iDefense published advisory affecting rdesktop: DESCRIPTION: Remote exploitation of an integer underflow vulnerability in rdesktop, as included in various vendors' operating system distributions, allows attackers to execute arbitrary code with the privileges of the logged-in user. The vulnerability exists within the code responsible for reading in an RDP request. When reading a request, a 16-bit integer value that represents the number of bytes that follow is taken from the packet. This value is then decremented by 4, and used to calculate how many bytes to read into a heap buffer. The subtraction operation can underflow, which will then lead to the heap buffer being overflowed. ANALYSIS: Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the logged in user. In order to exploit this vulnerability, an attacker must persuade a targeted user to connect to a malicious RDP server. Reference: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=696 Upstream patch: http://rdesktop.cvs.sourceforge.net/rdesktop/rdesktop/iso.c?r1=1.19&r2=1.20
Upstream released version 1.6.0 which address this issue: http://sourceforge.net/mailarchive/message.php?msg_name=20080511065217.GA24455%40cse.unsw.EDU.AU
rdesktop-1.6.0-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
rdesktop-1.6.0-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
rdesktop-1.6.0-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
Created attachment 306783 [details] Public PoC http://www.milw0rm.com/exploits/5561
As for CVSSv2 score, two possibilities should be considered. User needs to be convinced to connect to untrusted RDP server for this issue to be exploited. This is lot more likely to happen if malicious RDP server is within some local network (AV:A/AC:M) and not so likely for random RDP server in the Internet (AV:N/AC:H), hence Internet vector should have higher access complexity. AV:A/AC:M results in higher base score of: 5.4/AV:A/AC:M/Au:N/C:P/I:P/A:P
This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2008-0725.html http://rhn.redhat.com/errata/RHSA-2008-0575.html http://rhn.redhat.com/errata/RHSA-2008-0576.html Fedora: https://admin.fedoraproject.org/updates/F8/FEDORA-2008-3917 https://admin.fedoraproject.org/updates/F9/FEDORA-2008-3886