BUGTRAQ ID: 33568
CVE(CAN) ID: CVE-2009-0388
UltraVNC and TightVNC are both open-source remote desktop (VNC) software.
The UltraVNC and TightVNC clients contain multiple integer overflow vulnerabilities. The vulnerable functions are:
. 'ClientConnection::CheckBufferSize'
. 'ClientConnection::CheckFileZipBufferSize'
UltraVNC 1.0.2 and earlier call the vulnerable functions from:
. 'ClientConnection::ReadServerCutText() : 3859'
. 'ClientConnection::Authenticate() : 1701'
TightVNC 1.3.9 and earlier call the vulnerable functions from:
. 'ClientConnection::ReadServerCutText() : 2951'
. 'ClientConnection::ReadFailureReason() : 3066'
Because the code is shared, other VNC clients may also be affected. The integer overflow occurs as follows:
/-----------
unsigned int len;                 /* note the unsigned int */
/* read len from the network (placeholder for the actual read) */
len = network.read_placeholder();
/* check that the network read buffer is at least as big as len */
CheckBufferSize( len );           /* or CheckFileZipBufferSize(len); */
/* use the network read buffer */
/* ... */
-----------/
Here CheckBufferSize is as follows:
/-----------
(ClientConnection.cpp)
4185: // Makes sure netbuf is at least as big as the specified size.
4186: // Note that netbuf itself may change as a result of this call.
4187: // Throws an exception on failure.
4188: void ClientConnection::CheckBufferSize(int bufsize)
4189: {
4190:     if (m_netbufsize > bufsize) return;
...
-----------/
CheckFileZipBufferSize is as follows:
/-----------
(ClientConnection.cpp)
4238: void ClientConnection::CheckFileZipBufferSize(int bufsize)
4239: {
4240:     unsigned char *newbuf;
4241:
4242:     if (m_filezipbufsize > bufsize) return;
...
-----------/
Functions such as CheckFileZipBufferSize() and CheckFileChunkBufferSize() have the same problem. The mismatch between the signed int parameter bufsize and the unsigned long buffer sizes m_netbufsize and m_filezipbufsize is what triggers the integer overflow: a length read from the network as an unsigned 32-bit value is passed as a signed int, so a large value becomes negative, the size check passes, and the buffer allocated from bufsize is far smaller than the number of bytes the caller then reads into it.
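The following added example (not the UltraVNC/TightVNC source) models the signed/unsigned mismatch in the CheckBufferSize check quoted above beside a hardened form; ClientModel, kMaxNetBuf and the helper names are assumptions made for the example.

```cpp
#include <cstdint>
#include <cstddef>
#include <stdexcept>
#include <vector>

// Simplified model of the client state the advisory describes: the buffer size is
// tracked as an unsigned long, the length arrives as a 32-bit value off the wire.
struct ClientModel {
    std::vector<unsigned char> netbuf;
    unsigned long netbufsize = 0;
};

// The 32-bit wire length viewed as the signed int that CheckBufferSize(int) takes:
// 0xFFFFFFFF becomes -1.
int wire_len_as_int(uint32_t len) { return static_cast<int>(len); }

// Vulnerable pattern, modelled on the quoted check (not verbatim project code):
// the comparison promotes a negative bufsize to unsigned, so the early return is
// skipped, and bufsize + 256 becomes a tiny allocation. Returns the allocated size.
size_t check_buffer_size_vulnerable(ClientModel &c, int bufsize) {
    // The cast below is exactly what the implicit int -> unsigned long conversion does.
    if (c.netbufsize > static_cast<unsigned long>(bufsize)) return c.netbufsize;
    c.netbuf.assign(static_cast<size_t>(bufsize + 256), 0);   // -1 + 256 == 255 bytes
    c.netbufsize = c.netbuf.size();
    return c.netbufsize;
}

// Hardened form: keep the length unsigned end to end and bound it by a policy
// limit before doing any arithmetic on it. kMaxNetBuf is an assumed value.
constexpr uint32_t kMaxNetBuf = 16u * 1024u * 1024u;

size_t check_buffer_size_safe(ClientModel &c, uint32_t len) {
    if (len > kMaxNetBuf)
        throw std::length_error("server-supplied length exceeds kMaxNetBuf");
    size_t needed = static_cast<size_t>(len) + 256;   // cannot wrap: len <= 16 MiB
    if (c.netbufsize >= needed) return c.netbufsize;
    c.netbuf.assign(needed, 0);
    c.netbufsize = needed;
    return c.netbufsize;
}

// Would a subsequent ReadExact(netbuf, len) stay inside the allocation?
bool read_fits(const ClientModel &c, uint32_t len) {
    return static_cast<unsigned long>(len) <= c.netbufsize;
}
```

With the vulnerable check, a wire length of 0xFFFFFFFF yields a 255-byte buffer while the caller still expects to read 4 GiB into it; the hardened check rejects the length before any allocation.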
Affected versions:
TightVNC TightVNC 1.3.9
UltraVNC UltraVNC 1.0.5
UltraVNC UltraVNC 1.0.2
Vendor patch:
The vendor has released an upgrade patch that fixes this security issue. Download it from the vendor's homepage:
http://support1.uvnc.com/download/vncviewer_1054_w32.zip
http://support1.uvnc.com/download/vncviewer_1054_X64.zip
A modified VNC server sends the following crafted message:
/-----------
358: BOOL vncClientThread::SendTextStringMessage(const char *str)
359: {
360: CARD32 len = Swap32IfLE(strlen(str));
361: if (!m_socket->SendExact((char *)&len, sizeof(len)))
362: return FALSE;
363: if (!m_socket->SendExact(str, strlen(str)))
364: return FALSE;
365:
366: return TRUE;
367: }
...
-----------/
Modifying line 360 so that the length is 0xFFFFFFFF triggers the exception in the following functions:
. for UltraVNC, in ClientConnection::Authenticate()
. for TightVNC, in ClientConnection::ReadFailureReason()
To trigger the vulnerability in the ClientConnection::CheckBufferSize function in ClientConnection.cpp:
/-----------
(vncClient.cpp)
1848: void vncClient::UpdateClipText(LPSTR text)
1849: {
...
1858: rfbServerCutTextMsg message;
1860: message.length = Swap32IfLE(strlen(text));
1861: if (!SendRFBMsg(rfbServerCutText, (BYTE *) &message, sizeof(message)))
1862: {
1863: Kill();
1864: return;
1865: }
1866: if (!m_socket->SendQueued(text, strlen(text)))
1867: {
1868: Kill();
1869: return;
1870: }
1871: }
...
-----------/
At line 1860, the message.length field must be changed to the value 0xFFFFFFFF.