June 17, 2020

GHSL-2020-100: Out of Bounds (OOB) read vulnerability in FreeRDP - CVE-2020-13396

Antonio Morales


An out-of-bounds (OOB) read vulnerability has been detected in ntlm_read_ChallengeMessage due to a memcpy with an attacker-controlled size. This issue was addressed in FreeRDP version 2.1.1.



Tested Version

Development version - master branch (May 14, 2020)

Details: Out-of-bound read in ntlm_read_ChallengeMessage function

The ntlm_read_ChallengeMessage function in ntlm_message.c performs a call to CopyMemory(context->ChallengeMessage.pvBuffer, StartOffset, length) (line 494), where length is a value that can be controlled indirectly by a potential attacker.

CopyMemory function is nothing else than a memcpy wrapper defined as:

View on GitHub!

#define CopyMemory(Destination, Source, Length) memcpy((Destination), (Source), (Length))

As we can see below, length is equal to the addition of TargetName.Len and TargetInfo.Len, both values being controlled by the remote input.

View on GitHub!

/* ntlm_message.c : 486 */

	length = (PayloadOffset - StartOffset) + message->TargetName.Len + message->TargetInfo.Len;

	if (!sspi_SecBufferAlloc(&context->ChallengeMessage, length))
		Stream_Free(s, FALSE);

	CopyMemory(context->ChallengeMessage.pvBuffer, StartOffset, length);

And StartOffset is a pointer to s wStream*, which in turn points to buffer->pvBuffer array. But there is any statement for checking that length value is greater than buffer->pvBuffer size.

View on GitHub!

/* ntlm_message.c : 370 */

 PBYTE StartOffset;
 s = Stream_New((BYTE*)buffer->pvBuffer, buffer->cbBuffer);
 StartOffset = Stream_Pointer(s);

As a result, OOB reads can occurs resulting in accessing a memory location that is outside of the boundaries of the buffer->pvBuffer array.


This issue may lead to an Out-of-Bounds read.


  • CVE-2020-13396

Coordinated Disclosure Timeline

This report was subject to the GHSL coordinated disclosure policy.

  • 05/14/2020: Vendor contacted
  • 05/15/2020: Vendor acknowledges report
  • 05/15/2020: Bug fixed and patch released by the vendor



This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).


You can contact the GHSL team at securitylab@github.com, please include GHSL-2020-100 in any communication regarding this issue.