out-of-bounds read can potentially be exploited to manipulate heap metadata, causing 'winpr_aligned_free()' to be called on a pointer that was originally allocated with 'calloc', creating a mismatch that could be exploited.
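The allocator mismatch described above, reduced to a toy header-prefixed allocator, as an added example that is not FreeRDP or WinPR code. All 'toy_*' and 'demo_*' names and the header layout are assumptions; the 24-byte header and the 64x64 at 32 bits per pixel starting size mirror the figures in this advisory, and the matched variant is one way to avoid the mismatch, not necessarily the project's fix.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Toy header-prefixed allocator: hypothetical, NOT WinPR's implementation.
 * Alignment padding is omitted; only the hidden header matters here. */
#define TOY_SIG 0x0BA0BAB0u
typedef struct { uint32_t sig, pad; uint64_t size; void *base; } toy_hdr;
_Static_assert(sizeof(toy_hdr) == 24, "demo assumes a 24-byte header (LP64)");
static toy_hdr *hdr_of(void *p) { return (toy_hdr *)((uint8_t *)p - sizeof(toy_hdr)); }
void *toy_calloc(size_t n) {
    uint8_t *raw = calloc(1, sizeof(toy_hdr) + n);
    if (!raw) return NULL;
    toy_hdr *h = (toy_hdr *)raw;
    h->sig = TOY_SIG; h->size = n; h->base = raw;
    return raw + sizeof(toy_hdr);
}
void toy_free(void *p) { if (p && hdr_of(p)->sig == TOY_SIG) free(hdr_of(p)->base); }
/* Grow a buffer. The header lookup reads sizeof(toy_hdr) bytes BEFORE p. */
void *toy_recalloc(void *p, size_t n) {
    toy_hdr *old = hdr_of(p);
    if (old->sig != TOY_SIG) return NULL;          /* pointer is not ours */
    uint8_t *np = toy_calloc(n);
    if (!np) return NULL;
    memcpy(np, p, old->size < n ? old->size : n);
    toy_free(p);
    return np;
}

/* Mismatch: a plain buffer reaches toy_recalloc. It is carved from a larger
 * zeroed arena so the header read stays defined in this demo; with a real
 * calloc() pointer those 24 bytes lie outside the allocation. */
int demo_mismatch(void) {
    uint8_t *arena = calloc(1, sizeof(toy_hdr) + 64 * 64 * 4);
    if (!arena) return -1;
    int rejected = toy_recalloc(arena + sizeof(toy_hdr), 128 * 128 * 4) == NULL;
    free(arena);
    return rejected;
}

/* Matched: one allocator family for allocate, grow and free. */
int demo_matched(void) {
    uint8_t *buf = toy_calloc(64 * 64 * 4), *big;
    if (!buf) return -1;
    buf[0] = 0xAB;
    if (!(big = toy_recalloc(buf, 128 * 128 * 4))) { toy_free(buf); return -1; }
    int ok = big[0] == 0xAB && hdr_of(big)->size == 128 * 128 * 4;
    toy_free(big);
    return ok;
}
```

Building real code with AddressSanitizer surfaces the same pattern as a read just before the start of the heap block, which is how this class of mismatch is usually caught in testing.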

Reproduction

The vulnerability can be reproduced by creating a v3 persistent cache file that includes an entry larger than 64x64 pixels at 32 bits per pixel. When this file is read by FreeRDP versions through 3.24.1, the 'persistent_cache_read_entry_v3()' function will trigger the heap-buffer-overflow read vulnerability by accessing memory 24 bytes before the allocated buffer.

Remediation

Users can upgrade to FreeRDP version 3.24.2, where this vulnerability has been patched.

Added: Mar 30, 2026, 10:31 PM
Updated: Mar 30, 2026, 10:31 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 1.3
exploitability: 5.4
remediation: 7.7
relevance: 4.9
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.