UltraVNC and TightVNC are both open-source remote terminal emulation programs. The UltraVNC and TightVNC clients contain multiple integer overflow vulnerabilities. The vulnerable functions are:

. 'ClientConnection::CheckBufferSize'
. 'ClientConnection::CheckFileZipBufferSize'

UltraVNC 1.0.2 and earlier call the vulnerable functions from:

. 'ClientConnection::ReadServerCutText() : 3859'
. 'ClientConnection::Authenticate() : 1701'

TightVNC 1.3.9 and earlier call the vulnerable functions from:

. 'ClientConnection::ReadServerCutText() : 2951'
. 'ClientConnection::ReadFailureReason() : 3066'

Because the code is shared, other VNC clients may also be affected. The integer overflow arises as follows:

/-----------
unsigned int len; /* note the *unsigned int* */

// read len from the net
len = network.read_placeholder();

// check the size to ensure the network read buffer is at least as big as needed
CheckBufferSize( len ); // or CheckZipBufferSize(len);

// use the network read buffer
// ...
- -----------/

Here CheckBufferSize is:

/-----------
(ClientConnection.cpp)
4185: // Makes sure netbuf is at least as big as the specified size.
4186: // Note that netbuf itself may change as a result of this call.
4187: // Throws an exception on failure.
4188: void ClientConnection::CheckBufferSize(int bufsize)
4189: {
4190:     if (m_netbufsize > bufsize) return;
...
...
- -----------/

and CheckFileZipBufferSize is:

/-----------
(ClientConnection.cpp)
4238: void ClientConnection::CheckFileZipBufferSize(int bufsize)
4239: {
4240:     unsigned char *newbuf;
4241:
4242:     if (m_filezipbufsize > bufsize) return;
...
...
- -----------/

Functions such as CheckFileZipBufferSize() and CheckFileChunkBufferSize() have the same problem. The integer overflow is triggered by the mismatch between the bufsize parameter (signed int) and the m_netbufsize and m_filezipbufsize buffer sizes (unsigned long).
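The following is an added example written for this page, not code from the UltraVNC or TightVNC sources. It models the signed/unsigned mismatch described above (an unsigned length from the wire narrowed to a signed int parameter, then compared against an unsigned long) beside a hardened check that keeps the length unsigned and bounds it before any arithmetic. kMaxNetBuf, kHeadroom and all function names are assumptions; the original allocation code that follows the early return is not reproduced.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <stdexcept>
#include <vector>

// Added example (not UltraVNC/TightVNC code). Models the pattern in the advisory:
// a length read from the network as unsigned int is passed to a check that takes
// a signed int and compares it against an unsigned long buffer size.

// What the legacy check sees after the implicit unsigned int -> int conversion:
// for any length >= 2^31 the parameter is negative, so bufsize no longer means
// the number of bytes the peer asked for.
bool legacy_check_sees_negative(unsigned int len) {
    int bufsize = static_cast<int>(len);   // the narrowing the original call performs
    return bufsize < 0;
}

// The early return from the page, with the same mixed-signedness comparison:
// bufsize is promoted to unsigned long, so a negative value becomes huge, the
// check does not return early, and the negative size flows on to allocation.
bool legacy_would_return_early(unsigned long m_netbufsize, int bufsize) {
    return m_netbufsize > bufsize;
}

// Hardened variant: the length stays unsigned end to end, is bounded by an
// explicit maximum before any arithmetic, and the headroom addition is
// overflow-checked. kMaxNetBuf and kHeadroom are constructed values for this example.
constexpr std::size_t kMaxNetBuf = 16u * 1024u * 1024u;
constexpr std::size_t kHeadroom  = 256;

// Returns the resulting capacity; throws instead of silently mis-sizing the buffer.
std::size_t ensure_net_buffer(std::vector<unsigned char>& netbuf, std::uint32_t len) {
    std::size_t needed = len;                          // widening only, never narrowing
    if (needed > kMaxNetBuf)
        throw std::length_error("network length exceeds protocol maximum");
    if (netbuf.size() > needed) return netbuf.size();  // same early return, now meaningful
    if (needed > std::numeric_limits<std::size_t>::max() - kHeadroom)
        throw std::length_error("buffer size arithmetic would overflow");
    netbuf.resize(needed + kHeadroom);
    return netbuf.size();
}

// Helper that reports whether the hardened check rejects a given wire length.
bool hardened_rejects(std::uint32_t len) {
    std::vector<unsigned char> buf;
    try { ensure_net_buffer(buf, len); return false; }
    catch (const std::length_error&) { return true; }
}
```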