Exploitintel

**Name of the Vulnerable Software and Affected Versions** xrdp versions prior to 0.10.6 **Description** An out-of-bounds read exists in the pre-authentication RDP message parsing logic. A remote, unauthenticated attacker can trigger this flaw by sending a specially crafted sequence of packets during the initial connection phase. The issue stems from insufficient validation of input buffer lengths before processing dynamic channel communication. This can result in a denial-of-service condition via a process crash or the potential disclosure of sensitive information from the service memory space. **Recommendations** Update to version 0.10.6.

**Name of the Vulnerable Software and Affected Versions** xrdp versions prior to 0.10.6 **Description** A heap-based buffer overflow exists in the logon processing of this open source RDP server. When the `domain user separator` is configured in the 'xrdp.ini' file, an unauthenticated remote attacker can send a crafted, excessively long username and domain name to overflow the internal buffer. This memory corruption can lead to a Denial of Service (DoS) or unexpected behavior. This issue only affects systems where the `domain name separator` directive has been intentionally enabled, as it is commented out by default. **Recommendations** Update to version 0.10.6. As a temporary workaround, ensure the `domain name separator` directive in 'xrdp.ini' remains commented out or disabled.

**Name of the Vulnerable Software and Affected Versions** xrdp versions prior to 0.10.6 **Description** An out-of-bounds read occurs during the RDP capability exchange phase when memory is accessed before validating the remaining buffer length. A remote, unauthenticated attacker can trigger this by sending a specially crafted Confirm Active PDU. This may result in a denial of service via process crash or the disclosure of sensitive information from the process memory. **Recommendations** Update to version 0.10.6.

**Name of the Vulnerable Software and Affected Versions** xrdp versions prior to 0.10.6 **Description** xrdp fails to implement verification for the Message Authentication Code (MAC) signature of encrypted RDP packets when the Classic RDP Security layer is used. Although signatures are generated by the sender, the receiving logic ignores the 8-byte integrity signature. This allows an unauthenticated attacker with man-in-the-middle (MITM) capabilities to modify encrypted traffic in transit without detection. This issue does not affect connections where the TLS security layer is enforced. **Recommendations** Update to version 0.10.6. Configure xrdp.ini to enforce TLS security by setting `security layer=tls` to ensure end-to-end integrity.

**Name of the Vulnerable Software and Affected Versions** xrdp versions prior to 0.10.6 **Description** The session execution component of this open source RDP server fails to properly handle errors during the privilege drop process. This improper privilege management allows an authenticated local attacker to escalate privileges to root and execute arbitrary code on the system, although an additional exploit is required to facilitate this. **Recommendations** Update to version 0.10.6.

**Name of the Vulnerable Software and Affected Versions** xrdp versions prior to 0.10.6 **Description** A heap-based buffer overflow exists in the NeutrinoRDP module. When proxying RDP sessions to another server, the module does not properly validate the size of reassembled fragmented virtual channel data against its allocated memory buffer. A malicious downstream RDP server or an attacker performing a Man-in-the-Middle attack could exploit this to cause memory corruption, potentially resulting in a Denial of Service (DoS) or Remote Code Execution (RCE). This issue only affects environments where the NeutrinoRDP module has been explicitly compiled and enabled. **Recommendations** Update to version 0.10.6. As a temporary workaround, disable the NeutrinoRDP module if it was explicitly enabled.

**Name of the Vulnerable Software and Affected Versions** WeGIA versions 3.6.5 through 3.6.6 **Description** WeGIA is a web manager for charitable institutions. The `loadBackupDB()` function imports SQL files from uploaded backup archives without content validation. An attacker can create a backup archive containing arbitrary SQL statements to create rogue administrator accounts, modify existing passwords, or execute any database operation. This issue was introduced in commit 370104c. **Recommendations** Update to version 3.6.7 or later.

**Name of the Vulnerable Software and Affected Versions** WeGIA versions prior to 3.6.6 **Description** WeGIA is a web manager for charitable institutions. The `loadBackupDB()` function in version 3.6.5 extracts tar.gz archives to a temporary directory using PHP’s `PharData` class, then uses `glob()` and `file get contents()` to read SQL files from the extracted contents. The extraction and file reading processes do not validate whether archive members are symbolic links. This could allow for unauthorized file access or modification. **Recommendations** Upgrade to WeGIA version 3.6.6 or later.