Vulnerabilities > CVE-2008-1803 - Numeric Errors vulnerability in Rdesktop 1.5.0
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Integer signedness error in the xrealloc function (rdesktop.c) in RDesktop 1.5.0 allows remote attackers to execute arbitrary code via unknown parameters that trigger a heap-based overflow. NOTE: the role of the channel_process function was not specified by the original researcher.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Common Weakness Enumeration (CWE)
Nessus
NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2008-101.NASL description Several vulnerabilities were discovered in rdesktop, a Remote Desktop Protocol client. An integer underflow vulnerability allowed attackers to cause a denial of service (crash) and possibly execute arbitrary code with the privileges of the logged-in user (CVE-2008-1801). A buffer overflow vulnerability allowed attackers to execute arbitrary code with the privileges of the logged-in user (CVE-2008-1802). An integer signedness vulnerability allowed attackers to execute arbitrary code with the privileges of the logged-in user (CVE-2008-1803). In order for these vulnerabilities to be exploited, an attacker must persuade a targeted user to connect to a malicious RDP server. The updated packages have been patched to correct these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 37563 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/37563 title Mandriva Linux Security Advisory : rdesktop (MDVSA-2008:101) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandriva Linux Security Advisory MDVSA-2008:101. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(37563); script_version ("1.13"); script_cvs_date("Date: 2019/08/02 13:32:50"); script_cve_id("CVE-2008-1801", "CVE-2008-1802", "CVE-2008-1803"); script_xref(name:"MDVSA", value:"2008:101"); script_name(english:"Mandriva Linux Security Advisory : rdesktop (MDVSA-2008:101)"); script_summary(english:"Checks rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Mandriva Linux host is missing a security update." ); script_set_attribute( attribute:"description", value: "Several vulnerabilities were discovered in rdesktop, a Remote Desktop Protocol client. An integer underflow vulnerability allowed attackers to cause a denial of service (crash) and possibly execute arbitrary code with the privileges of the logged-in user (CVE-2008-1801). A buffer overflow vulnerability allowed attackers to execute arbitrary code with the privileges of the logged-in user (CVE-2008-1802). An integer signedness vulnerability allowed attackers to execute arbitrary code with the privileges of the logged-in user (CVE-2008-1803). In order for these vulnerabilities to be exploited, an attacker must persuade a targeted user to connect to a malicious RDP server. The updated packages have been patched to correct these issues." ); script_set_attribute( attribute:"solution", value:"Update the affected rdesktop package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_cwe_id(119, 189); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:rdesktop"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2007.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.1"); script_set_attribute(attribute:"patch_publication_date", value:"2008/05/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK2007.1", reference:"rdesktop-1.5.0-1.2mdv2007.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"rdesktop-1.5.0-3.1mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.1", reference:"rdesktop-1.5.0-4.1mdv2008.1", yank:"mdv")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family SuSE Local Security Checks NASL id SUSE_RDESKTOP-5271.NASL description Multiple problems have been fixed in rdesktop. CVE-2008-1801, CVE-2008-1802 and CVE-2008-1803 have been assigned to this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 33898 published 2008-08-15 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/33898 title openSUSE 10 Security Update : rdesktop (rdesktop-5271) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update rdesktop-5271. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(33898); script_version ("1.10"); script_cvs_date("Date: 2019/10/25 13:36:33"); script_cve_id("CVE-2008-1801", "CVE-2008-1802", "CVE-2008-1803"); script_name(english:"openSUSE 10 Security Update : rdesktop (rdesktop-5271)"); script_summary(english:"Check for the rdesktop-5271 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "Multiple problems have been fixed in rdesktop. CVE-2008-1801, CVE-2008-1802 and CVE-2008-1803 have been assigned to this issue." ); script_set_attribute( attribute:"solution", value:"Update the affected rdesktop package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_cwe_id(119, 189); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:rdesktop"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.3"); script_set_attribute(attribute:"patch_publication_date", value:"2008/05/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2008/08/15"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE10\.2|SUSE10\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.2 / 10.3", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE10.2", reference:"rdesktop-1.5.0-24") ) flag++; if ( rpm_check(release:"SUSE10.3", reference:"rdesktop-1.5.0-79.2") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "rdesktop"); }
