Red Hat Bugzilla – Bug 445825
CVE-2008-1801 rdesktop: iso_recv_msg() Integer Underflow Vulnerability
Last modified: 2016-03-04 07:14:04 EST
iDefense published advisory affecting rdesktop:
Remote exploitation of an integer underflow vulnerability in rdesktop, as
included in various vendors' operating system distributions, allows attackers
to execute arbitrary code with the privileges of the logged-in user.
The vulnerability exists within the code responsible for reading in an RDP
request. When reading a request, a 16-bit integer value that represents the
number of bytes that follow is taken from the packet. This value is then
decremented by 4, and used to calculate how many bytes to read into a heap
buffer. The subtraction operation can underflow, which will then lead to the
heap buffer being overflowed.
Exploitation of this vulnerability results in the execution of arbitrary code
with the privileges of the logged in user. In order to exploit this
vulnerability, an attacker must persuade a targeted user to connect to a
malicious RDP server.
Upstream released version 1.6.0 which address this issue:
rdesktop-1.6.0-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
rdesktop-1.6.0-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
rdesktop-1.6.0-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
Created attachment 306783 [details]
As for CVSSv2 score, two possibilities should be considered. User needs to be
convinced to connect to untrusted RDP server for this issue to be exploited.
This is lot more likely to happen if malicious RDP server is within some local
network (AV:A/AC:M) and not so likely for random RDP server in the Internet
(AV:N/AC:H), hence Internet vector should have higher access complexity.
AV:A/AC:M results in higher base score of:
This issue was addressed in:
Red Hat Enterprise Linux: