Vulnerabilities > CVE-2008-1803 - Numeric Errors vulnerability in Rdesktop 1.5.0

047910
CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
rdesktop
CWE-189
critical
nessus

Summary

Integer signedness error in the xrealloc function (rdesktop.c) in RDesktop 1.5.0 allows remote attackers to execute arbitrary code via unknown parameters that trigger a heap-based overflow. NOTE: the role of the channel_process function was not specified by the original researcher.

Vulnerable Configurations

Part Description Count
Application
Rdesktop
1

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2008-101.NASL
    descriptionSeveral vulnerabilities were discovered in rdesktop, a Remote Desktop Protocol client. An integer underflow vulnerability allowed attackers to cause a denial of service (crash) and possibly execute arbitrary code with the privileges of the logged-in user (CVE-2008-1801). A buffer overflow vulnerability allowed attackers to execute arbitrary code with the privileges of the logged-in user (CVE-2008-1802). An integer signedness vulnerability allowed attackers to execute arbitrary code with the privileges of the logged-in user (CVE-2008-1803). In order for these vulnerabilities to be exploited, an attacker must persuade a targeted user to connect to a malicious RDP server. The updated packages have been patched to correct these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id37563
    published2009-04-23
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/37563
    titleMandriva Linux Security Advisory : rdesktop (MDVSA-2008:101)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandriva Linux Security Advisory MDVSA-2008:101. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(37563);
      script_version ("1.13");
      script_cvs_date("Date: 2019/08/02 13:32:50");
    
      script_cve_id("CVE-2008-1801", "CVE-2008-1802", "CVE-2008-1803");
      script_xref(name:"MDVSA", value:"2008:101");
    
      script_name(english:"Mandriva Linux Security Advisory : rdesktop (MDVSA-2008:101)");
      script_summary(english:"Checks rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Mandriva Linux host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities were discovered in rdesktop, a Remote Desktop
    Protocol client.
    
    An integer underflow vulnerability allowed attackers to cause a denial
    of service (crash) and possibly execute arbitrary code with the
    privileges of the logged-in user (CVE-2008-1801).
    
    A buffer overflow vulnerability allowed attackers to execute arbitrary
    code with the privileges of the logged-in user (CVE-2008-1802).
    
    An integer signedness vulnerability allowed attackers to execute
    arbitrary code with the privileges of the logged-in user
    (CVE-2008-1803).
    
    In order for these vulnerabilities to be exploited, an attacker must
    persuade a targeted user to connect to a malicious RDP server.
    
    The updated packages have been patched to correct these issues."
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected rdesktop package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_cwe_id(119, 189);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:rdesktop");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2007.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/05/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK2007.1", reference:"rdesktop-1.5.0-1.2mdv2007.1", yank:"mdv")) flag++;
    
    if (rpm_check(release:"MDK2008.0", reference:"rdesktop-1.5.0-3.1mdv2008.0", yank:"mdv")) flag++;
    
    if (rpm_check(release:"MDK2008.1", reference:"rdesktop-1.5.0-4.1mdv2008.1", yank:"mdv")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_RDESKTOP-5271.NASL
    descriptionMultiple problems have been fixed in rdesktop. CVE-2008-1801, CVE-2008-1802 and CVE-2008-1803 have been assigned to this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id33898
    published2008-08-15
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/33898
    titleopenSUSE 10 Security Update : rdesktop (rdesktop-5271)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update rdesktop-5271.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(33898);
      script_version ("1.10");
      script_cvs_date("Date: 2019/10/25 13:36:33");
    
      script_cve_id("CVE-2008-1801", "CVE-2008-1802", "CVE-2008-1803");
    