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2008-0575.NASL description An updated rdesktop package that fixes a security issue is now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. rdesktop is an open source client for Microsoft Windows NT Terminal Server and Microsoft Windows 2000 and 2003 Terminal Services, capable of natively using the Remote Desktop Protocol (RDP) to present the user last seen 2020-06-01 modified 2020-06-02 plugin id 33578 published 2008-07-25 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/33578 title RHEL 5 : rdesktop (RHSA-2008:0575) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200806-04.NASL description The remote host is affected by the vulnerability described in GLSA-200806-04 (rdesktop: Multiple vulnerabilities) An anonymous researcher reported multiple vulnerabilities in rdesktop via iDefense Labs: An integer underflow error exists in the function iso_recv_msg() in the file iso.c which can be triggered via a specially crafted RDP request, causing a heap-based buffer overflow (CVE-2008-1801). An input validation error exists in the function process_redirect_pdu() in the file rdp.c which can be triggered via a specially crafted RDP redirect request, causing a BSS-based buffer overflow (CVE-2008-1802). An integer signedness error exists in the function xrealloc() in the file rdesktop.c which can be be exploited to cause a heap-based buffer overflow (CVE-2008-1803). Impact : An attacker could exploit these vulnerabilities by enticing a user to connect to a malicious RDP server thereby allowing the attacker to execute arbitrary code or cause a Denial of Service. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 33189 published 2008-06-16 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/33189 title GLSA-200806-04 : rdesktop: Multiple vulnerabilities NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1573.NASL description Several remote vulnerabilities have been discovered in rdesktop, a Remote Desktop Protocol client. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2008-1801 Remote exploitation of an integer underflow vulnerability allows attackers to execute arbitrary code with the privileges of the logged-in user. - CVE-2008-1802 Remote exploitation of a BSS overflow vulnerability allows attackers to execute arbitrary code with the privileges of the logged-in user. - CVE-2008-1803 Remote exploitation of an integer signedness vulnerability allows attackers to execute arbitrary code with the privileges of the logged-in user. last seen 2020-06-01 modified 2020-06-02 plugin id 32307 published 2008-05-13 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/32307 title Debian DSA-1573-1 : rdesktop - several vulnerabilities NASL family Fedora Local Security Checks NASL id FEDORA_2008-3985.NASL description - Tue May 13 2008 Soren Sandmann <sandmann at redhat.com> - 1.6.0-1 - Update to 1.6.0 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 32349 published 2008-05-16 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/32349 title Fedora 7 : rdesktop-1.6.0-1.fc7 (2008-3985) NASL family SuSE Local Security Checks NASL id SUSE_RDESKTOP-5272.NASL description Multiple problems have been fixed in rdesktop. CVE-2008-1801 / CVE-2008-1802 / CVE-2008-1803 have been assigned to this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 33889 published 2008-08-14 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/33889 title SuSE 10 Security Update : rdesktop (ZYPP Patch Number 5272) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-646-1.NASL description It was discovered that rdesktop did not properly validate the length of packet headers when processing RDP requests. If a user were tricked into connecting to a malicious server, an attacker could cause a denial of service or possible execute arbitrary code with the privileges of the user. (CVE-2008-1801) Multiple buffer overflows were discovered in rdesktop when processing RDP redirect requests. If a user were tricked into connecting to a malicious server, an attacker could cause a denial of service or possible execute arbitrary code with the privileges of the user. (CVE-2008-1802) It was discovered that rdesktop performed a signed integer comparison when reallocating dynamic buffers which could result in a heap-based overflow. If a user were tricked into connecting to a malicious server, an attacker could cause a denial of service or possible execute arbitrary code with the privileges of the user. (CVE-2008-1802). