2021-12-01

CVE-2021-34535 Remote Code Execution Vulnerability

Industry: N/A | Level: Strategic | Source: Synack

While investigating the TSMF media decoder, Malcolm Stagg, a Synack Red Team (SRT) member, found a remote code execution vulnerability in the Windows Remote Desktop client, CVE-2021-34535. Memory access vulnerabilities can arise when raw pointers are used directly with memory buffers. The specific issue is an integer overflow; as Stagg says, "specifying a buffer size just slightly below that upper limit, an integer overflow will occur, causing a very small buffer to be allocated, and a huge amount of attacker-controlled data copied into that buffer. The result is a heap buffer overflow, where structures throughout the program’s memory space are overwritten with attacker-controlled data." Microsoft patched the vulnerability in August 2021. The vulnerability does not bypass address space layout randomization (ASLR); however, the PoC exploit still assumes the attacker is able to bypass ASLR.
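The size arithmetic behind the bug class described above, as an added example (not code from the Remote Desktop client, Synack's write-up or the PoC). It shows a length just below the 32-bit limit wrapping to a tiny allocation size, beside a checked version that rejects it. The 32-byte header, the 32-bit length field and all function names are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed header stored in front of each sample (assumed value). */
#define HDR_SIZE 32u

/* Unchecked: 32-bit addition wraps when data_len is close to UINT32_MAX. */
uint32_t alloc_size_unchecked(uint32_t data_len) {
    return data_len + HDR_SIZE;
}

/* Checked: returns 0 and stores the size, or -1 if the sum would wrap. */
int alloc_size_checked(uint32_t data_len, uint32_t *out) {
    if (data_len > UINT32_MAX - HDR_SIZE)
        return -1;
    *out = data_len + HDR_SIZE;
    return 0;
}

/* Hardened copy: the claimed length is validated against the bytes actually
 * received and against wraparound before anything is allocated or copied. */
uint8_t *copy_sample(const uint8_t *src, size_t src_avail, uint32_t data_len) {
    uint32_t total;
    if (data_len > src_avail)
        return NULL;                       /* claims more data than we hold */
    if (alloc_size_checked(data_len, &total) != 0)
        return NULL;                       /* size computation would wrap */
    uint8_t *buf = calloc(1, total);
    if (buf == NULL)
        return NULL;
    memcpy(buf + HDR_SIZE, src, data_len); /* fits: total = data_len + HDR_SIZE */
    return buf;
}

int main(void) {
    uint32_t near_limit = UINT32_MAX - 15; /* constructed input */
    uint32_t total;
    printf("unchecked size: %u bytes\n", alloc_size_unchecked(near_limit));
    printf("checked size:   %s\n",
           alloc_size_checked(near_limit, &total) ? "rejected" : "accepted");
    return 0;
}
```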