      script_name(english:"openSUSE 10 Security Update : rdesktop (rdesktop-5271)");
      script_summary(english:"Check for the rdesktop-5271 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple problems have been fixed in rdesktop. CVE-2008-1801,
    CVE-2008-1802 and CVE-2008-1803 have been assigned to this issue."
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected rdesktop package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_cwe_id(119, 189);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:rdesktop");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.3");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/05/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/08/15");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE10\.2|SUSE10\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.2 / 10.3", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE10.2", reference:"rdesktop-1.5.0-24") ) flag++;
    if ( rpm_check(release:"SUSE10.3", reference:"rdesktop-1.5.0-79.2") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "rdesktop");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2008-0575.NASL
    descriptionAn updated rdesktop package that fixes a security issue is now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. rdesktop is an open source client for Microsoft Windows NT Terminal Server and Microsoft Windows 2000 and 2003 Terminal Services, capable of natively using the Remote Desktop Protocol (RDP) to present the user
    last seen2020-06-01
    modified2020-06-02
    plugin id33578
    published2008-07-25
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/33578
    titleRHEL 5 : rdesktop (RHSA-2008:0575)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200806-04.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200806-04 (rdesktop: Multiple vulnerabilities) An anonymous researcher reported multiple vulnerabilities in rdesktop via iDefense Labs: An integer underflow error exists in the function iso_recv_msg() in the file iso.c which can be triggered via a specially crafted RDP request, causing a heap-based buffer overflow (CVE-2008-1801). An input validation error exists in the function process_redirect_pdu() in the file rdp.c which can be triggered via a specially crafted RDP redirect request, causing a BSS-based buffer overflow (CVE-2008-1802). An integer signedness error exists in the function xrealloc() in the file rdesktop.c which can be be exploited to cause a heap-based buffer overflow (CVE-2008-1803). Impact : An attacker could exploit these vulnerabilities by enticing a user to connect to a malicious RDP server thereby allowing the attacker to execute arbitrary code or cause a Denial of Service. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id33189
    published2008-06-16
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/33189
    titleGLSA-200806-04 : rdesktop: Multiple vulnerabilities
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1573.NASL
    descriptionSeveral remote vulnerabilities have been discovered in rdesktop, a Remote Desktop Protocol client. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2008-1801 Remote exploitation of an integer underflow vulnerability allows attackers to execute arbitrary code with the privileges of the logged-in user. - CVE-2008-1802 Remote exploitation of a BSS overflow vulnerability allows attackers to execute arbitrary code with the privileges of the logged-in user. - CVE-2008-1803 Remote exploitation of an integer signedness vulnerability allows attackers to execute arbitrary code with the privileges of the logged-in user.
    last seen2020-06-01
    modified2020-06-02
    plugin id32307
    published2008-05-13
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/32307
    titleDebian DSA-1573-1 : rdesktop - several vulnerabilities
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-3985.NASL
    description - Tue May 13 2008 Soren Sandmann <sandmann at redhat.com> - 1.6.0-1 - Update to 1.6.0 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id32349
    published2008-05-16
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/32349
    titleFedora 7 : rdesktop-1.6.0-1.fc7 (2008-3985)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_RDESKTOP-5272.NASL
    descriptionMultiple problems have been fixed in rdesktop. CVE-2008-1801 / CVE-2008-1802 / CVE-2008-1803 have been assigned to this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id33889
    published2008-08-14
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/33889
    titleSuSE 10 Security Update : rdesktop (ZYPP Patch Number 5272)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-646-1.NASL
    descriptionIt was discovered that rdesktop did not properly validate the length of packet headers when processing RDP requests. If a user were tricked into connecting to a malicious server, an attacker could cause a denial of service or possible execute arbitrary code with the privileges of the user. (CVE-2008-1801) Multiple buffer overflows were discovered in rdesktop when processing RDP redirect requests. If a user were tricked into connecting to a malicious server, an attacker could cause a denial of service or possible execute arbitrary code with the privileges of the user. (CVE-2008-1802) It was discovered that rdesktop performed a signed integer comparison when reallocating dynamic buffers which could result in a heap-based overflow. If a user were tricked into connecting to a malicious server, an attacker could cause a denial of service or possible execute arbitrary code with the privileges of the user. (CVE-2008-1802). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id38000
    published2009-04-23
    reporterUbuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/38000
    titleUbuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : rdesktop vulnerabilities (USN-646-1)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2008-0575.NASL
    descriptionFrom Red Hat Security Advisory 2008:0575 : An updated rdesktop package that fixes a security issue is now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. rdesktop is an open source client for Microsoft Windows NT Terminal Server and Microsoft Windows 2000 and 2003 Terminal Services, capable of natively using the Remote Desktop Protocol (RDP) to present the user
    last seen2020-06-01
    modified2020-06-02
    plugin id67719
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67719
    titleOracle Linux 5 : rdesktop (ELSA-2008-0575)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-3886.NASL
    description - Tue May 13 2008 Soren Sandmann <sandmann at redhat.com> - 1.6.0-1 - Update to 1.6.0 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id32338
    published2008-05-16
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/32338
    titleFedora 9 : rdesktop-1.6.0-1.fc9 (2008-3886)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20080724_RDESKTOP_ON_SL5_X.NASL
    descriptionAn integer underflow and integer signedness issue were discovered in the rdesktop. If an attacker could convince a victim to connect to a malicious RDP server, the attacker could cause the victim
    last seen2020-06-01
    modified2020-06-02
    plugin id60454
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60454
    titleScientific Linux Security Update : rdesktop on SL5.x i386/x86_64
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2008-0575.NASL
    descriptionAn updated rdesktop package that fixes a security issue is now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. rdesktop is an open source client for Microsoft Windows NT Terminal Server and Microsoft Windows 2000 and 2003 Terminal Services, capable of natively using the Remote Desktop Protocol (RDP) to present the user
    last seen2020-06-01
    modified2020-06-02
    plugin id43696
    published2010-01-06
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/43696
    titleCentOS 5 : rdesktop (CESA-2008:0575)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-3917.NASL
    description - Tue May 13 2008 Soren Sandmann <sandmann at redhat.com> - 1.6.0-1 - Update to 1.6.0 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id32343
    published2008-05-16
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/32343
    titleFedora 8 : rdesktop-1.6.0-1.fc8 (2008-3917)

Oval

accepted2013-04-29T04:22:21.742-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 5
    ovaloval:org.mitre.oval:def:11414
  • commentThe operating system installed on the system is CentOS Linux 5.x
    ovaloval:org.mitre.oval:def:15802
  • commentOracle Linux 5.x
    ovaloval:org.mitre.oval:def:15459
descriptionInteger signedness error in the xrealloc function (rdesktop.c) in RDesktop 1.5.0 allows remote attackers to execute arbitrary code via unknown parameters that trigger a heap-based overflow. NOTE: the role of the channel_process function was not specified by the original researcher.
familyunix
idoval:org.mitre.oval:def:9800
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleInteger signedness error in the xrealloc function (rdesktop.c) in RDesktop 1.5.0 allows remote attackers to execute arbitrary code via unknown parameters that trigger a heap-based overflow. NOTE: the role of the channel_process function was not specified by the original researcher.
version18

Redhat

advisories
bugzilla
id445829
titleCVE-2008-1803 rdesktop: channel_process() Integer Signedness Vulnerability
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 5 is installed
      ovaloval:com.redhat.rhba:tst:20070331005
    • commentrdesktop is earlier than 0:1.4.1-6
      ovaloval:com.redhat.rhsa:tst:20080575001
    • commentrdesktop is signed with Red Hat redhatrelease key
      ovaloval:com.redhat.rhsa:tst:20080575002
rhsa
idRHSA-2008:0575
released2008-07-24
severityModerate
titleRHSA-2008:0575: rdesktop security update (Moderate)
rpms
  • rdesktop-0:1.4.1-6
  • rdesktop-debuginfo-0:1.4.1-6

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 29097 CVE(CAN) ID: CVE-2008-1801,CVE-2008-1802,CVE-2008-1803 rdesktop是实现RDP协议的开源客户端,允许基于Unix的用户登录到Windows终端服务器。 rdesktop负责重新分配动态缓冲区的代码(channel_process())中存在堆溢出漏洞。rdesktop的xrealloc()函数使用有符比较判断所请求的分配大小是否小于1。如果小于1的话,这个函数错误的将分配大小设置为1,这导致分配了错误大小的堆缓冲区,之后会被溢出。 rdesktop负责在RDP重新定向请求中执行读操作的代码(process_redirect_pdu())存在缓冲区溢出。在解析重新定向请求时,rdesktop客户端从请求报文中读取了一些32位的整数,然后使用这些整数控制读入到静态分配缓冲区中的字节数,这可能会溢出一些位于BSS部分中的缓冲区。 rdesktop负责在RDP请求中执行读操作的代码(iso_recv_msg())存在堆溢出漏洞。在读取请求时,直接从报文中获得了代表之后跟随字节数的16位整数,然后将这个值递减4并用于计算将要读取到堆缓冲区中的字节数。上述减法运算可能下溢,之后导致堆溢出。 rdesktop 1.5.0 rdesktop -------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://rdesktop.cvs.sourceforge.net/rdesktop/rdesktop/rdp.c?annotate=1.102&amp;pathrev=HEAD#l1337 target=_blank>http://rdesktop.cvs.sourceforge.net/rdesktop/rdesktop/rdp.c?annotate=1.102&amp;pathrev=HEAD#l1337</a>
idSSV:3271
last seen2017-11-19
modified2008-05-10
published2008-05-10
reporterRoot
titlerdesktop多个缓冲区溢出漏洞