FreeRDP
cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*, +1 more
- <= 3.25.0
A heap-buffer overflow vulnerability has been identified in FreeRDP versions prior to 3.26.0, specifically within the server-side clipboard (cliprdr) channel. This vulnerability allows a malicious RDP client to cause a heap-buffer overflow by sending a CB_CLIP_CAPS PDU with an undersized capabilitySetLength. The resulting heap memory corruption can lead to a crash of the server process, causing a remote denial-of-service condition, and may also be exploitable for code execution. The vulnerability arises in the capability parsing routine of the cliprdr server, where improper validation of the capabilitySetLength allows for out-of-bounds writes.
Exploitation of this vulnerability causes a heap-buffer overflow, leading to heap memory corruption. This can crash the server process, causing a remote denial-of-service condition, and may be exploitable for remote code execution, depending on the behavior of the memory allocator and the presence of build hardening.
The vulnerability can be reproduced by building FreeRDP with AddressSanitizer enabled, which detects the memory corruption at the point it occurs. After compiling FreeRDP with the appropriate flags to include debugging information and sanitization for address and undefined behavior, a CB_CLIP_CAPS PDU can be crafted with a capabilitySetLength of 1, which is too small for the expected data. When this PDU is sent to the FreeRDP server, the server allocates a 1-byte buffer sized by that field and then writes 12 bytes into it; AddressSanitizer reports this as a heap-buffer-overflow error.
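The defect class described above is a parser that trusts a length field supplied by the peer to size its allocation while still writing a fixed-size structure. The following C example is added here to show the bounds checks such a capability parser needs; it is not FreeRDP's code or its fix. The byte layout (a CB_CLIP_CAPS body of cCapabilitiesSets and padding followed by capability sets, each beginning with capabilitySetType and capabilitySetLength, with the 12-byte general set as type 1) is assumed from the MS-RDPECLIP specification, the function and constant names are hypothetical, and the sample bodies are constructed rather than captured traffic. The parser rejects a set whose declared length is smaller than the structure it must fill (the capabilitySetLength of 1 case) and a set whose declared length runs past the bytes actually received.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout (MS-RDPECLIP): a CB_CLIP_CAPS body carries cCapabilitiesSets(2) pad(2)
 * followed by capability sets, each starting with capabilitySetType(2) capabilitySetLength(2).
 * The general set is type 1 and is 12 bytes: header(4) version(4) generalFlags(4). */
#define CAPS_SET_HDR_LEN       4u
#define CAPS_GENERAL_FIXED_LEN 12u
#define CAPSTYPE_GENERAL       1u

typedef struct {
    uint16_t type;
    uint16_t length;
    uint32_t version;
    uint32_t general_flags;
} caps_general_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse one general capability set. set_len is the peer-controlled capabilitySetLength and
 * avail is how many bytes really remain in the PDU. The advisory's defect class is sizing the
 * destination from set_len while still writing the full fixed structure; here the declared
 * length must cover the fixed structure AND must not exceed what was received. Returns 0 or -1. */
int parse_caps_general(const uint8_t *buf, size_t avail, uint16_t set_len, caps_general_t *out)
{
    if (!buf || !out) return -1;
    if (set_len < CAPS_GENERAL_FIXED_LEN) return -1;   /* rejects the undersized case (e.g. 1) */
    if (set_len > avail) return -1;                     /* declared length runs past the PDU  */
    out->type          = rd16(buf);
    out->length        = set_len;
    out->version       = rd32(buf + 4);
    out->general_flags = rd32(buf + 8);
    return 0;
}

/* Walk every capability set in a CB_CLIP_CAPS body. Returns the number of general sets stored
 * in out, or -1 if any length field is inconsistent with the bytes actually present. */
int parse_clip_caps_body(const uint8_t *buf, size_t buf_len, caps_general_t *out, size_t max_out)
{
    if (!buf || !out || buf_len < 4) return -1;
    uint16_t count = rd16(buf);          /* cCapabilitiesSets; buf+2 is 2 bytes of padding */
    size_t off = 4;                      /* invariant: off <= buf_len, so buf_len - off never underflows */
    int stored = 0;
    for (uint16_t i = 0; i < count; i++) {
        if (buf_len - off < CAPS_SET_HDR_LEN) return -1;        /* no room for a set header */
        uint16_t set_type = rd16(buf + off);
        uint16_t set_len  = rd16(buf + off + 2);
        if (set_len < CAPS_SET_HDR_LEN || set_len > buf_len - off) return -1;
        if (set_type == CAPSTYPE_GENERAL) {
            if ((size_t)stored >= max_out) return -1;
            if (parse_caps_general(buf + off, buf_len - off, set_len, &out[stored]) != 0) return -1;
            stored++;
        }
        off += set_len;                  /* unknown set types are skipped by their declared length */
    }
    return stored;
}

/* Constructed sample bodies (not captured traffic). */
const uint8_t SAMPLE_OK[16] = {
    0x01, 0x00, 0x00, 0x00,          /* cCapabilitiesSets = 1, pad */
    0x01, 0x00, 0x0C, 0x00,          /* general set, capabilitySetLength = 12 */
    0x02, 0x00, 0x00, 0x00,          /* version = 2 */
    0x02, 0x00, 0x00, 0x00 };        /* generalFlags = 2 */
const uint8_t SAMPLE_LEN1[16] = {    /* the advisory's case: capabilitySetLength = 1 */
    0x01, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x01, 0x00,
    0x02, 0x00, 0x00, 0x00,
    0x02, 0x00, 0x00, 0x00 };
const uint8_t SAMPLE_OVERLONG[16] = { /* declared length (64) larger than the bytes received */
    0x01, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x40, 0x00,
    0x02, 0x00, 0x00, 0x00,
    0x02, 0x00, 0x00, 0x00 };
caps_general_t g_caps[4];

int main(void)
{
    int n = parse_clip_caps_body(SAMPLE_OK, sizeof SAMPLE_OK, g_caps, 4);
    printf("valid body: %d general set(s), version %u\n", n, n > 0 ? (unsigned)g_caps[0].version : 0u);
    printf("capabilitySetLength=1 body: %d\n", parse_clip_caps_body(SAMPLE_LEN1, sizeof SAMPLE_LEN1, g_caps, 4));
    printf("overlong body: %d\n", parse_clip_caps_body(SAMPLE_OVERLONG, sizeof SAMPLE_OVERLONG, g_caps, 4));
    return 0;
}
```

The two checks in `parse_caps_general` are the ones that matter: the first guarantees the destination is at least as large as what will be written into it, the second guarantees the parser never reads past the received PDU. Under an AddressSanitizer build, a parser missing the first check is exactly what surfaces as the 1-byte allocation and 12-byte write the advisory describes.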
Users can upgrade to FreeRDP version 3.26.0 or later, where this vulnerability has been fixed.