CVE-2008-1802
published 2008-05-12


Priority: P357 · critical · CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public PoC available
EPSS: 12.98% (95.8th percentile)
Buffer overflow in the process_redirect_pdu (rdp.c) function in rdesktop 1.5.0 allows remote attackers to execute arbitrary code via a Remote Desktop Protocol (RDP) redirect request with modified length fields.

Affected

6 ranges

Vendor     Product    Version range                          Fixed in
debian     rdesktop   < 1.5.0-4+cvs20071006 (bookworm)        1.5.0-4+cvs20071006 (bookworm)
rdesktop   rdesktop   (no range given)
rdesktop   rdesktop   >= 0, < 1.5.0-4+cvs20071006             1.5.0-4+cvs20071006 (this row is listed four times)

The "fixed in" string is Debian's package version, not an upstream release number; upstream's own fix shipped in rdesktop 1.6.0. The only upstream version named as vulnerable is 1.5.0, which matches the detection note below that redirect support first appeared in that release.

Detection & IOCs (extracted from sources)

port: 3389
version: rdesktop 1.5.0
bytes: \x04\x75 (PDU type == 0x4 == PDU_REDIRECT)
bytes: \xff\xff\xff\xff (length of g_redirect_cookie, the overflow trigger)
bytes: evil RDP redirect PDU: \x03\x00\x01\x47\x02\xf0\x80\x68\x00\x01\x03\xeb\x70\x81\x38\x01\x00\x10\x00\xc5\x32\x04\x75\xb7\xda\xf8\x43\x01\x00\x00\x00\x01\x00\x00\x00\xff\xff\xff\xff + 0x41*64
  • Detect inbound RDP redirect PDUs (PDU type byte 0x04 at the expected offset) sent by the server to the client on the TCP/3389 connection, especially where the length field for the redirect cookie is abnormally large (e.g., 0xFFFFFFFF). Any cookie length larger than the client's fixed cookie buffer is hostile: the client has nowhere to put it, and the unchecked copy is exactly the bug.
  • Only rdesktop 1.5.0 is vulnerable (Session Directory / redirect support was introduced in 1.5.0). The rdesktop versions shipped with RHEL 2.1, 3, 4, and 5 predate 1.5.0 and are not affected, so detection and patching effort should focus on hosts actually running rdesktop 1.5.0.
  • The exploit PoC sends a specific sequence of seven RDP handshake packets followed by the malicious redirect PDU; network signatures should look for the evil PDU byte pattern after a completed RDP negotiation on port 3389. The pattern is only visible when the PDU travels in the clear, as it does in the PoC bytes above; if the session negotiates RDP encryption the redirect PDU sits inside the encrypted payload and a byte signature will not fire.
  • The vulnerability is exploitable only when the victim rdesktop client connects to a malicious RDP server (attacker-controlled); it is not exploitable server-side. The exposure is therefore on the workstation side: users who point rdesktop at untrusted or compromised hosts.
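Worked example, added here (this is not rdesktop's code and not the PoC): a bounds-checked parser for the redirect-PDU body whose layout the IOCs above imply (two leading bytes, 32-bit flags, a 32-bit length plus UTF-16LE server name, a 32-bit length plus cookie), with the unchecked copy that the description refers to shown in outline in a comment. The buffer sizes REDIRECT_COOKIE_MAX and REDIRECT_SERVER_MAX, every function and type name, and both sample bodies are assumptions constructed for this example; only the 0xFFFFFFFF cookie length and the 64 bytes of 0x41 are taken from the page's IOCs. The result codes are also the client-side signal the detection bullets describe: a redirect PDU whose cookie length exceeds the buffer is rejected before anything is copied.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Buffer sizes are assumptions for this example, not values from rdesktop. */
#define REDIRECT_COOKIE_MAX 128
#define REDIRECT_SERVER_MAX 64

enum redirect_result {
    REDIRECT_OK = 0,
    REDIRECT_TRUNCATED,        /* a declared length runs past the PDU */
    REDIRECT_SERVER_TOO_LONG,  /* server-name length exceeds its buffer */
    REDIRECT_COOKIE_TOO_LONG   /* cookie length exceeds its buffer (the CVE) */
};

struct redirect_info {
    uint32_t flags; char server[REDIRECT_SERVER_MAX + 1];
    uint8_t cookie[REDIRECT_COOKIE_MAX]; uint32_t cookie_len;
};

struct stream { const uint8_t *p, *end; };
static size_t left(const struct stream *s) { return (size_t)(s->end - s->p); }

static int in_u32_le(struct stream *s, uint32_t *v)
{
    if (left(s) < 4) return 0;
    *v = (uint32_t)s->p[0] | (uint32_t)s->p[1] << 8 |
         (uint32_t)s->p[2] << 16 | (uint32_t)s->p[3] << 24;
    s->p += 4;
    return 1;
}

/* Vulnerable shape, in outline: read a 32-bit length sent by the server and
 * copy that many bytes into a fixed global without comparing it to the size:
 *     len = read_u32_le(s);
 *     memcpy(g_redirect_cookie, s->p, len);   // len is attacker-controlled
 * With len = 0xFFFFFFFF (the page's IOC) the copy runs off the buffer. */
enum redirect_result
parse_redirect_pdu(const uint8_t *body, size_t body_len, struct redirect_info *out)
{
    struct stream s = { body, body + body_len };
    uint32_t len;

    memset(out, 0, sizeof *out);
    if (left(&s) < 2) return REDIRECT_TRUNCATED;
    s.p += 2;                                   /* two leading bytes, ignored */
    if (!in_u32_le(&s, &out->flags)) return REDIRECT_TRUNCATED;

    /* Server name: byte length of a UTF-16LE string. */
    if (!in_u32_le(&s, &len)) return REDIRECT_TRUNCATED;
    if (len > 2 * REDIRECT_SERVER_MAX) return REDIRECT_SERVER_TOO_LONG;
    if (left(&s) < len) return REDIRECT_TRUNCATED;
    for (uint32_t i = 0; i + 1 < len; i += 2)   /* keep the low byte of each unit */
        out->server[i / 2] = (char)s.p[i];
    s.p += len;

    /* Cookie: check the length against the buffer, then against the bytes
     * actually present, and only then copy. */
    if (!in_u32_le(&s, &len)) return REDIRECT_TRUNCATED;
    if (len > REDIRECT_COOKIE_MAX) return REDIRECT_COOKIE_TOO_LONG;
    if (left(&s) < len) return REDIRECT_TRUNCATED;
    memcpy(out->cookie, s.p, len);
    out->cookie_len = len;
    return REDIRECT_OK;
}

/* Constructed body carrying the page's trigger: flags 1, empty server name,
 * cookie length 0xFFFFFFFF, then 64 bytes of 0x41. */
size_t build_evil_body(uint8_t *buf, size_t cap)
{
    static const uint8_t head[] = { 0x00, 0x00,  0x01, 0x00, 0x00, 0x00,
                                    0x00, 0x00, 0x00, 0x00,  0xff, 0xff, 0xff, 0xff };
    if (cap < sizeof head + 64) return 0;
    memcpy(buf, head, sizeof head);
    memset(buf + sizeof head, 0x41, 64);
    return sizeof head + 64;
}

/* Constructed well-formed body: flags 1, server "srv", 4-byte cookie. */
size_t build_benign_body(uint8_t *buf, size_t cap)
{
    static const uint8_t body[] = { 0x00, 0x00,  0x01, 0x00, 0x00, 0x00,
                                    0x06, 0x00, 0x00, 0x00,  's', 0, 'r', 0, 'v', 0,
                                    0x04, 0x00, 0x00, 0x00,  0x11, 0x22, 0x33, 0x44 };
    if (cap < sizeof body) return 0;
    memcpy(buf, body, sizeof body);
    return sizeof body;
}

/* Named checks: PoC-shaped body; well-formed body with field verification;
 * well-formed body whose cookie length (offset 16) claims 16 bytes with 4 present. */
int check_evil(void) { uint8_t b[256]; struct redirect_info i;
    return parse_redirect_pdu(b, build_evil_body(b, sizeof b), &i); }
int check_benign(void) { uint8_t b[256]; struct redirect_info i;
    if (parse_redirect_pdu(b, build_benign_body(b, sizeof b), &i) != REDIRECT_OK) return 0;
    return i.flags == 1 && strcmp(i.server, "srv") == 0 &&
           i.cookie_len == 4 && memcmp(i.cookie, "\x11\x22\x33\x44", 4) == 0; }
int check_truncated(void) { uint8_t b[256]; struct redirect_info i;
    size_t n = build_benign_body(b, sizeof b); b[16] = 0x10;
    return parse_redirect_pdu(b, n, &i); }

int main(void)
{
    printf("PoC-shaped body : %d (3 = cookie too long)\n", check_evil());
    printf("well-formed body: %d (1 = parsed, fields match)\n", check_benign());
    printf("truncated cookie: %d (1 = truncated)\n", check_truncated());
    return 0;
}
```

Build with `cc -std=c99 -Wall redirect_check.c` (file name assumed). The order of the two cookie checks matters: comparing against the buffer first means a 0xFFFFFFFF length is reported as the overflow attempt it is, not merely as a short packet, which is the distinction a host-side detector or crash triage wants.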

CVSS provenance

Source          CVSS    Score   Severity   Vector
nvd             v2.0    9.3     CRITICAL   AV:N/AC:M/Au:N/C:C/I:C/A:C
osv                     9.3     CRITICAL
vendor_debian           9.3     CRITICAL
vendor_redhat           9.3     CRITICAL
vendor_ubuntu           9.3     CRITICAL

All five sources carry the same NVD v2 score. "CRITICAL" is this site's own band: CVSS v2 has no Critical rating, and NVD's v2 scale places 9.3 in High (7.0 to 10.0).