Description: CVE-2024-39917
Author: Abhijith PA <abhijith@debian.org>
Origin: (upstream|backport|vendor|other), (<patch-url>|commit:<commit-id>)
Last-Update: 2025-02-27

--- xrdp-0.9.21.1.orig/docs/man/xrdp.ini.5.in
+++ xrdp-0.9.21.1/docs/man/xrdp.ini.5.in
@@ -119,10 +119,12 @@ Specifying interfaces requires said inte
 
 .TP
 \fBrequire_credentials\fP=\fI[true|false]\fP
-If set to \fB1\fP, \fBtrue\fP or \fByes\fP, \fBxrdp\fP will scan the user name provided by the
-client for the ASCII field separator character (0x1F). It will then copy over what is after the
-separator as the password supplied by the user and treats it as autologon. If not specified,
-defaults to \fBfalse\fP.
+If set to \fB1\fP, \fBtrue\fP or \fByes\fP, \fBxrdp\fP requires clients
+to include username and password initial connection phase. In other
+words, xrdp doesn't allow clients to show login screen if set to true.
+It follows that an incorrect password will cause the login to immediately
+fail without displaying the login screen.  If not specified, defaults
+to \fBfalse\fP.
 
 .TP
 \domain_user_separator\fP=\separator\fP
--- xrdp-0.9.21.1.orig/libxrdp/xrdp_sec.c
+++ xrdp-0.9.21.1/libxrdp/xrdp_sec.c
@@ -1001,6 +1001,25 @@ xrdp_sec_process_logon_info(struct xrdp_
         return 1;
     }
 
+    // If we require credentials, don't continue if they're not provided
+    if (self->rdp_layer->client_info.require_credentials)
+    {
+        if ((flags & RDP_LOGON_AUTO) == 0)
+        {
+            LOG(LOG_LEVEL_ERROR, "Server is configured to require that the "
+                "client enable auto logon with credentials, but the client did "
+                "not request auto logon.");
+            return 1;
+        }
+        if (len_user == 0 || len_password == 0)
+        {
+            LOG(LOG_LEVEL_ERROR, "Server is configured to require that the "
+                "client enable auto logon with credentials, but the client did "
+                "not supply both a username and password.");
+            return 1;
+        }
+    }
+
     if (flags & RDP_LOGON_AUTO)
     {
         if (unicode_utf16_in(s, len_password, self->rdp_layer->client_info.password, sizeof(self->rdp_layer->client_info.password) - 1) != 0)
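Review bot: The new `require_credentials` block is placed before the `if (flags & RDP_LOGON_AUTO)` branch, but nothing in it says why that position matters, and the point is the whole fix: the old check (removed further down, inside the non-auto `else` branch) was never reached by a client that set RDP_LOGON_AUTO, so the flag alone satisfied it. A comment above the block would keep a later refactor from moving it back, e.g. `// Must run before the RDP_LOGON_AUTO branch: a client can set RDP_LOGON_AUTO and still send no username or an empty password, which the old check in the non-auto branch never saw.` The two length tests reject only zero-length fields; whether a non-empty password is validated here or only by the later authentication step is not visible in this hunk. xrdp_sec_process_logon_info begins before the hunk.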
@@ -1022,18 +1041,13 @@ xrdp_sec_process_logon_info(struct xrdp_
     }
     else
     {
+        // Skip the password
         if (!s_check_rem_and_log(s, len_password + 2, "Parsing [MS-RDPBCGR] TS_INFO_PACKET Password"))
         {
             return 1;
         }
         in_uint8s(s, len_password + 2);
-        if (self->rdp_layer->client_info.require_credentials)
-        {
-            LOG(LOG_LEVEL_ERROR, "Server is configured to require that the "
-                "client enable auto logon with credentials, but the client did "
-                "not request auto logon.");
-            return 1; /* credentials on cmd line is mandatory */
-        }
+
     }
     if (self->rdp_layer->client_info.domain_user_separator[0] != '\0'
             && self->rdp_layer->client_info.domain[0] != '\0')
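Review bot: The `+` line that replaces the removed check is whitespace-only, leaving a stray blank line between `in_uint8s(s, len_password + 2);` and the closing brace; drop it so the `else` branch ends at the `in_uint8s` call. The new `// Skip the password` comment would be more useful if it also named what the `+ 2` covers, presumably the UTF-16 terminator that `len_password` excludes, e.g. `// Skip the password (len_password bytes plus the 2-byte terminator)` if that is indeed what it accounts for. xrdp_sec_process_logon_info continues past the end of the hunk.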
--- xrdp-0.9.21.1.orig/xrdp/xrdp.ini
+++ xrdp-0.9.21.1/xrdp/xrdp.ini
@@ -87,7 +87,8 @@ max_bpp=32
 new_cursors=true
 ; fastpath - can be 'input', 'output', 'both', 'none'
 use_fastpath=both
-; when true, userid/password *must* be passed on cmd line
+;when true, userid/password *must* be passed on cmd line. If the password
+; is incorrect, the login will fail
 #require_credentials=true
 ; when true, the userid will be used to try to authenticate
 #enable_token_login=true
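Review bot: The rewritten comment line `;when true, userid/password *must* be passed on cmd line. If the password` drops the space after `;` that every other comment in the file uses (`; fastpath - ...`, `; when true, the userid ...`), and its own continuation line `; is incorrect, the login will fail` keeps it. Restore the space so the two lines read as one comment in the file's style: `; when true, userid/password *must* be passed on cmd line. If the password`.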
