Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: RealVNC 4.1.2 minor heap corruption/DoS vulnerability (authentication required)

From: Juha-Matti Laurio <juha-matti.laurio () netti fi>
Date: Mon, 21 Aug 2006 02:41:39 +0300 (EEST)
They probably will post patch information here:
http://www.realvnc.com/pipermail/vnc-announce/2006/date.html

- Juha-Matti
Niall FitzGibbon <fitzgibbon () blueyonder co uk> wrote:
This vulnerability affects the latest version of RealVNC (4.1.2) on all platforms. It is tested on Windows.
To exploit the vulnerability, the attacker must either control a connected and authenticated client connected to a vulnerable VNC server or control a VNC server with at least one vulnerable connected and authenticated client.
The attack exploits a signed/unsigned integer mismatch leading to an integer overflow and subsequent allocation of very large or zero size areas on the heap. The result of the attack is Denial of Service due to heap corruption and improper program flow. It doesn't seem possible to exploit the heap corruption in order to gain code execution the source of the copy operation is not defined by the attacker. The attack is thus of limited usefulness due to the necessity of prior authentication. 

The vulnerability lies in the following functions:
rfb/SMsgReader.cxx : readClientCutText()
rfb/CMsgReader.cxx : readServerCutText()
These functions handle clipboard changes propagated from the other party. The simplest way to trigger this vulnerability is to modify the CMsgWriter::clientCutText or SMsgWriter::writeServerCutText in order to send an integer length of -1 on clipboard updates. This results in an allocation of zero bytes to the heap on the other party and subsequent write of a zero terminator to an address immediately before the allocated zero-length buffer followed by a large memcpy to that buffer. When an exception is finally thrown, RealVNC handles this by terminating the connection and possibly the process, throwing an error message about the message type.
Reported to vendor (v4bugs () realvnc com) 01 August 2006. No response at time of writing. 



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: