CVE-2021-37595 in FreeRDP — Remote Arbitrary File Read
- NIST (CVSS 9.8 Critical)
- GitHub Advisory
Summary
In FreeRDP < 2.4.0 (Windows), a malicious RDP server could remotely read arbitrary files from a client’s system through the clipboard extension (enabled by default).
Details
The bug resided in client/Windows/wf_cliprdr.c, in the wf_cliprdr_server_file_contents_request function.
When the client received a File Contents Request PDU through the CLIPRDR virtual channel, the attacker controlled the listIndex field (DWORD). Then, the client would either send the size of a copied file back to the server, or its contents.
When dwFlags == FILECONTENTS_RANGE:
wf_cliprdr_get_file_contents(
    clipboard->file_names[fileContentsRequest->listIndex],
    pData,
    fileContentsRequest->nPositionLow,
    fileContentsRequest->nPositionHigh,
    cbRequested,
    &uSize
);
An attacker could set listIndex to a value greater than the actual length of the file_names array. If they managed to find an offset to a valid address in the heap after file_names that points to a string they control, they could read arbitrary files on the client’s system, because the client would read the contents of the file and send them back to the server.
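The missing check, as an added example (not FreeRDP's code or its actual patch): the server-supplied listIndex is compared against the number of copied files before it is used as a subscript. The structs, checked_file_name, sample_lookup and the sample file names are hypothetical, reduced stand-ins constructed for illustration; the dwFlags test is an extra check based on the two flag values defined in MS-RDPECLIP.

```c
#include <stddef.h>
#include <stdint.h>

/* Flag values defined by MS-RDPECLIP for the File Contents Request PDU. */
#define FILECONTENTS_SIZE  0x00000001u
#define FILECONTENTS_RANGE 0x00000002u

/* Hypothetical, reduced model of the client's clipboard state. */
struct clip_state {
    const char **file_names; /* paths the user actually copied */
    size_t       n_files;    /* number of valid entries in file_names */
};

/* Hypothetical, reduced model of the server-controlled request fields. */
struct file_contents_request {
    uint32_t listIndex;
    uint32_t dwFlags;
    uint32_t nPositionLow;
    uint32_t nPositionHigh;
    uint32_t cbRequested;
};

/* Return the file name the request refers to, or NULL if it must be rejected.
 * listIndex is range-checked before it is ever used as an array subscript. */
const char *checked_file_name(const struct clip_state *clip,
                              const struct file_contents_request *req)
{
    if (clip == NULL || req == NULL || clip->file_names == NULL)
        return NULL;
    if (req->dwFlags != FILECONTENTS_SIZE && req->dwFlags != FILECONTENTS_RANGE)
        return NULL;                    /* unknown or combined flags */
    if ((size_t)req->listIndex >= clip->n_files)
        return NULL;                    /* out of range: fail closed */
    return clip->file_names[req->listIndex];
}

/* Constructed sample state: two copied files. */
static const char *sample_names[] = { "report.docx", "notes.txt" };
static const struct clip_state sample_clip = { sample_names, 2 };

/* Look up listIndex in the sample state using a FILECONTENTS_RANGE request. */
const char *sample_lookup(uint32_t listIndex)
{
    struct file_contents_request req = { listIndex, FILECONTENTS_RANGE, 0, 0, 4096 };
    return checked_file_name(&sample_clip, &req);
}

/* Exit status 0 when a valid index resolves and an out-of-range one is refused. */
int main(void) { return (sample_lookup(1) && !sample_lookup(2)) ? 0 : 1; }
```

A caller that receives NULL should answer the request with a failure response instead of opening any file.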