Deskflow Clipboard Deserialization Out-of-Bounds Read Vulnerability

Vulnerability

A remote memory-safety vulnerability has been identified in Deskflow, a keyboard and mouse sharing application, prior to version 1.26.0.138. The issue arises in the clipboard deserialization process, where a connected peer can trigger an out-of-bounds read by sending a malformed clipboard update. This vulnerability is rooted in the improper validation of the internal structure of serialized clipboard data, allowing exploitation by crafting specific clipboard payloads.

Impact

Exploitation of this vulnerability leads to a remote out-of-bounds read in the clipboard parser, causing a process crash or, in some cases, allowing adjacent process memory to be copied into clipboard contents, which could then be exposed to the local user or relayed to another peer.

Reproduction

Reproducing this vulnerability requires two Deskflow instances: one running as a server and the other connecting to it as a client, with clipboard sharing enabled between the peers. Once the connection is established, a malformed clipboard update that exploits the deserialization flaw is sent to the server. This can be done by sending a clipboard payload that exceeds the declared size, causing the application to read past the end of the buffer and potentially crash or corrupt memory.

Remediation

Users should update Deskflow to version 1.26.0.138 or later.

Added: Apr 24, 2026, 8:46 PM
Updated: Apr 24, 2026, 8:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 6.6
remediation: 0.0
relevance: 6.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.