July 6, 2020

GHSL-2020-058: OOB read in Apache Guacamole prior to 1.2.0 - CVE-2020-9497

Nico Waisman

Summary

There is an out of bounds read in Apache Guacamole server's RDP protocol. The vulnerability exists in the RDP Audio Output Virtual Channel Extension, while trying to parse a PDU of type WaveInfo which is used to transmit audio data through the channel.

Product

Apache Guacamole Server

Tested Version

Apache Guacamole Server up to commit bbb7949

Details

GHSL-2020-058: Out of bounds read in WaveInfo PDU handler

The WaveInfo PDU contains a 16-bit unsigned integer that represents an index into the list of audio formats exchanged between the client and server during the initialization phase. This list is maintained as a 16-member array in struct guac_rdpsnd. The 16-bit integer (format) is used to index this array without any boundary checks and as a result may trigger an out of bounds read.

The vulnerability is in protocols/rdp/channels/rdpsnd/rdpsnd-message.c [235-257]

    /* Read wave information */
    Stream_Read_UINT16(input_stream, rdpsnd->server_timestamp);
    Stream_Read_UINT16(input_stream, format); [1]
    Stream_Read_UINT8(input_stream, rdpsnd->waveinfo_block_number);
    Stream_Seek(input_stream, 3);
    Stream_Read(input_stream, rdpsnd->initial_wave_data, 4);

    /*
     * Size of incoming wave data is equal to the body size field of this
     * header, less the size of a WaveInfo PDU (not including the header),
     * thus body_size - 12.
     */
    rdpsnd->incoming_wave_size = header->body_size - 12;

    /* Read wave in next iteration */
    rdpsnd->next_pdu_is_wave = TRUE;

    /* Reset audio stream if format has changed */
    if (audio != NULL)
        guac_audio_stream_reset(audio, NULL,
                rdpsnd->formats[format].rate,  [2]
                rdpsnd->formats[format].channels,
                rdpsnd->formats[format].bps);

As can be seen in the above code snippet, at [1] Stream_Read_UINT16 is used to read a 16-bit integer value from the network into the format variable, and at [2] rdpsnd->formats is indexed with this remotely controlled integer without ensuring that format stays within the bounds of the 16-entry array.
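To make the missing check concrete, the following is a simplified, self-contained model of the WaveInfo parsing path with a bounds check in place. This is an added example, not Guacamole's code; the struct, its `format_count` field and the `read_u16_le` helper are assumptions standing in for guac_rdpsnd and the FreeRDP Stream_Read_* helpers.

```c
/* Added illustration (not Guacamole's code): minimal model of the WaveInfo
 * parsing path with the bounds check that was absent before 1.2.0. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define RDPSND_MAX_FORMATS 16   /* 16-entry format list described in the advisory */
#define WAVEINFO_BODY_LEN  12   /* timestamp(2) + format(2) + block(1) + pad(3) + data(4) */

typedef struct { int rate, channels, bps; } audio_format;

typedef struct {
    audio_format formats[RDPSND_MAX_FORMATS];
    int format_count;              /* number of negotiated formats (assumed field) */
    uint16_t server_timestamp;
    uint8_t  waveinfo_block_number;
    uint8_t  initial_wave_data[4];
} rdpsnd_state;

/* Little-endian 16-bit read, standing in for Stream_Read_UINT16 */
static uint16_t read_u16_le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse a WaveInfo PDU body. Returns the selected format index, or -1 if the
 * body is too short or the format index is outside the negotiated list. */
int parse_waveinfo(rdpsnd_state *s, const uint8_t *body, size_t len, audio_format *out)
{
    if (len < WAVEINFO_BODY_LEN)
        return -1;

    s->server_timestamp = read_u16_le(body);
    uint16_t format = read_u16_le(body + 2);   /* network-controlled 16-bit index */
    s->waveinfo_block_number = body[4];
    /* bytes 5..7 are padding (the Stream_Seek(input_stream, 3) in the original) */
    memcpy(s->initial_wave_data, body + 8, 4);

    /* The missing check: a bare 16-bit value can address up to 65535 entries,
     * but only format_count (at most 16) slots hold valid data. */
    if (format >= RDPSND_MAX_FORMATS || (int)format >= s->format_count)
        return -1;

    *out = s->formats[format];
    return (int)format;
}
```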

Impact

An authenticated user may potentially leak information about the memory contents of the guacd process.

CVE

  • CVE-2020-9497

Coordinated Disclosure Timeline

This report was subject to the GHSL coordinated disclosure policy.

  • 04/10/2020: vendor contacted
  • 04/10/2020: vendor acknowledges report
  • 05/14/2020: vendor confirms CVE-2020-9497 will be fixed in 1.2.0
  • 07/01/2020: vendor releases version 1.2.0

Supporting Resources

Credit

This issue was discovered and reported by the GitHub Security Lab.

Contact

You can contact the GHSL team at securitylab@github.com; please include GHSL-2020-058 in any communication regarding this issue.