CVE-2008-1802
Published 2008-05-12
Priority: P357 · critical · 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 12.98% (95.8th percentile)
Buffer overflow in the process_redirect_pdu (rdp.c) function in rdesktop 1.5.0 allows remote attackers to execute arbitrary code via a Remote Desktop Protocol (RDP) redirect request with modified length fields.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | rdesktop | < rdesktop 1.5.0-4+cvs20071006 (bookworm) | rdesktop 1.5.0-4+cvs20071006 (bookworm) |
| rdesktop | rdesktop | — | — |
| rdesktop | rdesktop | >= 0 < 1.5.0-4+cvs20071006 | 1.5.0-4+cvs20071006 |
| rdesktop | rdesktop | >= 0 < 1.5.0-4+cvs20071006 | 1.5.0-4+cvs20071006 |
| rdesktop | rdesktop | >= 0 < 1.5.0-4+cvs20071006 | 1.5.0-4+cvs20071006 |
| rdesktop | rdesktop | >= 0 < 1.5.0-4+cvs20071006 | 1.5.0-4+cvs20071006 |
Detection & IOCs (extracted from sources)
- bytes: \x04\x75 (PDU TYPE == 0x4 == PDU_REDIRECT)
- bytes: \xff\xff\xff\xff (len of g_redirect_cookie — overflow trigger)
- bytes: Evil RDP redirect PDU: \x03\x00\x01\x47\x02\xf0\x80\x68\x00\x01\x03\xeb\x70\x81\x38\x01\x00\x10\x00\xc5\x32\x04\x75\xb7\xda\xf8\x43\x01\x00\x00\x00\x01\x00\x00\x00\xff\xff\xff\xff + 0x41*64

- Detect inbound RDP redirect PDUs (PDU type byte 0x04 at the expected offset) originating from a server toward a client on TCP/3389, especially where the length field for the redirect cookie is abnormally large (e.g., 0xFFFFFFFF).
- Only rdesktop 1.5.0 is vulnerable (Session Directory / redirect support was introduced in 1.5.0); rdesktop versions shipped with RHEL 2.1, 3, 4, and 5 are not affected.
- The exploit PoC sends a specific sequence of seven RDP handshake packets followed by the malicious redirect PDU; network signatures should look for the evil PDU byte pattern after a completed RDP negotiation on port 3389.
- The vulnerability is exploitable only when the victim rdesktop client connects to a malicious RDP server (attacker-controlled); it is not exploitable server-side.
- RHEL 2.1, 3, 4, and 5 ship rdesktop versions prior to 1.5.0 and are not affected; detection/patching efforts should focus on systems running rdesktop 1.5.0 specifically.
CVSS provenance
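| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| osv | — | 9.3 | CRITICAL | — |
| vendor_debian | — | 9.3 | CRITICAL | — |
| vendor_redhat | — | 9.3 | CRITICAL | — |
| vendor_ubuntu | — | 9.3 | CRITICAL | — |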
GHSA
GHSA-33j3-x3m6-jp5m: Buffer overflow in the process_redirect_pdu (rdp
ghsa_unreviewed · 2022-05-01
CVE-2008-1802 [HIGH] CWE-119
Buffer overflow in the process_redirect_pdu (rdp.c) function in rdesktop 1.5.0 allows remote attackers to execute arbitrary code via a Remote Desktop Protocol (RDP) redirect request with modified length fields.
OSV
CVE-2008-1802: Buffer overflow in the process_redirect_pdu (rdp
osv · 2008-05-12 · CVSS 9.3
CVE-2008-1802 [CRITICAL]
Buffer overflow in the process_redirect_pdu (rdp.c) function in rdesktop 1.5.0 allows remote attackers to execute arbitrary code via a Remote Desktop Protocol (RDP) redirect request with modified length fields.
Ubuntu
rdesktop vulnerabilities
vendor_ubuntu · 2008-09-18 · CVSS 9.3
CVE-2008-1802 [CRITICAL]
It was discovered that rdesktop did not properly validate the length of packet headers when processing RDP requests. If a user were tricked into connecting to a malicious server, an attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user. (CVE-2008-1801)

Multiple buffer overflows were discovered in rdesktop when processing RDP redirect requests. If a user were tricked into connecting to a malicious server, an attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user. (CVE-2008-1802)

It was discovered that rdesktop performed a signed integer comparison
when reallocating dynamic buffers which could result in a heap-based
o
Red Hat
rdesktop: process_redirect_pdu() BSS Overflow Vulnerability
vendor_redhat · 2008-05-07 · CVSS 9.3
CVE-2008-1802 [CRITICAL]
Buffer overflow in the process_redirect_pdu (rdp.c) function in rdesktop 1.5.0 allows remote attackers to execute arbitrary code via a Remote Desktop Protocol (RDP) redirect request with modified length fields.
Statement: Not vulnerable. This issue did not affect the versions of rdesktop as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.
Debian
CVE-2008-1802: rdesktop - Buffer overflow in the process_redirect_pdu (rdp.c) function in rdesktop 1.5.0 a...
vendor_debian · 2008 · CVSS 9.3
CVE-2008-1802 [CRITICAL]
Buffer overflow in the process_redirect_pdu (rdp.c) function in rdesktop 1.5.0 allows remote attackers to execute arbitrary code via a Remote Desktop Protocol (RDP) redirect request with modified length fields.
Scope: local
bookworm: resolved (fixed in 1.5.0-4+cvs20071006)
bullseye: resolved (fixed in 1.5.0-4+cvs20071006)
forky: resolved (fixed in 1.5.0-4+cvs20071006)
sid: resolved (fixed in 1.5.0-4+cvs20071006)
trixie: resolved (fixed in 1.5.0-4+cvs20071006)
No detection rules found.
References
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=697
- http://rdesktop.cvs.sourceforge.net/rdesktop/rdesktop/rdp.c?r1=1.101&r2=1.102&pathrev=HEAD
- http://secunia.com/advisories/30118
- http://secunia.com/advisories/30248
- http://secunia.com/advisories/30713
- http://secunia.com/advisories/31928
- http://security.gentoo.org/glsa/glsa-200806-04.xml
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-240708-1
- http://support.avaya.com/elmodocs2/security/ASA-2008-360.htm
- http://www.debian.org/security/2008/dsa-1573
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:101
- http://www.redhat.com/archives/fedora-package-announce/2008-May/msg00244.html
- http://www.redhat.com/archives/fedora-package-announce/2008-May/msg00270.html
- http://www.redhat.com/archives/fedora-package-announce/2008-May/msg00296.html
- http://www.securityfocus.com/bid/29097
- http://www.securitytracker.com/id?1019991
- http://www.ubuntu.com/usn/usn-646-1
- http://www.vupen.com/english/advisories/2008/1467/references
- http://www.vupen.com/english/advisories/2008/2403
- https://exchange.xforce.ibmcloud.com/vulnerabilities/42275
- https://www.exploit-db.com/exploits/5585