FreeRDP Heap-Buffer-Overflow Vulnerability in RDPGFX Processing

Vulnerability

A heap-buffer-overflow vulnerability has been identified in the FreeRDP client, affecting versions prior to 3.26.0. The issue arises in the handling of RDPGFX PDUs, where a malicious RDP server can exploit the FreeRDP client by sending crafted graphics data. The vulnerability is located in the 'gdi_CacheToSurface' function, which improperly validates destination rectangles. Although the rectangle edges are clamped to UINT16_MAX, the actual data copy uses the original unvalidated dimensions, leading to out-of-bounds heap writes. This flaw can cause crashes or potentially allow code execution within the client. The vulnerability is only exploitable when the client has RDPGFX enabled.
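The defect described above is a general pattern: the bounds check runs on a clamped copy of the destination rectangle while the copy itself uses the original width and height. The C program below is an added illustration written for this page, modelled only on the advisory's description; it is not FreeRDP's code, and the surface structure, field names and function names are this example's own assumptions. The vulnerable flow is a dry run that reports how many bytes a copy would write past the allocation without touching memory, and it is shown beside a hardened check that validates the exact dimensions the copy will use.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a GDI surface. Field names are this example's own
 * assumptions, not FreeRDP's structures. */
typedef struct {
    uint32_t width;     /* pixels per row */
    uint32_t height;    /* rows */
    uint32_t bpp;       /* bytes per pixel */
    uint64_t scanline;  /* bytes per row = width * bpp */
    uint64_t size;      /* bytes allocated = scanline * height */
} surface_t;

static surface_t surface_make(uint32_t width, uint32_t height, uint32_t bpp)
{
    surface_t s = { width, height, bpp, (uint64_t)width * bpp, 0 };
    s.size = s.scanline * height;
    return s;
}

/* Defective validation, modelled on the advisory: the destination rectangle's
 * edges are clamped to UINT16_MAX and only the clamped rectangle is compared
 * with the surface. A width or height that pushes an edge past UINT16_MAX is
 * hidden by the clamp, so the check passes. */
static bool clamped_rect_check(const surface_t *dst, uint16_t x, uint16_t y,
                               uint32_t w, uint32_t h)
{
    uint64_t right  = (uint64_t)x + w;
    uint64_t bottom = (uint64_t)y + h;
    if (right  > UINT16_MAX) right  = UINT16_MAX;
    if (bottom > UINT16_MAX) bottom = UINT16_MAX;
    return right <= dst->width && bottom <= dst->height;
}

/* One past the last byte that a w x h pixel copy placed at (x, y) writes. */
static uint64_t copy_end_offset(const surface_t *dst, uint16_t x, uint16_t y,
                                uint32_t w, uint32_t h)
{
    return ((uint64_t)y + h - 1) * dst->scanline + ((uint64_t)x + w) * dst->bpp;
}

/* Dry run of the vulnerable flow: validate with the clamped rectangle, then
 * compute the extent of a copy that uses the ORIGINAL w x h. Returns the number
 * of bytes the copy would write beyond the allocation (0 when the request is
 * rejected or fits). No memory is written. */
static uint64_t vulnerable_flow_overflow_bytes(const surface_t *dst, uint16_t x,
                                               uint16_t y, uint32_t w, uint32_t h)
{
    if (w == 0 || h == 0) return 0;
    if (!clamped_rect_check(dst, x, y, w, h))
        return 0;                       /* rejected before any copy */
    uint64_t end = copy_end_offset(dst, x, y, w, h);
    return end > dst->size ? end - dst->size : 0;
}

/* Hardened check: validate the exact dimensions the copy will use, written as
 * subtractions so nothing can wrap or be clamped into range. */
static bool hardened_rect_check(const surface_t *dst, uint16_t x, uint16_t y,
                                uint32_t w, uint32_t h)
{
    if (w == 0 || h == 0) return false;
    if (w > dst->width  || x > dst->width  - w) return false;
    if (h > dst->height || y > dst->height - h) return false;
    return true;
}

int main(void)
{
    /* A surface as wide as the 16-bit coordinate space, four rows, 32 bpp. */
    surface_t dst = surface_make(UINT16_MAX, 4, 4);
    /* Constructed request: 1000 pixels starting 535 pixels before the right
     * edge, on the last row. x + w = 66000 is clamped to 65535 and passes. */
    uint64_t over = vulnerable_flow_overflow_bytes(&dst, 65000, 3, 1000, 1);
    printf("vulnerable flow writes %llu bytes past the allocation\n",
           (unsigned long long)over);
    printf("hardened check accepts the same request: %s\n",
           hardened_rect_check(&dst, 65000, 3, 1000, 1) ? "yes" : "no");
    return 0;
}
```

The dry run keeps the demonstration safe to compile and run without a sanitizer: it computes the last byte a copy would touch instead of performing the copy. The hardened check rejects the request because 65000 is greater than 65535 minus 1000, which is exactly the condition the clamp conceals.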

Impact

Exploitation of this vulnerability causes a heap-buffer-overflow write in the FreeRDP client. This out-of-bounds heap write can lead to crashes or allow for code execution in the context of the client process. The vulnerability is reachable when a FreeRDP client with RDPGFX enabled connects to a malicious RDP server that negotiates RDPGFX.

Reproduction

The vulnerability can be reproduced by building FreeRDP with AddressSanitizer and UndefinedBehaviorSanitizer enabled, and then using a local proof-of-concept program that simulates the vulnerable behavior by sending crafted RDPGFX messages. This proof-of-concept triggers the heap-buffer-overflow by exploiting the clamped rectangle validation in 'gdi_CacheToSurface', leading to an out-of-bounds write that AddressSanitizer can detect.

Remediation

Users should update to FreeRDP version 3.26.0 or later, where this vulnerability has been fixed.

Added: May 29, 2026, 8:35 PM
Updated: May 29, 2026, 8:35 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 7.5
exploitability: 5.0
remediation: 7.7
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.