Lucene search
K

UltraVNC和TightVNC客户端整数溢出漏洞

🗓️ 04 Feb 2009 00:00:00Reported by RootType 
seebug
 seebug
🔗 www.seebug.org👁 37 Views

UltraVNC and TightVNC client integer overflow vulnerabilitie

Related
Code
ReporterTitlePublishedViews
Family
0day.today
TightVNC Authentication Failure Integer Overflow PoC
9 Feb 200900:00
zdt
Circl
CVE-2009-0388
4 Feb 200900:00
circl
Core Security
VNC Multiple Integer Overflows
3 Feb 200900:00
coresecurity
Check Point Advisories
Update Protection against UltraVNC VNCViewer Authenticate Buffer Overflow
27 Feb 200900:00
checkpoint_advisories
Check Point Advisories
UltraVNC VNCViewer Authenticate Buffer Overflow (CVE-2009-0388)
11 Oct 200900:00
checkpoint_advisories
CVE
CVE-2009-0388
4 Feb 200919:00
cve
Cvelist
CVE-2009-0388
4 Feb 200919:00
cvelist
Debian CVE
CVE-2009-0388
4 Feb 200919:00
debiancve
Exploit DB
TightVNC - Authentication Failure Integer Overflow (PoC)
9 Feb 200900:00
exploitdb
exploitpack
TightVNC - Authentication Failure Integer Overflow (PoC)
9 Feb 200900:00
exploitpack
Rows per page

                                                修改VNC服务器发送如下特制报文:

/-----------

358: BOOL vncClientThread::SendTextStringMessage(const char *str)
359: {
360:     CARD32 len = Swap32IfLE(strlen(str));
361:     if (!m_socket->SendExact((char *)&len, sizeof(len)))
362:         return FALSE;
363:     if (!m_socket->SendExact(str, strlen(str)))
364:         return FALSE;
365:
366:     return TRUE;
367: }
...

- -----------/

修改360行,0xFFFFFFFF长度可在以下函数中触发异常:

   . 对于UltraVNC,在ClientConnection::Authenticate()中
   . 对于TightVNC,在ClientConnection::ReadFailureReason()中

如果要在ClientConnection.cpp文件的ClientConnection::CheckBufferSize函数中触发漏洞:

/-----------

(vncClient.cpp)

1848: void vncClient::UpdateClipText(LPSTR text)
1849: {
..
..
1858:    rfbServerCutTextMsg message;
1860:    message.length = Swap32IfLE(strlen(text));
1861:    if (!SendRFBMsg(rfbServerCutText, (BYTE *) &message, sizeof(message)))
1862:    {
1863:        Kill();
1864:        return;
1865:    }
1866:    if (!m_socket->SendQueued(text, strlen(text)))
1867:    {
1868:        Kill();
1869:        return;
1870:    }
1871: }
..

- -----------/

在1860行必须将message.length结构修改为0xFFFFFFFF值。


                              

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2009 00:00Current
6.2Medium risk
Vulners AI Score6.2
EPSS0.13334
37