Summary
A global out-of-bounds (OOB) read vulnerability has been detected in update_recv_primary_order, caused by a global array access with an attacker-controlled index.
Product
FreeRDP
Tested Version
Development version - master branch (May 26, 2020)
Details: Global OOB read in update_recv_primary_order
The update_recv_primary_order function in orders.c performs a call to:
/* libfreerdp/core/orders.c, line 3266 */
if (!update_read_field_flags(s, &(orderInfo->fieldFlags), flags, PRIMARY_DRAWING_ORDER_FIELD_BYTES[orderInfo->orderType]))
where orderInfo->orderType is a value that can be controlled directly by a potential attacker. As we can see below, PRIMARY_DRAWING_ORDER_FIELD_BYTES is a static array of size 28:
/* libfreerdp/core/orders.c */
const BYTE PRIMARY_DRAWING_ORDER_FIELD_BYTES[] = { DSTBLT_ORDER_FIELD_BYTES,
PATBLT_ORDER_FIELD_BYTES,
SCRBLT_ORDER_FIELD_BYTES,
0,
0,
0,
0,
DRAW_NINE_GRID_ORDER_FIELD_BYTES,
...
So, if the value of orderInfo->orderType is greater than 27, an OOB read occurs: the access lands in memory outside the boundaries of the static array PRIMARY_DRAWING_ORDER_FIELD_BYTES.
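The range check that this lookup lacks, as an added example (not FreeRDP code and not the vendor's patch). The table contents, the helper names field_bytes_for_order and read_order_type, and the sample inputs are constructed for illustration; only the table size of 28 comes from this report.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for PRIMARY_DRAWING_ORDER_FIELD_BYTES: 28 entries, as
 * the report states. The byte counts are placeholders, not FreeRDP's values. */
static const uint8_t FIELD_BYTES[28] = { 1, 2, 1, 0, 0, 0, 0, 5 };

#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical helper: look up the field-byte count for an order type taken
 * from the wire. Returns false instead of indexing past the table. */
static bool field_bytes_for_order(uint32_t orderType, uint8_t *fieldBytes)
{
    if (orderType >= ARRAY_LEN(FIELD_BYTES))
        return false; /* orderType > 27: reject the order */
    *fieldBytes = FIELD_BYTES[orderType];
    return true;
}

/* Hypothetical parser step: checks that the buffer holds the orderType byte,
 * then validates the type before it is used as a table index. */
static int read_order_type(const uint8_t *buf, size_t len, uint8_t *fieldBytes)
{
    if (len < 1)
        return -1; /* truncated input */
    if (!field_bytes_for_order(buf[0], fieldBytes))
        return -2; /* out-of-range order type */
    return buf[0];
}

int main(void)
{
    /* Constructed inputs: two in-range types, the first invalid one, and 0xFF. */
    const uint8_t samples[] = { 0x01, 0x1B, 0x1C, 0xFF };
    for (size_t i = 0; i < sizeof(samples); i++) {
        uint8_t n = 0;
        int rc = read_order_type(&samples[i], 1, &n);
        printf("orderType=%d rc=%d fieldBytes=%d\n", samples[i], rc, n);
    }
    return 0;
}
```

Deriving the bound from the array itself keeps the check correct if entries are later added to or removed from the table.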
Impact
This issue may lead to an out-of-bounds read.
CVE
- CVE-2020-11095
Coordinated Disclosure Timeline
This report was subject to the GHSL coordinated disclosure policy.
- 05/26/2020: Report sent to Vendor
- 05/26/2020: Vendor acknowledges report
- 06/22/2020: Bug fixed and patch released by the vendor
Supporting Resources
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-563r-pvh7-4fw2
- https://github.com/FreeRDP/FreeRDP/commit/733ee3208306b1ea32697b356c0215180fc3f049
Credit
This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).
Contact
You can contact the GHSL team at securitylab@github.com. Please include GHSL-2020-124 in any communication regarding this issue.