Summary
An out-of-bounds (OOB) read vulnerability has been found in ntlm_read_ChallengeMessage: a memcpy whose size is computed from attacker-controlled message fields. This issue was addressed in FreeRDP version 2.1.1.
Product
FreeRDP
Tested Version
Development version - master branch (May 14, 2020)
Details: Out-of-bounds read in ntlm_read_ChallengeMessage
The ntlm_read_ChallengeMessage function in ntlm_message.c performs a call to CopyMemory(context->ChallengeMessage.pvBuffer, StartOffset, length) (line 494), where length is a value that a remote attacker can control indirectly. CopyMemory is nothing more than a memcpy wrapper, defined as:
#define CopyMemory(Destination, Source, Length) memcpy((Destination), (Source), (Length))
As shown below, length is the sum of the header bytes already consumed (PayloadOffset - StartOffset) and the two fields TargetName.Len and TargetInfo.Len, both of which are read directly from the remote input.
/* ntlm_message.c : 486 */
length = (PayloadOffset - StartOffset) + message->TargetName.Len + message->TargetInfo.Len;
if (!sspi_SecBufferAlloc(&context->ChallengeMessage, length))
{
Stream_Free(s, FALSE);
return SEC_E_INTERNAL_ERROR;
}
CopyMemory(context->ChallengeMessage.pvBuffer, StartOffset, length);
StartOffset is a pointer into the wStream s, which in turn wraps the buffer->pvBuffer array of size buffer->cbBuffer. Nothing checks that length does not exceed the amount of data actually available in buffer->pvBuffer.
/* ntlm_message.c : 370 */
PBYTE StartOffset;
...
s = Stream_New((BYTE*)buffer->pvBuffer, buffer->cbBuffer);
...
StartOffset = Stream_Pointer(s);
As a result, the CopyMemory call can read memory outside the boundaries of the buffer->pvBuffer array: an out-of-bounds read whose extent is chosen by the sender of the challenge message.
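The following is an added illustration, not FreeRDP's code: a simplified model of the length computation at ntlm_message.c:486 beside a hardened copy routine that rejects any length larger than what the stream still holds. The Stream and ChallengeFields types, the header_len parameter (standing in for PayloadOffset - StartOffset) and the 64-byte sample message are all constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for FreeRDP's wStream: a buffer, its total size and a read cursor.
   In the advisory, buffer->pvBuffer / buffer->cbBuffer play the role of buffer / capacity. */
typedef struct {
    const uint8_t *buffer;
    size_t capacity;
    size_t pos;
} Stream;

static size_t stream_remaining(const Stream *s) { return s->capacity - s->pos; }

/* The two length fields the parser reads from the CHALLENGE_MESSAGE itself. */
typedef struct {
    uint16_t target_name_len;
    uint16_t target_info_len;
} ChallengeFields;

/* Mirrors the computation at ntlm_message.c:486. header_len models the fixed part
   already consumed (PayloadOffset - StartOffset); the Len fields are attacker-supplied. */
size_t challenge_copy_length(size_t header_len, const ChallengeFields *f)
{
    return header_len + f->target_name_len + f->target_info_len;
}

/* True when the unchecked CopyMemory in the original code would read past the stream. */
bool challenge_would_overread(const Stream *s, size_t header_len, const ChallengeFields *f)
{
    return challenge_copy_length(header_len, f) > stream_remaining(s);
}

/* Hardened copy: the bounds check the vulnerable code lacks. Returns a heap copy of
   exactly `length` bytes (caller frees) or NULL when the message claims more than it carries. */
uint8_t *copy_challenge_checked(const Stream *s, size_t header_len,
                                const ChallengeFields *f, size_t *out_len)
{
    size_t length = challenge_copy_length(header_len, f);
    if (length > stream_remaining(s))
        return NULL; /* would read outside buffer->pvBuffer */

    uint8_t *copy = malloc(length ? length : 1);
    if (!copy)
        return NULL;
    memcpy(copy, s->buffer + s->pos, length);
    if (out_len)
        *out_len = length;
    return copy;
}

/* Constructed sample: a 64-byte buffer standing in for buffer->pvBuffer. The first
   12 bytes are the NTLMSSP signature and MessageType 2 (CHALLENGE); the rest is filler. */
#define SAMPLE_SIZE 64
#define SAMPLE_HEADER_LEN 56
static const uint8_t sample_message[SAMPLE_SIZE] = {
    'N', 'T', 'L', 'M', 'S', 'S', 'P', 0, 2, 0, 0, 0
};

/* Honest message: Len fields add up to exactly the bytes present. Returns 1 on success. */
int demo_consistent_lengths(void)
{
    Stream s = { sample_message, SAMPLE_SIZE, 0 };
    ChallengeFields f = { 4, 4 }; /* 56 + 4 + 4 == 64 */
    size_t n = 0;
    uint8_t *copy = copy_challenge_checked(&s, SAMPLE_HEADER_LEN, &f, &n);
    int ok = (copy != NULL) && (n == SAMPLE_SIZE) && !challenge_would_overread(&s, SAMPLE_HEADER_LEN, &f);
    free(copy);
    return ok;
}

/* Malicious message: TargetName.Len inflated to 0xFFFF while only 64 bytes exist.
   Returns 1 when the unchecked path would over-read and the checked path refuses. */
int demo_inflated_length(void)
{
    Stream s = { sample_message, SAMPLE_SIZE, 0 };
    ChallengeFields f = { 0xFFFF, 0 };
    bool overread = challenge_would_overread(&s, SAMPLE_HEADER_LEN, &f);
    uint8_t *copy = copy_challenge_checked(&s, SAMPLE_HEADER_LEN, &f, NULL);
    return overread && copy == NULL;
}
```

The model deliberately keeps the original expression for length so the failure is visible: with TargetName.Len set to 0xFFFF, challenge_copy_length returns 56 + 65535 bytes while the stream holds 64, and only the remaining-length comparison stands between that value and memcpy.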
Impact
This issue may lead to an out-of-bounds read triggered by a crafted NTLM challenge message.
CVE
- CVE-2020-13396
Coordinated Disclosure Timeline
This report was subject to the GHSL coordinated disclosure policy.
- 05/14/2020: Vendor contacted
- 05/15/2020: Vendor acknowledges report
- 05/15/2020: Bug fixed and patch released by the vendor
Resources
- https://github.com/FreeRDP/FreeRDP/commit/48361c411e50826cb602c7aab773a8a20e1da6bc
- https://github.com/FreeRDP/FreeRDP/commit/8fb6336a4072abcee8ce5bd6ae91104628c7bb69
Credit
This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).
Contact
You can contact the GHSL team at securitylab@github.com
, please include GHSL-2020-100
in any communication regarding this issue.