File xrdp-CVE-2024-39917.patch of Package xrdp.37241
From 8ac2f6db34649a93d3c9c4fe8fda61203702e615 Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Thu, 27 Jun 2024 11:39:21 +0100
Subject: [PATCH] Enforce no login screen if require_credentials is set
If the setting require_credentials is true, there should be no way
for the user to get to a login screen.
This commit makes the following changes if this flag is active:-
- Makes the checks around TS_INFO_PACKET more explicit.
- Closes the connection if the first login attempt fails.
---
docs/man/xrdp.ini.5.in | 9 ++++++---
libxrdp/xrdp_sec.c | 27 ++++++++++++++++++++-------
xrdp/xrdp.ini.in | 3 ++-
xrdp/xrdp_mm.c | 8 ++++++++
4 files changed, 36 insertions(+), 11 deletions(-)
Index: xrdp-0.9.13.1/docs/man/xrdp.ini.5.in
===================================================================
--- xrdp-0.9.13.1.orig/docs/man/xrdp.ini.5.in
+++ xrdp-0.9.13.1/docs/man/xrdp.ini.5.in
@@ -120,9 +120,12 @@ The default for RDP is \fB3389\fP.
.TP
\fBrequire_credentials\fP=\fI[true|false]\fP
-If set to \fB1\fP, \fBtrue\fP or \fByes\fP, \fBxrdp\fP requires clients to include username and
-password initial connection phase. In other words, xrdp doesn't allow clients to show login
-screen if set to true. If not specified, defaults to \fBfalse\fP.
+If set to \fB1\fP, \fBtrue\fP or \fByes\fP, \fBxrdp\fP requires clients
+to include username and password initial connection phase. In other
+words, xrdp doesn't allow clients to show login screen if set to true.
+It follows that an incorrect password will cause the login to immediately
+fail without displaying the login screen. If not specified, defaults
+to \fBfalse\fP.
.TP
\fBsecurity_layer\fP=\fI[tls|rdp|negotiate]\fP
Index: xrdp-0.9.13.1/libxrdp/xrdp_sec.c
===================================================================
--- xrdp-0.9.13.1.orig/libxrdp/xrdp_sec.c
+++ xrdp-0.9.13.1/libxrdp/xrdp_sec.c
@@ -810,6 +810,25 @@ xrdp_sec_process_logon_info(struct xrdp_
}
DEBUG(("username %s", self->rdp_layer->client_info.username));
+ // If we require credentials, don't continue if they're not provided
+ if (self->rdp_layer->client_info.require_credentials)
+ {
+ if ((flags & RDP_LOGON_AUTO) == 0)
+ {
+ log_message(LOG_LEVEL_ERROR, "Server is configured to require that the "
+ "client enable auto logon with credentials, but the client did "
+ "not request auto logon.");
+ return 1;
+ }
+ if (len_user == 0 || len_password == 0)
+ {
+ log_message(LOG_LEVEL_ERROR, "Server is configured to require that the "
+ "client enable auto logon with credentials, but the client did "
+ "not supply both a username and password.");
+ return 1;
+ }
+ }
+
if (flags & RDP_LOGON_AUTO)
{
if (unicode_utf16_in(s, len_password, self->rdp_layer->client_info.password, sizeof(self->rdp_layer->client_info.password) - 1) != 0)
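Review bot: The two rejection branches added under `require_credentials` both `return 1` and differ only in the tail of their message, so the caller cannot tell them apart and the nested `if`s add little; a single `if ((flags & RDP_LOGON_AUTO) == 0 || len_user == 0 || len_password == 0)` with one message naming which condition failed would read more simply. If two distinct messages are kept on purpose for operators, a comment saying so would make that intent clear. `len_user` and `len_password` are read from the client's TS_INFO_PACKET before this hunk (presumably bounds-checked there), and a client that passes this check still has its credentials verified by sesman, with the failure path handled in the xrdp_mm.c hunk. `xrdp_sec_process_logon_info` continues past the end of this hunk.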
@@ -820,16 +839,12 @@ xrdp_sec_process_logon_info(struct xrdp_
}
else
{
+ // Skip the password
if (!s_check_rem(s, len_password + 2))
{
return 1;
}
in_uint8s(s, len_password + 2);
- if (self->rdp_layer->client_info.require_credentials)
- {
- g_writeln("xrdp_sec_process_logon_info: credentials on cmd line is mandatory");
- return 1; /* credentials on cmd line is mandatory */
- }
}
if (unicode_utf16_in(s, len_program, self->rdp_layer->client_info.program, sizeof(self->rdp_layer->client_info.program) - 1) != 0)
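Review bot: The added `// Skip the password` comment should say why skipping is now safe here: with the early return added in the previous hunk, this non-auto-logon branch is only reached when `require_credentials` is false, which is why the removed check below it became dead. Suggest `// Skip the password: no auto logon, and require_credentials was already enforced above`. The enclosing function continues past the end of this hunk.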
Index: xrdp-0.9.13.1/xrdp/xrdp_mm.c
===================================================================
--- xrdp-0.9.13.1.orig/xrdp/xrdp_mm.c
+++ xrdp-0.9.13.1/xrdp/xrdp_mm.c
@@ -1615,6 +1615,14 @@ xrdp_mm_process_login_response(struct xr
}
else
{
+ if (self->wm->client_info->require_credentials)
+ {
+ // cleanup_sesman_connection(self);
+ /* Credentials had to be specified, but were invalid */
+ g_set_wait_obj(self->wm->pro_layer->self_term_event);
+ log_message(LOG_LEVEL_ERROR, "require_credentials is set, "
+ "but the user could not be logged in");
+ }
xrdp_wm_log_msg(self->wm, LOG_LEVEL_INFO,
"login failed for display %d", display);
xrdp_wm_show_log(self->wm);
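Review bot: After `g_set_wait_obj(self->wm->pro_layer->self_term_event)` control still falls through to `xrdp_wm_log_msg` and `xrdp_wm_show_log`, so the window manager may still draw the log screen for the rejected session until the termination event is serviced; if the function's return contract allows it (its body starts and ends outside this hunk), returning right after the `log_message` call would avoid presenting any UI at all. The commented-out `// cleanup_sesman_connection(self);` should either be removed or replaced by a comment explaining why that cleanup is deferred to termination. The new error message would also be easier to correlate if it carried the display that `xrdp_wm_log_msg` already prints: `log_message(LOG_LEVEL_ERROR, "require_credentials is set, but the user could not be logged in (display %d)", display);`.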