rdesktop v1.8.6 - with security fixes but doesn't connect to xrdp
Hi Laszlo, can you suggest how I might proceed to debug this issue(s)
with the latest rdesktop code. I am happy to spend some time to debug
things but I don't have the time needed to understand the protocol and
trace down the problem with out help.
Should I just raise a debian bug and use the old version for the moment?
Otherwise I'm planning to raise an issue on the github site. Please cc
this to an appropriate mailing list.
Thanks
Andrew
I just built a debian package of the v1.8.6 with out and problems
using your debian package files from 1.8.4. and was thinking of
suggesting that you switch to this as it has *many* security fixes.
The trouble is that when I try to validate it against xrdp server
package it failed with a buffer overrun check failure!
See below.
Debugging 1.8 branch requiring
...
b3e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
b3f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
b400 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
b410 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
b420 00 00 00 00 00 00 00 00 00 00 ..........
NOT IMPLEMENTED: PDU 8
ERROR: rdp.c:128: rdp_recv(), unexpected stream overrun0000 03 00 01
b5 02 f0 80 68 00 01 03 eb 70 81 a6 08 .......h....p...
0010 00 00 00 c1 81 89 2d 9d 52 2f 7c 2a b4 48 de fe ......-.R/|*.H..
0020 56 21 7b fd 64 d2 f5 a5 f0 30 4f 7c bf 45 4b 52 V!{.d....0O|.EKR
0030 0d 1c ed 64 12 81 6e 5b 31 98 49 b7 32 e7 e6 fb ...d..n[1.I.2...
0040 3e eb e7 ac 73 c4 ae 59 a6 8a d1 e2 cd f1 5a ae >...s..Y......Z.
0050 bf cd 86 a6 4c 87 d3 ba 43 96 6b ac 63 4f ec 66 ....L...C.k.cO.f
0060 22 94 b9 07 60 e5 46 aa 8b 98 17 f6 42 56 09 99 "...`.F.....BV..
0070 03 71 f3 1b a2 8e 9e ca d6 f3 02 5f b3 85 ba 10 .q........._....
0080 f7 3c 7b 7c 89 83 2e bd 61 41 02 6c 2d aa 0d 8b .<{|....aA.l-...
0090 d7 4b 51 cc 00 1c 31 36 5e 6d f0 64 1d 48 d0 05 .KQ...16^m.d.H..
00a0 d7 8a 6a eb 4d ce 85 a6 e9 d1 08 51 ac 13 5f 9e ..j.M......Q.._.
00b0 40 99 42 ee 94 9e ee cc 13 58 02 b2 ff 84 c7 bd @.B......X......
00c0 31 6e 6d d7 3b c5 46 ab ad d4 6e ed 9a 42 e8 80 1nm.;.F...n..B..
00d0 21 75 73 8f 09 1b 12 aa 97 23 56 2b 42 c3 e9 54 !us......#V+B..T
00e0 11 15 8b 90 fa a4 65 f6 9a e9 98 e8 0f c3 f5 80 ......e.........
00f0 a2 c8 65 69 09 ab 97 45 cd b0 2d ba 12 95 01 a3 ..ei...E..-.....
0100 1e 98 85 f9 61 35 2c b1 1e 17 e6 8a 2f 68 17 8d ....a5,...../h..
0110 ed dd b0 16 86 51 16 1a e5 88 6a 56 61 8f d1 ad .....Q....jVa...
0120 18 c9 49 5d bb db 89 a3 5c 8e ad 64 cf 13 c1 d9 ..I]....\..d....
0130 3b fa 81 d8 7b e1 cd 84 c0 37 a8 6e a7 7a a1 50 ;...{....7.n.z.P
0140 88 8a 80 15 9c ec 46 05 c2 47 43 5c ef 0e 7d 2f ......F..GC\..}/
0150 b8 77 68 63 98 a5 07 95 a6 9c c1 49 42 b4 55 b1 .whc.......IB.U.
0160 f7 c5 92 9e 7d 50 ef df 19 4e 2b 4a 28 1e 7e bc ....}P...N+J(.~.
0170 dc 59 75 10 46 a6 43 f2 41 fa 4b 24 bd 54 10 29 .Yu.F.C.A.K$.T.)
0180 ba 29 3b 3d 21 25 c8 f2 cb 07 f3 49 9b c7 5b fe .);=!%.....I..[.
0190 ff b5 23 7f f9 f1 dc 60 69 2a d4 94 6f 3f aa 10 ..#....`i*..o?..
01a0 b5 42 df 8e 74 bf 71 9b fd 0a 82 3e aa 3f 1a 18 .B..t.q....>.?..
01b0 8f bc 2e 81 73 ....s
Below I include the details from the github release page:
https://github.com/rdesktop/rdesktop/releases
>From the rdesktop github release page:
--------------------------------------
v1.8.5
This is a security release to address various buffer overflow and
overrun issues in the rdesktop protocol handling. rdesktop will now
detect any attempts to access invalid areas and refuse to continue.
Users are adviced to upgrade as soon as possible.
A big thank you to Kaspersky Lab and National Cyber Security Centre
for identifying these issues.
v1.8.6
This is a small bug fix release for rdesktop 1.8.5. An issue was
discovered soon after release where it was impossible to connect to
some servers. This issue has now been fixed, but otherwise this
release is identical to 1.8.5.
Reply to: