BUGTRAQ ID: 33568
CVE(CAN) ID: CVE-2009-0388

UltraVNC and TightVNC are both open-source remote terminal emulation software.

The UltraVNC and TightVNC clients contain multiple integer overflow vulnerabilities. The vulnerable functions are:

. 'ClientConnection::CheckBufferSize'
. 'ClientConnection::CheckFileZipBufferSize'

UltraVNC 1.0.2 and earlier call the vulnerable functions from:

. 'ClientConnection::ReadServerCutText() : 3859'
. 'ClientConnection::Authenticate() : 1701'

TightVNC 1.3.9 and earlier call the vulnerable functions from:

. 'ClientConnection::ReadServerCutText() : 2951'
. 'ClientConnection::ReadFailureReason() : 3066'

Because the code is shared, other VNC clients may also be affected. The integer overflow arises as follows:

/-----------
unsigned int len; /* note the *unsigned int* */
// read len from the net
len = network.read_placeholder();
// check the size to ensure the network-related read buffer is at least as big as needed
CheckBufferSize( len ); // or CheckZipBufferSize(len);
// use the network-related read buffer
// ...
-----------/

Here CheckBufferSize is as follows:

/-----------
(ClientConnection.cpp)
// Makes sure netbuf is at least as big as the specified size.
// Note that netbuf itself may change as a result of this call.
// Throws an exception on failure.
void ClientConnection::CheckBufferSize(int bufsize)
{
    if (m_netbufsize > bufsize) return;
    ...
    ...
-----------/

CheckZipBufferSize is as follows:

/-----------
(ClientConnection.cpp)
void ClientConnection::CheckFileZipBufferSize(int bufsize)
{
    unsigned char *newbuf;

    if (m_filezipbufsize > bufsize) return;
    ...
    ...
-----------/

Functions such as CheckFileZipBufferSize() and CheckFileChunkBufferSize() have a similar problem. The bufsize parameter (signed int) and the m_netbufsize and m_filezipbufsize buffers (unsigned long) together trigger the integer overflow.

TightVNC TightVNC 1.3.9
UltraVNC UltraVNC 1.0.5
UltraVNC UltraVNC 1.0.2

Vendor patch:

UltraVNC
--------
The vendor has released an upgrade patch that fixes this security issue. Download it from the vendor's site:

http://support1.uvnc.com/download/vncviewer_1054_w32.zip
http://support1.uvnc.com/download/vncviewer_1054_X64.zip
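The signed/unsigned length handling described above, shown next to a hardened size check. This is an added example, not code from UltraVNC, TightVNC or the advisory. The names NetBuffer, ensure, handle, seen_by_int_param and the 1 MiB cap kMaxTextLen are assumptions, and the header layout is the RFB ServerCutText message (type, 3 padding bytes, big-endian U32 length).

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Assumed policy limit for one server-supplied text blob (not from the page).
constexpr std::size_t kMaxTextLen = 1u << 20;

// Decode the big-endian U32 length field of an RFB ServerCutText header
// (1 byte type, 3 bytes padding, 4 bytes length).
std::uint32_t cut_text_len(const std::uint8_t hdr[8]) {
    return (std::uint32_t(hdr[4]) << 24) | (std::uint32_t(hdr[5]) << 16) |
           (std::uint32_t(hdr[6]) << 8) | std::uint32_t(hdr[7]);
}

// What a callee declared as f(int bufsize) receives for that length:
// values >= 0x80000000 arrive as negative numbers.
int seen_by_int_param(std::uint32_t len) { return static_cast<int>(len); }

// Hardened counterpart (hypothetical class): the size stays unsigned end to
// end and is capped before any allocation or read is sized from it.
class NetBuffer {
public:
    // Returns false (caller should drop the connection) for oversized lengths.
    bool ensure(std::size_t need) {
        if (need > kMaxTextLen) return false;
        if (buf_.size() < need) buf_.resize(need);
        return true;
    }
    std::size_t size() const { return buf_.size(); }
private:
    std::vector<std::uint8_t> buf_;
};

// Constructed sample headers: a 5-byte text and a 0xFFFFFFFF length.
const std::uint8_t kSmallHdr[8] = {3, 0, 0, 0, 0x00, 0x00, 0x00, 0x05};
const std::uint8_t kHugeHdr[8]  = {3, 0, 0, 0, 0xFF, 0xFF, 0xFF, 0xFF};

// Returns the buffer size after handling hdr, or -1 if the length is rejected.
long handle(NetBuffer& nb, const std::uint8_t hdr[8]) {
    return nb.ensure(cut_text_len(hdr)) ? static_cast<long>(nb.size()) : -1;
}

int main() {
    NetBuffer nb;
    std::printf("small=%ld huge=%ld int_view=%d\n", handle(nb, kSmallHdr),
                handle(nb, kHugeHdr), seen_by_int_param(cut_text_len(kHugeHdr)));
}
```

The same wire value that the `int` parameter sees as negative is rejected outright once the length is carried as an unsigned size and compared against an explicit cap.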