oss-sec mailing list archives
Re: Neat VNC Security Vulnerability
From: Solar Designer <solar () openwall com>
Date: Fri, 2 Aug 2024 16:53:38 +0200
On Fri, Aug 02, 2024 at 02:41:18PM +0000, Dane Bouchie wrote:
The client chooses the security type, so they can pass in "None" to the switch statement. is_allowed_security_type() now prevents that.
Oh, so was the issue a trivial authentication bypass? Evidently, logic
errors like this are easy to miss in plain sight.
switch (type) {
case RFB_SECURITY_TYPE_NONE:
security_handshake_ok(client, NULL);
client->state = VNC_CLIENT_STATE_WAITING_FOR_INIT;
break;
Should the above RFB_SECURITY_TYPE_NONE support continue to exist in the
code at all, if RFB_SECURITY_TYPE_NONE is never added to the allowed
security types array that the code now pre-checks against? Maybe it
should be #if 0'ed out, leaving it only as an example for debugging?
Thank you for the extremely prompt response.
Alexander
Current thread:
- Neat VNC Security Vulnerability Andri Yngvason (Aug 01)
- Re: Neat VNC Security Vulnerability Solar Designer (Aug 02)
- RE: Neat VNC Security Vulnerability Dane Bouchie (Aug 02)
- Re: Neat VNC Security Vulnerability Solar Designer (Aug 02)
- Re: Neat VNC Security Vulnerability Andri Yngvason (Aug 02)
- RE: Neat VNC Security Vulnerability Dane Bouchie (Aug 02)
- Re: Neat VNC Security Vulnerability Solar Designer (Aug 02)
- <Possible follow-ups>
- RE: Neat VNC Security Vulnerability Dane Bouchie (Aug 02)
- Re: Neat VNC Security Vulnerability Salvatore Bonaccorso (Aug 03)