[Bug 1808989] Re: tightvnc vulnerabilities

2018-12-20 Thread Pavel Cheremushkin
In particular, the following 4 issues are related to the tightvnc viewer:


1. global buffer overflow in corre.c
In `vnc_unixsrc/vncviewer/corre.c` inside the `HandleCoRREBPP` function a
global buffer overflow occurs due to the lack of a size check.
`buffer` is defined in rfbproto.c:96 as `char buffer[640*480];`. Inside the
`HandleCoRREBPP` function data is read into the buffer with
`ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8)))` where
`hdr.nSubrects` is a 32-bit unsigned integer controlled by the remote user.

2. heap buffer overflow in rfbServerCutText handler
Heap buffer overflow in the `rfbServerCutText` handler inside
`HandleRFBServerMessage` happens due to an unsigned integer overflow of the
malloc argument on line rfbproto.c:1220. Suppose msg.sct.length equals 0x,
then `malloc(msg.sct.length+1);` = `malloc(0);` will allocate a small heap chunk
of size 0x10. But `msg.sct.length` = 0x bytes may be read into this chunk
on line 1222 (`ReadFromRFBServer(serverCutText, msg.sct.length)`).

3. heap buffer overflow in InitialiseRFBConnection function
Heap buffer overflow in the `InitialiseRFBConnection` function happens due to an
unsigned integer overflow of the malloc argument on line rfbproto.c:307. Because of
the integer overflow the `malloc` function will allocate a small heap chunk of size
0x10 and 0x bytes will be read into the chunk by the ReadFromRFBServer
function.

4. null-ptr dereference in `zlib.c`
Because the malloc result is not checked after allocation on line zlib.c:56, a
null pointer dereference is possible if the malloc argument is too big and malloc
fails to allocate memory. Allocation of the raw buffer: `raw_buffer = (char*)
malloc( raw_buffer_size );`; the next usage of raw_buffer is on line 68.

P.S. As stated in the same thread of the mailing list by Solar Designer,
tightvnc (as well as libvnc) suffers from the user completely controlling the
size of the allocation, which may lead to resource exhaustion, and also the
LibVNC fix by casting to (uint64_t) seems to be insufficient, because
malloc() has a size_t argument and the issue will remain on 32-bit platforms.
So proper allocation limiting is required to completely fix this issue.


** Tags added: security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1808989

Title:
  tightvnc vulnerabilities

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tightvnc/+bug/1808989/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
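As an added example (not code from tightvnc, LibVNC or the reporter), this is the allocation limiting the P.S. above calls for: the server-supplied length is bounded before `malloc`, so the `length + 1` wrap cannot happen whether size_t is 32 or 64 bits, and the CoRRE subrect count is checked against the fixed 640*480 buffer. The `MAX_SERVER_LEN` limit and the function names are assumptions for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical policy limit on server-supplied lengths; tightvnc has no such
 * constant, the value here is an assumption made for this example. */
#define MAX_SERVER_LEN (1u << 20)          /* 1 MiB */

/* Size of the fixed global buffer from issue 1: char buffer[640*480]. */
#define RFB_BUFFER_SIZE ((size_t)640 * 480)

/* Allocation size for reading len + extra bytes of untrusted data. Rejects the
 * uint32 wrap (0xffffffff + 1 == 0) and anything above the policy limit. */
bool bounded_alloc_size(uint32_t len, size_t extra, size_t *out)
{
    if (len > MAX_SERVER_LEN)   /* policy limit also blocks exhaustion */
        return false;
    *out = (size_t)len + extra; /* cannot wrap: len <= 1 MiB */
    return true;
}

/* Replacement for "serverCutText = malloc(msg.sct.length + 1)": returns NULL
 * on an out-of-policy length or on allocation failure (issue 4's missing check). */
char *alloc_cut_text(uint32_t length)
{
    size_t n;
    if (!bounded_alloc_size(length, 1, &n))
        return NULL;
    char *p = malloc(n);
    if (p != NULL)
        p[length] = '\0';       /* room for the terminator was reserved above */
    return p;
}

/* Does hdr.nSubrects * (4 + bpp/8) fit in the fixed buffer? Uses division so
 * the check itself cannot overflow, unlike the multiplication it guards. */
bool corre_subrects_fit(uint32_t nSubrects, int bpp)
{
    return nSubrects <= RFB_BUFFER_SIZE / (4 + (size_t)bpp / 8);
}

int main(void)
{
    printf("%s %d\n", alloc_cut_text(0xffffffffu) ? "allocated" : "rejected",
           corre_subrects_fit(1000, 32));
    return 0;
}
```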

tightvnc vulnerabilities

2018-12-17 Thread Pavel Cheremushkin
Hello,

I found this e-mail as the maintainer of the xtightvncviewer package in the Ubuntu 18.04
release.

I wanted to warn you that recently I have reported 4 vulnerabilities in
tightvnc 1.3.X, which is used in Ubuntu, and the developers refused to patch these
vulnerabilities. More information, including an overview of the vulnerabilities:
https://www.openwall.com/lists/oss-security/2018/12/10/5


Best Regards,
Pavel Cheremushkin
Security Researcher| ICS CERT Vulnerability Research Group | Kaspersky Lab
39A bld.2 Leningradskoye Highway, Moscow 125212, Russia | 
www.kaspersky.com, www.securelist.com

-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss