CVE-2021-37594 in FreeRDP — Remote Memory Leak
In FreeRDP before 2.4.0, the Windows client lets a malicious RDP server remotely leak memory from the client process through the clipboard extension, which is enabled by default.
The bug resides in client/Windows/wf_cliprdr.c, in the
When the client receives a File Contents Request PDU over the CLIPRDR virtual channel, the attacker controls its listIndex field (a DWORD selecting one of the copied files). Depending on dwFlags, the client then sends back either the size of the selected file or its contents.
In the dwFlags == FILECONTENTS_SIZE path, the attacker-controlled index is used directly, with no check against the number of entries in fileDescriptor:

    // listIndex comes straight from the PDU and is never bounds-checked
    *((UINT32*)&pData[0]) = clipboard->fileDescriptor[fileContentsRequest->listIndex]->nFileSizeLow;
    *((UINT32*)&pData[4]) = clipboard->fileDescriptor[fileContentsRequest->listIndex]->nFileSizeHigh;
An attacker can set listIndex to a value at or beyond the actual length of the fileDescriptor array. Because fileDescriptor is an array of pointers, the out-of-bounds slot is itself read as a pointer and dereferenced: if the attacker finds an offset past the end of the array where the heap holds a valid pointer, the eight bytes read from that object (nFileSizeLow and nFileSizeHigh, a QWORD) are sent back to the server; if the slot holds an invalid pointer, the client crashes instead. This allows, for instance, a malicious server to leak heap contents and defeat ASLR in the client process.