On Sun, 9 Dec 2012 15:54:22 -0700
Brett Wuth <w...@castrov.cuug.ab.ca> wrote:

> Hi,
> 
> This bug has cropped up on one of the systems I administer.  It
> appears to be the result of *all* client IPv6 addresses being
> incorrectly translated into the IPv4 address 0.0.0.0, and so lumped in
> together thus enabling a denial of service.
> 
> The critical code appears to be in
> vnc4-4.1.1+X4.3.0/common/network/TcpSocket.cxx
> 
> char* TcpSocket::getPeerAddress() {
>   struct sockaddr_in  info;
>   struct in_addr    addr;
>   VNC_SOCKLEN_T info_size = sizeof(info);
> 
>   getpeername(getFd(), (struct sockaddr *)&info, &info_size);
>   memcpy(&addr, &info.sin_addr, sizeof(addr));
> 
>   char* name = inet_ntoa(addr);
>   if (name) {
>     return rfb::strDup(name);
>   } else {
>     return rfb::strDup("");
>   }
> }
> 
> where inet_ntoa assumes an IPv4 address, so returns 0.0.0.0.
> 
> This erroneous address is then matched with other IPv6 attempts in:
> 
> vnc4-4.1.1+X4.3.0/common/rfb/VNCServerST.cxx
> 
> void VNCServerST::addSocket(network::Socket* sock, bool outgoing)
> {
>   // - Check the connection isn't black-marked
>   // *** do this in getSecurity instead?
>   CharArray address(sock->getPeerAddress());
>   if (blHosts->isBlackmarked(address.buf)) {
>     connectionsLog.error("blacklisted: %s", address.buf);
>     try {
>       SConnection::writeConnFailedFromScratch("Too many security failures",
>                                               &sock->outStream());
> 
> Cheers,
> -- 
> Brett Wuth  w...@castrov.cuug.ab.ca w...@acm.org
> Box 1251-U, Pincher Creek, Alberta T0K 1W0, CANADA  Tel:+1 403 627-2460
> OpenPGP FingerPrint=628F C9DA BDBC 2A0E 18F1  2F6A 3300 8422 BE6A 0E79
> What is the meaning of life?!  Yes.

First, please title the bug reports properly, a bug report titled "IPv6" does
not tell much.

Second, if you are so knowledgeable in the nature of the problem, surely you
must have a verified patch to propose, that fixes it?

Finally, to clarify: there is no denial of service against VNC in general,
it's just that the rate limiting of incorrect connection attempts currently
applies to all IPv6 addresses that are trying to connect, rather than to
actual specific ones. And rate-limiting individual IPv6 addresses is kind of
pointless anyway -- until proper subnet-matching support is implemented --
since an attacker could easily instantiate many millions of different unique
addresses even within their /64.

Of course one could argue that to do such rate-limiting in each app is a wrong
idea altogether, and this is actually the job of ip6tables.

-- 
With respect,
Roman

~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Stallman had a printer,
with code he could not see.
So he began to tinker,
and set the software free."
