FreeRDP
cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*, +1 more
- <= 3.25.0
A heap-buffer-overflow vulnerability has been identified in FreeRDP versions prior to 3.26.0, specifically within the gdi_CacheToSurface function. This vulnerability allows remote attackers to write out-of-bounds data to heap memory. The issue arises because the function's rectangle validation process clamps coordinates to UINT16_MAX, but the actual copy operations use unclamped dimensions from the cache entry. As a result, malicious RDP servers can exploit this flaw by sending large, crafted RDPGFX PDUs that trigger significant out-of-bounds writes. This exploitation could lead to remote code execution or cause the FreeRDP client to crash.
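The mismatch described above, validating a clamped rectangle while copying with the unclamped source size, as an added illustration in C. This is a simplified model written for this page, not FreeRDP's code: the surface, cache-entry and point types and the function names are hypothetical, and the flawed check only admits an overrun when the destination surface is large enough for the clamped edge to fit, which is the precondition the model assumes.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical models of the objects involved; not FreeRDP's own types. */
typedef struct { uint32_t width, height; } surface_t;      /* destination surface */
typedef struct { uint32_t width, height; } cache_entry_t;  /* cached source bitmap */
typedef struct { uint32_t left, top; } dest_pt_t;          /* paste position */

/* Flawed pattern: the bounds check runs on edges clamped to UINT16_MAX,
 * while the copy that follows would use the cache entry's real size. */
static bool check_flawed(const surface_t *dst, const cache_entry_t *src, dest_pt_t at)
{
    uint32_t right  = at.left + src->width;
    uint32_t bottom = at.top + src->height;
    if (right > UINT16_MAX)  right  = UINT16_MAX;
    if (bottom > UINT16_MAX) bottom = UINT16_MAX;
    /* Clamped edges can pass even though the real copy extends further. */
    return right <= dst->width && bottom <= dst->height;
}

/* Hardened pattern: validate the exact extent the copy will touch, in
 * 64-bit arithmetic so the sums cannot wrap, and reject instead of clamping. */
static bool check_hardened(const surface_t *dst, const cache_entry_t *src, dest_pt_t at)
{
    uint64_t right  = (uint64_t)at.left + src->width;
    uint64_t bottom = (uint64_t)at.top + src->height;
    return right <= dst->width && bottom <= dst->height;
}

/* How many columns an unclamped copy would write past the surface's right
 * edge (0 when it fits); useful when triaging a sanitizer report. */
static uint64_t overrun_columns(const surface_t *dst, const cache_entry_t *src, dest_pt_t at)
{
    uint64_t right = (uint64_t)at.left + src->width;
    return right > dst->width ? right - dst->width : 0;
}

int main(void)
{
    /* Constructed case: a surface at the clamp ceiling, a paste near its
     * right edge, and a cache entry wider than the remaining room. */
    surface_t dst = { 65535, 65535 };
    cache_entry_t big = { 10000, 1 };
    dest_pt_t at = { 60000, 0 };
    return (check_flawed(&dst, &big, at) && !check_hardened(&dst, &big, at)) ? 0 : 1;
}
```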
Exploitation of this vulnerability causes a heap-buffer-overflow in the FreeRDP client, which can lead to a crash or potentially allow for remote code execution in the context of the client process.
The vulnerability can be reproduced by using a FreeRDP client version prior to 3.26.0 that has RDPGFX enabled. A malicious RDP server must be set up to send crafted RDPGFX PDUs that exploit the vulnerability. The FreeRDP client can be built with AddressSanitizer and UndefinedBehaviorSanitizer enabled, which will help detect the heap-buffer-overflow when the vulnerable code is executed.
Users can upgrade to FreeRDP version 3.26.0 or later to address this vulnerability.