Re: Neat VNC Security Vulnerability

[Andri Yngvason <andri () yngvason is>]

fös., 2. ágú. 2024 kl. 14:53 skrifaði Solar Designer <solar () openwall com>:
> On Fri, Aug 02, 2024 at 02:41:18PM +0000, Dane Bouchie wrote:
> > The client chooses the security type, so they can pass in "None" to the switch statement. 
> > is_allowed_security_type() now prevents that.
>
> Oh, so was the issue a trivial authentication bypass?  Evidently, logic
> errors like this are easy to miss in plain sight.

Yes, and yes.

>         switch (type) {
>         case RFB_SECURITY_TYPE_NONE:
>                 security_handshake_ok(client, NULL);
>                 client->state = VNC_CLIENT_STATE_WAITING_FOR_INIT;
>                 break;
>
> Should the above RFB_SECURITY_TYPE_NONE support continue to exist in the
> code at all, if RFB_SECURITY_TYPE_NONE is never added to the allowed
> security types array that the code now pre-checks against?  Maybe it
> should be #if 0'ed out, leaving it only as an example for debugging?

It is added to the list if no authentication is required.

Regards,
Andri