Red Hat Bugzilla – Bug 445826
CVE-2008-1802 rdesktop: process_redirect_pdu() BSS Overflow Vulnerability
Last modified: 2008-06-23 12:39:16 EDT
iDefense published advisory affecting rdesktop:
Remote exploitation of a BSS overflow vulnerability in rdesktop, as included in
various vendors' operating system distributions, allows attackers to execute
arbitrary code with the privileges of the logged-in user.
The vulnerability exists within the code responsible for reading in an RDP
redirect request. This request is used to redirect an RDP connection from one
server to another. When parsing the redirect request, the rdesktop client reads
several 32-bit integers from the request packet. These integers are then used
to control the number of bytes read into statically allocated buffers. This
results in several buffers located in the BSS section being overflowed, which
can lead to the execution of arbitrary code.
Exploitation of this vulnerability results in the execution of arbitrary code
with the privileges of the logged-in user. In order to exploit this
vulnerability, an attacker must persuade a targeted user to connect to a
malicious RDP server.
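As an added illustration, constructed here and not taken from rdesktop or from this bug report, the unchecked-length pattern the advisory describes beside a bounds-checked version of the same copy. The PDU layout (32-bit little-endian length followed by that many bytes), the 64-byte buffer and all names are assumptions.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the pattern described in the advisory: a redirect
   PDU carries a 32-bit length that decides how many bytes are copied into
   a fixed-size, zero-initialised buffer (which the linker places in .bss).
   Names and sizes are hypothetical, not rdesktop's. */
#define SERVER_NAME_MAX 64
static char g_server_name[SERVER_NAME_MAX];

static uint32_t read_u32_le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the peer-supplied length is trusted as-is.
   Shown only for contrast; never call it on untrusted input. */
void copy_unchecked(const uint8_t *pdu)
{
    uint32_t len = read_u32_le(pdu);
    memcpy(g_server_name, pdu + 4, len);  /* len >= 64 overruns g_server_name */
}

/* Hardened version: check the length against the destination size and
   against the bytes actually present before copying.
   Returns 0 on success, -1 if the PDU is rejected. */
int copy_checked(const uint8_t *pdu, size_t pdu_len)
{
    if (pdu_len < 4)
        return -1;                     /* too short to hold the length field */
    uint32_t len = read_u32_le(pdu);
    if (len >= SERVER_NAME_MAX)        /* keep room for the NUL terminator */
        return -1;
    if (len > pdu_len - 4)             /* claims more bytes than were received */
        return -1;
    memcpy(g_server_name, pdu + 4, len);
    g_server_name[len] = '\0';
    return 0;
}

const char *server_name(void) { return g_server_name; }

int main(void)
{
    const uint8_t pdu[] = {3, 0, 0, 0, 's', 'r', 'v'};   /* constructed sample */
    printf("%d %s\n", copy_checked(pdu, sizeof pdu), server_name());
    return 0;
}
```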
Upstream released version 1.6.0, which addresses this issue:
rdesktop-1.6.0-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
rdesktop-1.6.0-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
rdesktop-1.6.0-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
Created attachment 306785
Could you clarify the status for the various RHELs?
This vulnerability is in 1.5 which we have not shipped in any RHEL.
This vulnerability occurs in the Session Directory code that was only introduced
in upstream rdesktop version 1.5.0:
[ ... ]
* Session Directory support (patch from Brian Chapeau)
This issue did not affect the versions of rdesktop as shipped with Red Hat
Enterprise Linux 3, 4, or 5.
This issue was addressed in: