iDefense Security Advisory 05.07.08 - Remote exploitation of an integer underflow vulnerability in rdesktop, as included in various vendors' operating system distributions, allows attackers to execute arbitrary code with the privileges of the logged-in user. The vulnerability exists within the code responsible for reading in an RDP request. When reading a request, a 16-bit integer value that represents the number of bytes that follow is taken from the packet. This value is then decremented by 4, and used to calculate how many bytes to read into a heap buffer. The subtraction operation can underflow, which will then lead to the heap buffer being overflowed. iDefense confirmed the existence of this vulnerability in rdesktop version 1.5.0. Previous versions may also be affected.
1092f657e4d4b947c1ee615da74f97b5643e05d42dbeb1e99d0b4d8092a260b7
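The length handling the advisory describes, as an added example that is not code from rdesktop or from the advisory: an unchecked computation in the style of the iso_recv_msg() path beside a hardened header parse, assuming the standard 4-byte TPKT header (version, reserved, 16-bit big-endian total length that includes the header); the function and type names and the payload cap are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define HEADER_LEN  4      /* TPKT header: version, reserved, 16-bit length */
#define MAX_PAYLOAD 8192   /* assumed upper bound for one PDU (hypothetical) */

typedef struct { uint8_t version; uint32_t payload_len; } tpkt_hdr;

/* Byte count the unchecked code would hand to the reader/allocator.
 * 'length' is the 16-bit total length taken from the packet; subtracting
 * the header size promotes to int, and a value below 4 goes negative, which
 * becomes a huge unsigned count once it reaches a size parameter. */
uint32_t payload_len_unchecked(const uint8_t hdr[HEADER_LEN])
{
    uint16_t length = (uint16_t)((hdr[2] << 8) | hdr[3]);
    return (uint32_t)(length - HEADER_LEN);   /* length 2 -> 4294967294 */
}

/* Hardened parse: every bound is validated before a byte count leaves
 * this function. Returns false on any malformed header. */
bool parse_tpkt_header(const uint8_t *buf, size_t buflen, tpkt_hdr *out)
{
    if (buf == NULL || out == NULL || buflen < HEADER_LEN) return false;
    if (buf[0] != 3) return false;                  /* TPKT version is 3 */
    uint16_t length = (uint16_t)((buf[2] << 8) | buf[3]);
    if (length < HEADER_LEN) return false;          /* the underflow case */
    if (length - HEADER_LEN > MAX_PAYLOAD) return false;
    out->version = buf[0];
    out->payload_len = (uint32_t)(length - HEADER_LEN);
    return true;
}

int main(void)
{
    /* Constructed headers: a benign 11-byte PDU and a length field of 2. */
    const uint8_t benign[HEADER_LEN] = { 3, 0, 0, 11 }, tiny[HEADER_LEN] = { 3, 0, 0, 2 };
    tpkt_hdr h;
    printf("unchecked: benign=%u tiny=%u\n", (unsigned)payload_len_unchecked(benign), (unsigned)payload_len_unchecked(tiny));
    printf("hardened: benign=%s tiny=%s\n", parse_tpkt_header(benign, HEADER_LEN, &h) ? "ok" : "reject",
           parse_tpkt_header(tiny, HEADER_LEN, &h) ? "ok" : "reject");
    return 0;
}
```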
rdesktop version 1.5.0 integer underflow proof of concept exploit that takes advantage of iso_recv_msg().
76fb7c0182f22162b10ef53dc34f0663fab8c3ad651d898e08ac4c9bfc0f266a