An exploitable code execution vulnerability exists in the authentication functionality of FreeRDP 2.0.0-beta1+android11. A specially crafted server response can cause an out-of-bounds write resulting in an exploitable condition. An attacker can compromise the server or use a man in the middle attack to trigger this vulnerability.
The vulnerability is located in the license server handling. The license message sent by the server contains a length field, which is not correctly verified by FreeRDP. For internal purposes, the library decreases this value by 4, if the server is sent a value inferior to 3, this will result in a negative value and the writing of packet contents outside of the allocated buffer in memory. This vulnerability can allow the execution of arbitrary code on the FreeRDP client side.
Created freerdp tracking bugs for this issue:
Affects: epel-6 [bug 1475247]
Affects: fedora-all [bug 1475246]
Created freerdp1.2 tracking bugs for this issue:
Affects: fedora-all [bug 1475245]
Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.