file : NeutrinoRDP/libfreerdp-core/credssp.c
function : credssp_write_ts_password_creds , credssp_sizeof_ts_password_creds

issues causes: length2 will cause memory out of bounds, unicode.c:118-> malloc 28byte（wchar, include the terminator）, but read 52byte, read memory out of bounds, it should not be length 2.

function code: int credssp_sizeof_ts_password_creds(rdpCredssp* credssp) { int length = 0;

  /*
length += ber_sizeof_sequence_octet_string(credssp->ntlmssp->domain.length * 2);
length += ber_sizeof_sequence_octet_string(credssp->ntlmssp->username.length * 2);
length += ber_sizeof_sequence_octet_string(credssp->ntlmssp->password.length * 2);
  */
length += ber_sizeof_sequence_octet_string(credssp->ntlmssp->domain.length);
length += ber_sizeof_sequence_octet_string(credssp->ntlmssp->username.length);
length += ber_sizeof_sequence_octet_string(credssp->ntlmssp->password.length);

return length;

} int credssp_write_ts_password_creds(rdpCredssp credssp, STREAM s) { int size = 0; int innerSize = credssp_sizeof_ts_password_creds(credssp);

if (innerSize > stream_get_left(s))
{
    printf("\033[91m[ ERROR ] Not enough space allocated for ts_password_creds\033[0m");
}

/* TSPasswordCreds (SEQUENCE) */
size += ber_write_sequence_tag(s, innerSize);

/* [0] domainName (OCTET STRING) */
//size += ber_write_sequence_octet_string(s, 0, credssp->ntlmssp->domain.data, credssp->ntlmssp->domain.length * 2);
    size += ber_write_sequence_octet_string(s, 0, credssp->ntlmssp->domain.data, credssp->ntlmssp->domain.length);

/* [1] userName (OCTET STRING) */
//size += ber_write_sequence_octet_string(s, 1, credssp->ntlmssp->username.data, credssp->ntlmssp->username.length * 2);
    size += ber_write_sequence_octet_string(s, 1, credssp->ntlmssp->username.data, credssp->ntlmssp->username.length);

/* [2] password (OCTET STRING) */
//size += ber_write_sequence_octet_string(s, 2, credssp->ntlmssp->password.data, credssp->ntlmssp->password.length * 2);
    size += ber_write_sequence_octet_string(s, 2, credssp->ntlmssp->password.data, credssp->ntlmssp->password.length);

return size;

}

analyze: ==9541==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300007733c at pc 0x7ffff6e91733 bp 0x7ffff21630c0 sp 0x7ffff2162868 READ of size 52 at 0x60300007733c thread T1

0 0x7ffff6e91732 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)

#1 0x7fffed1ba209 in ber_write_octet_string /NeutrinoRDP/libfreerdp-core/ber.c:350
#2 0x7fffed1c6cf6 in credssp_write_ts_password_creds /NeutrinoRDP/libfreerdp-core/credssp.c:361
#3 0x7fffed1c6eb7 in credssp_write_ts_credentials /NeutrinoRDP/libfreerdp-core/credssp.c:397
#4 0x7fffed1c6f40 in credssp_encode_ts_credentials /NeutrinoRDP/libfreerdp-core/credssp.c:417
#5 0x7fffed1c6848 in credssp_authenticate /NeutrinoRDP/libfreerdp-core/credssp.c:213
#6 0x7fffed1e7a6f in transport_connect_nla /NeutrinoRDP/libfreerdp-core/transport.c:211
#7 0x7fffed1de250 in rdp_client_connect /NeutrinoRDP/libfreerdp-core/connection.c:98
#8 0x7fffed1d5669 in freerdp_connect /NeutrinoRDP/libfreerdp-core/freerdp.c:48

0x60300007733c is located 0 bytes to the right of 28-byte region [0x603000077320,0x60300007733c) allocated by thread T1 here:

0 0x7ffff6ef6b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)

#1 0x7ffff4dcf822 in xmalloc /NeutrinoRDP/libfreerdp-utils/memory.c:55
#2 0x7ffff4dd2f3a in freerdp_uniconv_out /NeutrinoRDP/libfreerdp-utils/unicode.c:118
#3 0x7fffed1c77ad in ntlmssp_set_username /NeutrinoRDP/libfreerdp-core/ntlmssp.c:166
#4 0x7fffed1c6470 in credssp_ntlmssp_init /NeutrinoRDP/libfreerdp-core/credssp.c:103
#5 0x7fffed1c65ea in credssp_authenticate /NeutrinoRDP/libfreerdp-core/credssp.c:166
#6 0x7fffed1e7a6f in transport_connect_nla /NeutrinoRDP/libfreerdp-core/transport.c:211
#7 0x7fffed1de250 in rdp_client_connect /NeutrinoRDP/libfreerdp-core/connection.c:98
#8 0x7fffed1d5669 in freerdp_connect /NeutrinoRDP/libfreerdp-core/freerdp.c:48

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732) Shadow bytes around the buggy address: 0x0c0680006e10: fd fd fd fa fa fa fd fd fd fd fa fa fd fd fd fd 0x0c0680006e20: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd 0x0c0680006e30: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa 0x0c0680006e40: fd fd fd fd fa fa fd fd fd fa fa fa fd fd fd fa 0x0c0680006e50: fa fa fd fd fd fa fa fa fd fd fd fa fa fa 00 00 =>0x0c0680006e60: 00 fa fa fa 00 00 00[04]fa fa 00 00 00 00 fa fa 0x0c0680006e70: fd fd fd fa fa fa 00 00 00 fa fa fa 00 00 00 06 0x0c0680006e80: fa fa fd fd fd fd fa fa 00 00 00 fa fa fa fd fd 0x0c0680006e90: fd fd fa fa fd fd fd fa fa fa 00 00 00 fa fa fa 0x0c0680006ea0: 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c0680006eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb

neutrinolabs / NeutrinoRDP

fix heap-buffer-overflow issues #26

0 0x7ffff6e91732 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)

0 0x7ffff6ef6b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)