CVE-2021-37595 in FreeRDP — Remote Arbitrary File Read
In FreeRDP < 2.4.0 (Windows), a malicious RDP server can remotely read arbitrary files from a client’s system through the clipboard extension (enabled by default).
The bug resides in client/Windows/wf_cliprdr.c, in the
When the client receives a File Contents Request PDU through the CLIPRDR virtual channel, the attacker controls the listIndex field (DWORD). Then, the client will either send the size of a copied file back to the server, or its contents.
dwFlags == FILECONTENTS_RANGE:
    wf_cliprdr_get_file_contents(
        clipboard->file_names[fileContentsRequest->listIndex],
        pData,
        fileContentsRequest->nPositionLow,
        fileContentsRequest->nPositionHigh,
        cbRequested,
        &uSize );
An attacker can set listIndex to a value greater than the actual length of the file_names array. If they manage to find an offset to a valid address in the heap after file_names that points to a string they control, they can read arbitrary files on the client’s system, because the client will read the contents of the file and send them back to the server.
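The missing check, as an added example that is not FreeRDP's code or its actual patch: a reduced model of the request handling that validates the server-supplied listIndex against the number of copied files before indexing file_names. The struct layouts, the nfiles field, and the function names are assumptions made for illustration; the two flag values are those defined in MS-RDPECLIP.

```c
#include <stddef.h>
#include <stdint.h>
#include <wchar.h>

/* Flag values from MS-RDPECLIP (File Contents Request PDU). */
#define FILECONTENTS_SIZE  0x00000001u
#define FILECONTENTS_RANGE 0x00000002u

/* Hypothetical, reduced model of the client's clipboard state. */
typedef struct {
    const wchar_t **file_names; /* paths the user actually copied */
    size_t nfiles;              /* number of valid entries in file_names */
} clip_state;

/* Hypothetical, reduced model of the server-controlled request fields. */
typedef struct {
    uint32_t listIndex;
    uint32_t dwFlags;
} file_contents_request;

/* Return the copied file's path, or NULL when the request must be
 * answered with a failure response instead of file data. */
const wchar_t *resolve_requested_file(const clip_state *clip,
                                      const file_contents_request *req)
{
    if (!clip || !req || !clip->file_names)
        return NULL;
    /* SIZE and RANGE are mutually exclusive; anything else is malformed. */
    if (req->dwFlags != FILECONTENTS_SIZE && req->dwFlags != FILECONTENTS_RANGE)
        return NULL;
    /* listIndex comes from the peer. Valid indices are 0..nfiles-1, so the
     * comparison is >=, and it happens before the array is touched. */
    if ((size_t)req->listIndex >= clip->nfiles)
        return NULL;
    return clip->file_names[req->listIndex];
}

/* Constructed sample state: two files on the clipboard. */
static const wchar_t *sample_names[] = { L"C:\\demo\\a.txt", L"C:\\demo\\b.txt" };
static const clip_state sample_clip = { sample_names, 2 };

/* 1 if the request would be served, 0 if it would be rejected. */
int request_accepted(uint32_t listIndex, uint32_t dwFlags)
{
    file_contents_request req = { listIndex, dwFlags };
    return resolve_requested_file(&sample_clip, &req) != NULL;
}
```

With this check in place, an index equal to or beyond the element count never reaches the array dereference, so no heap memory after file_names is ever interpreted as a path.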