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 38000 published 2009-04-23 reporter Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/38000 title Ubuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : rdesktop vulnerabilities (USN-646-1) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2008-0575.NASL description From Red Hat Security Advisory 2008:0575 : An updated rdesktop package that fixes a security issue is now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. rdesktop is an open source client for Microsoft Windows NT Terminal Server and Microsoft Windows 2000 and 2003 Terminal Services, capable of natively using the Remote Desktop Protocol (RDP) to present the user last seen 2020-06-01 modified 2020-06-02 plugin id 67719 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67719 title Oracle Linux 5 : rdesktop (ELSA-2008-0575) NASL family Fedora Local Security Checks NASL id FEDORA_2008-3886.NASL description - Tue May 13 2008 Soren Sandmann <sandmann at redhat.com> - 1.6.0-1 - Update to 1.6.0 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 32338 published 2008-05-16 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/32338 title Fedora 9 : rdesktop-1.6.0-1.fc9 (2008-3886) NASL family Scientific Linux Local Security Checks NASL id SL_20080724_RDESKTOP_ON_SL5_X.NASL description An integer underflow and integer signedness issue were discovered in the rdesktop. If an attacker could convince a victim to connect to a malicious RDP server, the attacker could cause the victim last seen 2020-06-01 modified 2020-06-02 plugin id 60454 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60454 title Scientific Linux Security Update : rdesktop on SL5.x i386/x86_64 NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2008-0575.NASL description An updated rdesktop package that fixes a security issue is now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. rdesktop is an open source client for Microsoft Windows NT Terminal Server and Microsoft Windows 2000 and 2003 Terminal Services, capable of natively using the Remote Desktop Protocol (RDP) to present the user last seen 2020-06-01 modified 2020-06-02 plugin id 43696 published 2010-01-06 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/43696 title CentOS 5 : rdesktop (CESA-2008:0575) NASL family Fedora Local Security Checks NASL id FEDORA_2008-3917.NASL description - Tue May 13 2008 Soren Sandmann <sandmann at redhat.com> - 1.6.0-1 - Update to 1.6.0 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 32343 published 2008-05-16 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/32343 title Fedora 8 : rdesktop-1.6.0-1.fc8 (2008-3917)
Oval
accepted | 2013-04-29T04:22:21.742-04:00 | ||||||||||||
class | vulnerability | ||||||||||||
contributors |
| ||||||||||||
definition_extensions |
| ||||||||||||
description | Integer signedness error in the xrealloc function (rdesktop.c) in RDesktop 1.5.0 allows remote attackers to execute arbitrary code via unknown parameters that trigger a heap-based overflow. NOTE: the role of the channel_process function was not specified by the original researcher. | ||||||||||||
family | unix | ||||||||||||
id | oval:org.mitre.oval:def:9800 | ||||||||||||
status | accepted | ||||||||||||
submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||
title | Integer signedness error in the xrealloc function (rdesktop.c) in RDesktop 1.5.0 allows remote attackers to execute arbitrary code via unknown parameters that trigger a heap-based overflow. NOTE: the role of the channel_process function was not specified by the original researcher. | ||||||||||||
version | 18 |
Redhat
advisories |
| ||||||||||||||||||||||||||||||||||||||
rpms |
|
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 29097 CVE(CAN) ID: CVE-2008-1801,CVE-2008-1802,CVE-2008-1803 rdesktop是实现RDP协议的开源客户端,允许基于Unix的用户登录到Windows终端服务器。 rdesktop负责重新分配动态缓冲区的代码(channel_process())中存在堆溢出漏洞。rdesktop的xrealloc()函数使用有符比较判断所请求的分配大小是否小于1。如果小于1的话,这个函数错误的将分配大小设置为1,这导致分配了错误大小的堆缓冲区,之后会被溢出。 rdesktop负责在RDP重新定向请求中执行读操作的代码(process_redirect_pdu())存在缓冲区溢出。在解析重新定向请求时,rdesktop客户端从请求报文中读取了一些32位的整数,然后使用这些整数控制读入到静态分配缓冲区中的字节数,这可能会溢出一些位于BSS部分中的缓冲区。 rdesktop负责在RDP请求中执行读操作的代码(iso_recv_msg())存在堆溢出漏洞。在读取请求时,直接从报文中获得了代表之后跟随字节数的16位整数,然后将这个值递减4并用于计算将要读取到堆缓冲区中的字节数。上述减法运算可能下溢,之后导致堆溢出。 rdesktop 1.5.0 rdesktop -------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://rdesktop.cvs.sourceforge.net/rdesktop/rdesktop/rdp.c?annotate=1.102&pathrev=HEAD#l1337 target=_blank>http://rdesktop.cvs.sourceforge.net/rdesktop/rdesktop/rdp.c?annotate=1.102&pathrev=HEAD#l1337</a> |
id | SSV:3271 |
last seen | 2017-11-19 |
modified | 2008-05-10 |
published | 2008-05-10 |
reporter | Root |
title | rdesktop多个缓冲区溢出漏洞 |
References
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=698
- http://rdesktop.cvs.sourceforge.net/rdesktop/rdesktop/rdesktop.c?r1=1.161&r2=1.162&pathrev=HEAD
- http://secunia.com/advisories/30118
- http://secunia.com/advisories/30248
- http://secunia.com/advisories/30713
- http://secunia.com/advisories/31224
- http://secunia.com/advisories/31928
- http://security.gentoo.org/glsa/glsa-200806-04.xml
- http://sourceforge.net/mailarchive/message.php?msg_name=20080511065217.GA24455%40cse.unsw.EDU.AU
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-240708-1
- http://support.avaya.com/elmodocs2/security/ASA-2008-360.htm
- http://www.debian.org/security/2008/dsa-1573
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:101
- http://www.redhat.com/archives/fedora-package-announce/2008-May/msg00244.html
- http://www.redhat.com/archives/fedora-package-announce/2008-May/msg00270.html
- http://www.redhat.com/archives/fedora-package-announce/2008-May/msg00296.html
- http://www.redhat.com/support/errata/RHSA-2008-0575.html
- http://www.securityfocus.com/bid/29097
- http://www.securitytracker.com/id?1019992
- http://www.ubuntu.com/usn/usn-646-1
- http://www.vupen.com/english/advisories/2008/1467/references
- http://www.vupen.com/english/advisories/2008/2403
- https://exchange.xforce.ibmcloud.com/vulnerabilities/42277
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9800