On Wed, May 04, 2011 at 10:51:06PM -0400, Brian Hinz wrote:
> I think that I just stumbled onto a possible security vulnerability in
> CSecurityTLS. It seems as though CSecurityTLS::processMsg returns true
> before the handshake has completed (possibly due to the "if (is.readU8() ==
> 0)" test on line 174). In the case of secTypes like x509plain, the user is
> prompted for a username and password (meaning the client is processing phase
> 2 of the security stack) before the certificate has been verified. I
> noticed this while testing a known bad certificate - presumably this means
> that the username & password are sent in the clear since the TLS handshake
> never completes.
Thanks for spotting this. The server should send 0, if he can't start the
handshake - so it
is still possible to sent the error messages back to the client.
The problem is, that a malicus server could send 0 and then authentification
succeded. It is caused by the fact, the I reused the common code for returing
the
error message.
A solution can be, that the error fetching code from
CConnection::processSecurityResultMsg
is inlined in CSecurityTLS::processMsg, like the following (untested):
diff --git a/common/rfb/CSecurityTLS.cxx b/common/rfb/CSecurityTLS.cxx
index 6028792..17ed93c 100644
--- a/common/rfb/CSecurityTLS.cxx
+++ b/common/rfb/CSecurityTLS.cxx
@@ -171,8 +171,15 @@ bool CSecurityTLS::processMsg(CConnection* cc)
if (!is->checkNoWait(1))
return false;
- if (is->readU8() == 0)
- return true;
+ if (is->readU8() == 0) {
+ int result = is->readU32();
+ CharArray reason;
+ if (result == secResultFailed || result == secResultTooMany)
+ reason.buf = is->readString();
+ else
+ reason.buf = strDup("Authentication failure (protocol error)");
+ throw AuthFailureException(reason.buf);
+ }
if (gnutls_init(&session, GNUTLS_CLIENT) != GNUTLS_E_SUCCESS)
throw AuthFailureException("gnutls_init failed");
Regards,
Martin K?gler
------------------------------------------------------------------------------
WhatsUp Gold - Download Free Network Management Software
The most intuitive, comprehensive, and cost-effective network
management toolset available today. Delivers lowest initial
acquisition cost and overall TCO of any competing solution.
http://p.sf.net/sfu/whatsupgold-sd
_______________________________________________
Tigervnc-devel mailing list
Tigervnc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tigervnc-devel