Vulnerabilities > CVE-2008-1802 - Buffer Errors vulnerability in Rdesktop 1.5.0
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Buffer overflow in the process_redirect_pdu (rdp.c) function in rdesktop 1.5.0 allows remote attackers to execute arbitrary code via a Remote Desktop Protocol (RDP) redirect request with modified length fields.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Exploit-Db
| id | EDB-ID:5585 |
Nessus
NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2008-101.NASL description Several vulnerabilities were discovered in rdesktop, a Remote Desktop Protocol client. An integer underflow vulnerability allowed attackers to cause a denial of service (crash) and possibly execute arbitrary code with the privileges of the logged-in user (CVE-2008-1801). A buffer overflow vulnerability allowed attackers to execute arbitrary code with the privileges of the logged-in user (CVE-2008-1802). An integer signedness vulnerability allowed attackers to execute arbitrary code with the privileges of the logged-in user (CVE-2008-1803). In order for these vulnerabilities to be exploited, an attacker must persuade a targeted user to connect to a malicious RDP server. The updated packages have been patched to correct these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 37563 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/37563 title Mandriva Linux Security Advisory : rdesktop (MDVSA-2008:101) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandriva Linux Security Advisory MDVSA-2008:101. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(37563); script_version ("1.13"); script_cvs_date("Date: 2019/08/02 13:32:50"); script_cve_id("CVE-2008-1801", "CVE-2008-1802", "CVE-2008-1803"); script_xref(name:"MDVSA", value:"2008:101"); script_name(english:"Mandriva Linux Security Advisory : rdesktop (MDVSA-2008:101)"); script_summary(english:"Checks rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Mandriva Linux host is missing a security update." ); script_set_attribute( attribute:"description", value: "Several vulnerabilities were discovered in rdesktop, a Remote Desktop Protocol client. An integer underflow vulnerability allowed attackers to cause a denial of service (crash) and possibly execute arbitrary code with the privileges of the logged-in user (CVE-2008-1801). A buffer overflow vulnerability allowed attackers to execute arbitrary code with the privileges of the logged-in user (CVE-2008-1802). An integer signedness vulnerability allowed attackers to execute arbitrary code with the privileges of the logged-in user (CVE-2008-1803). In order for these vulnerabilities to be exploited, an attacker must persuade a targeted user to connect to a malicious RDP server. The updated packages have been patched to correct these issues." ); script_set_attribute( attribute:"solution", value:"Update the affected rdesktop package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_cwe_id(119, 189); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:rdesktop"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2007.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.1"); script_set_attribute(attribute:"patch_publication_date", value:"2008/05/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK2007.1", reference:"rdesktop-1.5.0-1.2mdv2007.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"rdesktop-1.5.0-3.1mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.1", reference:"rdesktop-1.5.0-4.1mdv2008.1", yank:"mdv")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family SuSE Local Security Checks NASL id SUSE_RDESKTOP-5271.NASL description Multiple problems have been fixed in rdesktop. CVE-2008-1801, CVE-2008-1802 and CVE-2008-1803 have been assigned to this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 33898 published 2008-08-15 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/33898 title openSUSE 10 Security Update : rdesktop (rdesktop-5271) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update rdesktop-5271. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(33898); script_version ("1.10"); script_cvs_date("Date: 2019/10/25 13:36:33"); script_cve_id("CVE-2008-1801", "CVE-2008-1802", "CVE-2008-1803"); script_name(english:"openSUSE 10 Security Update : rdesktop (rdesktop-5271)"); script_summary(english:"Check for the rdesktop-5271 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "Multiple problems have been fixed in rdesktop. CVE-2008-1801, CVE-2008-1802 and CVE-2008-1803 have been assigned to this issue." ); script_set_attribute( attribute:"solution", value:"Update the affected rdesktop package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_cwe_id(119, 189); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:rdesktop"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.3"); script_set_attribute(attribute:"patch_publication_date", value:"2008/05/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2008/08/15"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE10\.2|SUSE10\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.2 / 10.3", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE10.2", reference:"rdesktop-1.5.0-24") ) flag++; if ( rpm_check(release:"SUSE10.3", reference:"rdesktop-1.5.0-79.2") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "rdesktop"); }NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200806-04.NASL description The remote host is affected by the vulnerability described in GLSA-200806-04 (rdesktop: Multiple vulnerabilities) An anonymous researcher reported multiple vulnerabilities in rdesktop via iDefense Labs: An integer underflow error exists in the function iso_recv_msg() in the file iso.c which can be triggered via a specially crafted RDP request, causing a heap-based buffer overflow (CVE-2008-1801). An input validation error exists in the function process_redirect_pdu() in the file rdp.c which can be triggered via a specially crafted RDP redirect request, causing a BSS-based buffer overflow (CVE-2008-1802). An integer signedness error exists in the function xrealloc() in the file rdesktop.c which can be be exploited to cause a heap-based buffer overflow (CVE-2008-1803). Impact : An attacker could exploit these vulnerabilities by enticing a user to connect to a malicious RDP server thereby allowing the attacker to execute arbitrary code or cause a Denial of Service. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 33189 published 2008-06-16 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/33189 title GLSA-200806-04 : rdesktop: Multiple vulnerabilities NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1573.NASL description Several remote vulnerabilities have been discovered in rdesktop, a Remote Desktop Protocol client. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2008-1801 Remote exploitation of an integer underflow vulnerability allows attackers to execute arbitrary code with the privileges of the logged-in user. - CVE-2008-1802 Remote exploitation of a BSS overflow vulnerability allows attackers to execute arbitrary code with the privileges of the logged-in user. - CVE-2008-1803 Remote exploitation of an integer signedness vulnerability allows attackers to execute arbitrary code with the privileges of the logged-in user. last seen 2020-06-01 modified 2020-06-02 plugin id 32307 published 2008-05-13 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/32307 title Debian DSA-1573-1 : rdesktop - several vulnerabilities NASL family Fedora Local Security Checks NASL id FEDORA_2008-3985.NASL description - Tue May 13 2008 Soren Sandmann <sandmann at redhat.com> - 1.6.0-1 - Update to 1.6.0 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 32349 published 2008-05-16 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/32349 title Fedora 7 : rdesktop-1.6.0-1.fc7 (2008-3985) NASL family SuSE Local Security Checks NASL id SUSE_RDESKTOP-5272.NASL description Multiple problems have been fixed in rdesktop. CVE-2008-1801 / CVE-2008-1802 / CVE-2008-1803 have been assigned to this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 33889 published 2008-08-14 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/33889 title SuSE 10 Security Update : rdesktop (ZYPP Patch Number 5272) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-646-1.NASL description It was discovered that rdesktop did not properly validate the length of packet headers when processing RDP requests. If a user were tricked into connecting to a malicious server, an attacker could cause a denial of service or possible execute arbitrary code with the privileges of the user. (CVE-2008-1801) Multiple buffer overflows were discovered in rdesktop when processing RDP redirect requests. If a user were tricked into connecting to a malicious server, an attacker could cause a denial of service or possible execute arbitrary code with the privileges of the user. (CVE-2008-1802) It was discovered that rdesktop performed a signed integer comparison when reallocating dynamic buffers which could result in a heap-based overflow. If a user were tricked into connecting to a malicious server, an attacker could cause a denial of service or possible execute arbitrary code with the privileges of the user. (CVE-2008-1802). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 38000 published 2009-04-23 reporter Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/38000 title Ubuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : rdesktop vulnerabilities (USN-646-1) NASL family Fedora Local Security Checks NASL id FEDORA_2008-3886.NASL description - Tue May 13 2008 Soren Sandmann <sandmann at redhat.com> - 1.6.0-1 - Update to 1.6.0 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 32338 published 2008-05-16 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/32338 title Fedora 9 : rdesktop-1.6.0-1.fc9 (2008-3886) NASL family Fedora Local Security Checks NASL id FEDORA_2008-3917.NASL description - Tue May 13 2008 Soren Sandmann <sandmann at redhat.com> - 1.6.0-1 - Update to 1.6.0 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 32343 published 2008-05-16 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/32343 title Fedora 8 : rdesktop-1.6.0-1.fc8 (2008-3917)
Packetstorm
| data source | https://packetstormsecurity.com/files/download/66260/rdesktoppdu-overflow.txt |
| id | PACKETSTORM:66260 |
| last seen | 2016-12-05 |
| published | 2008-05-12 |
| reporter | Guido Landi |
| source | https://packetstormsecurity.com/files/66260/rdesktoppdu-overflow.txt.html |
| title | rdesktoppdu-overflow.txt |
Seebug
| bulletinFamily | exploit |
| description | BUGTRAQ ID: 29097 CVE(CAN) ID: CVE-2008-1801,CVE-2008-1802,CVE-2008-1803 rdesktop是实现RDP协议的开源客户端,允许基于Unix的用户登录到Windows终端服务器。 rdesktop负责重新分配动态缓冲区的代码(channel_process())中存在堆溢出漏洞。rdesktop的xrealloc()函数使用有符比较判断所请求的分配大小是否小于1。如果小于1的话,这个函数错误的将分配大小设置为1,这导致分配了错误大小的堆缓冲区,之后会被溢出。 rdesktop负责在RDP重新定向请求中执行读操作的代码(process_redirect_pdu())存在缓冲区溢出。在解析重新定向请求时,rdesktop客户端从请求报文中读取了一些32位的整数,然后使用这些整数控制读入到静态分配缓冲区中的字节数,这可能会溢出一些位于BSS部分中的缓冲区。 rdesktop负责在RDP请求中执行读操作的代码(iso_recv_msg())存在堆溢出漏洞。在读取请求时,直接从报文中获得了代表之后跟随字节数的16位整数,然后将这个值递减4并用于计算将要读取到堆缓冲区中的字节数。上述减法运算可能下溢,之后导致堆溢出。 rdesktop 1.5.0 rdesktop -------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://rdesktop.cvs.sourceforge.net/rdesktop/rdesktop/rdp.c?annotate=1.102&pathrev=HEAD#l1337 target=_blank>http://rdesktop.cvs.sourceforge.net/rdesktop/rdesktop/rdp.c?annotate=1.102&pathrev=HEAD#l1337</a> |
| id | SSV:3271 |
| last seen | 2017-11-19 |
| modified | 2008-05-10 |
| published | 2008-05-10 |
| reporter | Root |
| title | rdesktop多个缓冲区溢出漏洞 |
Statements
| contributor | Mark J Cox |
| lastmodified | 2008-06-24 |
| organization | Red Hat |
| statement | Not vulnerable. This issue did not affect the versions of rdesktop as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. |
References
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=697
- http://rdesktop.cvs.sourceforge.net/rdesktop/rdesktop/rdp.c?r1=1.101&r2=1.102&pathrev=HEAD
- http://secunia.com/advisories/30118
- http://secunia.com/advisories/30248
- http://secunia.com/advisories/30713
- http://secunia.com/advisories/31928
- http://security.gentoo.org/glsa/glsa-200806-04.xml
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-240708-1
- http://support.avaya.com/elmodocs2/security/ASA-2008-360.htm
- http://www.debian.org/security/2008/dsa-1573
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:101
- http://www.redhat.com/archives/fedora-package-announce/2008-May/msg00244.html
- http://www.redhat.com/archives/fedora-package-announce/2008-May/msg00270.html
- http://www.redhat.com/archives/fedora-package-announce/2008-May/msg00296.html
- http://www.securityfocus.com/bid/29097
- http://www.securitytracker.com/id?1019991
- http://www.ubuntu.com/usn/usn-646-1
- http://www.vupen.com/english/advisories/2008/1467/references
- http://www.vupen.com/english/advisories/2008/2403
- https://exchange.xforce.ibmcloud.com/vulnerabilities/42275
- https://www.exploit-db.com/exploits/5585