UltraVNC and TightVNC Client Integer Overflow Vulnerabilities
Published: 2009-02-03
Updated: 2009-02-04
Affected systems:
UltraVNC UltraVNC 1.0.5
UltraVNC UltraVNC 1.0.2
TightVNC TightVNC 1.3.9
Unaffected systems:
UltraVNC UltraVNC 1.0.5.4
TightVNC TightVNC 1.3.10
Description:
BUGTRAQ ID: 33568
CVE(CAN) ID: CVE-2009-0388
UltraVNC and TightVNC are both open-source remote desktop (VNC) software.
The UltraVNC and TightVNC clients contain several integer overflow vulnerabilities. The vulnerable functions are:
. 'ClientConnection::CheckBufferSize'
. 'ClientConnection::CheckFileZipBufferSize'
UltraVNC 1.0.2 and earlier call the vulnerable functions from:
. 'ClientConnection::ReadServerCutText() : 3859'
. 'ClientConnection::Authenticate() : 1701'
TightVNC 1.3.9 and earlier call the vulnerable functions from:
. 'ClientConnection::ReadServerCutText() : 2951'
. 'ClientConnection::ReadFailureReason() : 3066'
Because the code is shared, other VNC clients may also be affected. The integer overflow arises as follows:
/-----------
unsigned int len; /* note the *unsigned int* */
// read len from the net
len = network.read_placeholder();
// check the size to ensure the network-related read buffer is at least
// as big as needed
CheckBufferSize( len ); // or CheckZipBufferSize(len);
// use the network-related read buffer
// ...
- -----------/
Here CheckBufferSize is as follows:
/-----------
(ClientConnection.cpp)
4185: // Makes sure netbuf is at least as big as the specified size.
4186: // Note that netbuf itself may change as a result of this call.
4187: // Throws an exception on failure.
4188: void ClientConnection::CheckBufferSize(int bufsize)
4189: {
4190: if (m_netbufsize > bufsize) return;
...
...
- -----------/
CheckFileZipBufferSize (called CheckZipBufferSize in the fragment above) is as follows:
/-----------
(ClientConnection.cpp)
4238: void ClientConnection::CheckFileZipBufferSize(int bufsize)
4239: {
4240: unsigned char *newbuf;
4241:
4242: if (m_filezipbufsize > bufsize) return;
...
...
- -----------/
Functions such as CheckFileZipBufferSize() and CheckFileChunkBufferSize() have the same problem. The overflow is triggered by the type mismatch between the bufsize parameter (signed int) and the buffer size members m_netbufsize and m_filezipbufsize (unsigned long): the signed parameter is converted for the comparison, so a length read from the network that becomes negative as an int defeats the size check.
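The signed/unsigned mismatch described above, reduced to a compilable model with the vulnerable check beside a hardened one. This is an added example, not UltraVNC or TightVNC source: `struct net_buf`, `vuln_check_buffer_size`, `safe_check_buffer_size`, `buffer_fits` and the `MAX_CUT_TEXT` cap are constructed names and limits, not identifiers from either project.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of the pattern in the advisory (not UltraVNC/TightVNC code):
 * the buffer size lives in an unsigned long while the requested size arrives
 * as a signed int, the way CheckBufferSize(int bufsize) is declared. */
struct net_buf {
    unsigned char *data;
    unsigned long  size;   /* plays the role of m_netbufsize */
};

/* Vulnerable shape, fed the raw 32-bit wire length. Returns the buffer size
 * the caller is left with just before it reads len bytes into the buffer. */
unsigned long vuln_check_buffer_size(struct net_buf *b, uint32_t len)
{
    int bufsize = (int)len;            /* 0xFFFFFFFF becomes -1 */
    /* The original compares unsigned long against int; the int is converted
     * to unsigned long, so -1 becomes ULONG_MAX and the early return is skipped. */
    if (b->size > (unsigned long)bufsize)
        return b->size;
    int newsize = bufsize + 256;       /* -1 + 256 = 255 */
    unsigned char *p = realloc(b->data, (size_t)newsize);
    if (p == NULL) return b->size;
    b->data = p;
    b->size = (unsigned long)newsize;  /* 255 bytes backing a 4 GiB read */
    return b->size;
}

/* Hardened shape: unsigned end to end, a protocol-level cap on the length
 * (MAX_CUT_TEXT is a constructed limit), and size arithmetic that cannot wrap. */
#define MAX_CUT_TEXT (1UL << 20)

bool safe_check_buffer_size(struct net_buf *b, uint32_t len)
{
    if (len > MAX_CUT_TEXT) return false;  /* reject before touching any buffer */
    size_t need = (size_t)len + 256;       /* len <= 1 MiB, so this cannot wrap */
    if (b->size >= need) return true;
    unsigned char *p = realloc(b->data, need);
    if (p == NULL) return false;
    b->data = p;
    b->size = need;
    return true;
}

/* The invariant a correct check must establish before ReadExact(buf, len). */
bool buffer_fits(const struct net_buf *b, uint32_t len)
{
    return b->data != NULL && b->size >= len;
}
```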
<*Source: Ariel Futoransky
Fernando Russ
Alfredo Ortega
Links: http://marc.info/?l=bugtraq&m=123369651718036&w=2
http://secunia.com/advisories/33807/
http://secunia.com/advisories/33794/
*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided solely for security research and teaching. Use at your own risk!
/-----------
358: BOOL vncClientThread::SendTextStringMessage(const char *str)
359: {
360: CARD32 len = Swap32IfLE(strlen(str));
361: if (!m_socket->SendExact((char *)&len, sizeof(len)))
362: return FALSE;
363: if (!m_socket->SendExact(str, strlen(str)))
364: return FALSE;
365:
366: return TRUE;
367: }
...
- -----------/
Modifying line 360 so that a length of 0xFFFFFFFF is sent triggers the exception in the following functions:
. For UltraVNC, in ClientConnection::Authenticate()
. For TightVNC, in ClientConnection::ReadFailureReason()
To trigger the vulnerability in ClientConnection::CheckBufferSize in ClientConnection.cpp:
/-----------
(vncClient.cpp)
1848: void vncClient::UpdateClipText(LPSTR text)
1849: {
..
..
1858: rfbServerCutTextMsg message;
1860: message.length = Swap32IfLE(strlen(text));
1861: if (!SendRFBMsg(rfbServerCutText, (BYTE *) &message, sizeof(message)))
1862: {
1863: Kill();
1864: return;
1865: }
1866: if (!m_socket->SendQueued(text, strlen(text)))
1867: {
1868: Kill();
1869: return;
1870: }
1871: }
..
- -----------/
At line 1860 the message.length field must be changed to the value 0xFFFFFFFF.
http://www.milw0rm.com/exploits/8024
Recommendations:
Vendor patches:
UltraVNC
--------
The vendor has released an updated build that fixes this security issue; download it from the vendor's site:
http://support1.uvnc.com/download/vncviewer_1054_w32.zip
http://support1.uvnc.com/download/vncviewer_1054_X64.zip