-
-
Notifications
You must be signed in to change notification settings - Fork 66
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Crashes UltraVNC server that has MSLogonII enabled #202
Comments
MSLogon w/ MultiVNC 2.0.9server terminates afterwards 💣 ... but also, in another run: MSLogon w/ SDLvncviewer built from MultiVNC's libvncserver submoduleworks OK ✔️ |
LibVNC/libvncserver#493 is related... |
I also found this bug of UltraVNC when implementing MSLogonII for noVNC and TigerVNC. It seems if the username/password is long enough or is not null terminalted, the UltraVNC server will crash. If this happens, the encryption algorithm is likely to be incorrect so the server gets the wrong decrypteed plaintext (which may be long or not null terminated). |
@pdlan were you able to pinpoint the exact cause so we can find some kinda fix/workaround? Is it:
|
I just tested it. When the username length is > 179 the server crashes. The password length doesn't matter. |
I had the problem with "usual" usernames as well. What about the 0-termination? |
The case without null termination should be similar to long usernames because the length can be as long as 256 (if there isn't a zero by accident). If your username is very short (e.g. crashes even if the length is 8), I guess it's mostly likely to be because you don't handle DES-CBC correctly, i.e., all blocks but the first one are corrupted. |
Yeah true. |
So, I ran UltraVNC under Visual Studio debugger and found that it is throwing an exception during DH key exchange. The exception is not handled, leading to this crash. Exception source: https://github.com/ultravnc/UltraVNC/blob/1586ec05577d7b82eb19cac5746cf02d6823df5b/rfb/dh.cpp#L136 After looking around a bit, it seems that UltraVNC limits DH key to 31bits, and when LibVNCClient sends 64bit public key, it throws an exception. BTW, AVNC with wolfSSL has same issue, so it doesn't seem to related to OpenSSL specifically. I can't explain why it works in some cases for you guys. For me, It always crashes, even for 4-5 character username. UltraVNC version: 1.4.0.6 from GitHub |
Oh, it seems that you guys might find a different bug from what I found. The long username bug occurs even with UltraVNC client + server. |
BTW I don't think the length limit is a issue because the UltraVNC server always sends a prime < maxNum, so no matter how big the client's private key is, the public key sent by it should always be < prime < maxNum as long as the implementation is correct. |
The issue seems to be incorrect handling of buffers used for holding DH keys crypto_openssl.c.
Now, LibVNCClient already uses If I manually pad the buffer with this quick patch, I can connect successfully. |
Great work @gujjwal00! (as always) Can you whip up a PR for libvncclient? |
Sure 👍 |
If you'd like to put out an incentive for fixing this bug, you can do so at https://issuehunt.io/r/bk138/multivnc?tab=idle
Is your bug report about the Desktop Multivnc or the Mobile MultiVNC?
Which MultiVNC version are you using?
2.0.9
Which server are you connecting to?
Describe the bug
Crashes UltraVNC server that has MSLogonII enabled
To Reproduce
Expected Behavior
server does not crash ;-)
Screenshots
For the Desktop Version (please complete the following information):
For the Mobile Version (please complete the following information):
Additional context
The text was updated successfully, but these errors were encountered: