July 1, 2020

GHSL-2020-124: OOB read vulnerability in FreeRDP update_recv_primary_order - CVE-2020-11095

Antonio Morales

Summary

A global out-of-bounds (OOB) read vulnerability has been detected in update_recv_primary_order due to global array access with attacker-controlled index.

Product

FreeRDP

Tested Version

Development version - master branch (May 26, 2020)

Details: Global OOB read in update_recv_primary_order

The update_recv_primary_order function in orders.c performs a call to:

View on GitHub!

/* libfreerdp/core/orders.c */

[line 3266] if (!update_read_field_flags(s, &(orderInfo->fieldFlags), flags, PRIMARY_DRAWING_ORDER_FIELD_BYTES[orderInfo->orderType]))

where orderInfo->orderType is a value that can be controlled directly by a potential attacker. As we can see below, PRIMARY_DRAWING_ORDER_FIELD_BYTES is a static array of size 28:

View on GitHub!

/* libfreerdp/core/orders.c */

const BYTE PRIMARY_DRAWING_ORDER_FIELD_BYTES[] = { DSTBLT_ORDER_FIELD_BYTES,
	                                               PATBLT_ORDER_FIELD_BYTES,
	                                               SCRBLT_ORDER_FIELD_BYTES,
	                                               0,
	                                               0,
	                                               0,
	                                               0,
	                                               DRAW_NINE_GRID_ORDER_FIELD_BYTES,
...

So, if orderInfo->orderType value is greater than 27, an OOB read occurs resulting in accessing a memory location that is outside of the boundaries of the static array PRIMARY_DRAWING_ORDER_FIELD_BYTES.

Impact

This issue may lead to Out-of-Bounds read.

CVE

  • CVE-2020-11095

Coordinated Disclosure Timeline

This report was subject to the GHSL coordinated disclosure policy.

  • 05/26/2020: Report sent to Vendor
  • 05/26/2020: Vendor acknowledges report
  • 06/22/2020: Bug fixed and patch released by the vendor

Supporting Resources

Credit

This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).

Contact

You can contact the GHSL team at securitylab@github.com, please include the GHSL-2020-124 in any communication regarding this issue.