Update: UltraVNC 1.4.3.6 and UltraVNC SC 1.4.3.6: https://forum.uvnc.com/viewtopic.php?t=37885
Important: Please update to latest version before to create a reply, a topic or an issue: https://forum.uvnc.com/viewtopic.php?t=37864
Join us on social networks and share our announcements:
- Website: https://uvnc.com/
- GitHub: https://github.com/ultravnc
- Mastodon: https://mastodon.social/@ultravnc
- Facebook: https://www.facebook.com/ultravnc1
- X/Twitter: https://x.com/ultravnc1
- Reddit community: https://www.reddit.com/r/ultravnc
- OpenHub: https://openhub.net/p/ultravnc
Important: Please update to latest version before to create a reply, a topic or an issue: https://forum.uvnc.com/viewtopic.php?t=37864
Join us on social networks and share our announcements:
- Website: https://uvnc.com/
- GitHub: https://github.com/ultravnc
- Mastodon: https://mastodon.social/@ultravnc
- Facebook: https://www.facebook.com/ultravnc1
- X/Twitter: https://x.com/ultravnc1
- Reddit community: https://www.reddit.com/r/ultravnc
- OpenHub: https://openhub.net/p/ultravnc
This version is vulnerable to a dll exploit
This version is vulnerable to a dll exploit
Hello,
I registered on this forum to specifically disclose that release 1.0.6.x is vulnerable to a specific problem relating to the way Ultra VNC handles the loading of external libraries when opening filetypes related to the program. In this case, when opening .vnc files, version 1.0.6.x will attempt to open up any and all external dlls located in the source folder of the file. An attacker can supply a malicious dll at this point and quickly take control of the system. I was using Windows Vista as my Windows version, but this vulnerability will work on any version of Windows in existence.
Here is a post from the researcher that discovered and publicized this: http://blog.metasploit.com/2010/08/expl ... flaws.html
Here is the MS Security Advisory:
https://www.microsoft.com/technet/secur ... 69637.mspx
If you have any questions, feel free to reply to this post or email me. If you feel this post needs to be deleted, I don't care. You guys did not have a support contact email. Also your forums send users their passwords in cleartext in the activation email. Shame on you for that.
-g3k
I registered on this forum to specifically disclose that release 1.0.6.x is vulnerable to a specific problem relating to the way Ultra VNC handles the loading of external libraries when opening filetypes related to the program. In this case, when opening .vnc files, version 1.0.6.x will attempt to open up any and all external dlls located in the source folder of the file. An attacker can supply a malicious dll at this point and quickly take control of the system. I was using Windows Vista as my Windows version, but this vulnerability will work on any version of Windows in existence.
Here is a post from the researcher that discovered and publicized this: http://blog.metasploit.com/2010/08/expl ... flaws.html
Here is the MS Security Advisory:
https://www.microsoft.com/technet/secur ... 69637.mspx
If you have any questions, feel free to reply to this post or email me. If you feel this post needs to be deleted, I don't care. You guys did not have a support contact email. Also your forums send users their passwords in cleartext in the activation email. Shame on you for that.
-g3k
- Rudi De Vos
- Admin & Developer
- Posts: 6865
- Joined: 2004-04-23 10:21
- Contact:
Re: This version is vulnerable to a dll exploit
I'm glad you guys took this seriously and you were able to come up with a solution to this problem in such short time.
If you need to get in touch with me, PM me here and I will give you my contact email. I will be deleting this account in a few days.
If you need to get in touch with me, PM me here and I will give you my contact email. I will be deleting this account in a few days.
Re: This version is vulnerable to a dll exploit
Hi everyone,
I'm having a problem with this security update. After applying it (extracting to my UltraVNC folder) my VNC sessions are not encrypted anymore.
When using a fresh UlraVNC 1.0.8.2 installation with my rc4.key I can see the following connection info screen:
After applying the security update (extracting the new vncviewer.exe and vncviewer_64.exe) my VNC connections are not encrypted anymore. I get the following connection info screen:
I use MSRC4Plugin.dsm, server is running in listening mode. When a user connectes with the Single-Click program the connection is not encrypted anymore.
Without applying the security update VNC sessions are encrypted.
The Single-Click program remains unchanged during both sessions. The only thing that is different is the security update.
Anybody else who has this problem?
Do you know how to get encrypted sessions again?
Thank you very much for your help.
I'm having a problem with this security update. After applying it (extracting to my UltraVNC folder) my VNC sessions are not encrypted anymore.
When using a fresh UlraVNC 1.0.8.2 installation with my rc4.key I can see the following connection info screen:
After applying the security update (extracting the new vncviewer.exe and vncviewer_64.exe) my VNC connections are not encrypted anymore. I get the following connection info screen:
I use MSRC4Plugin.dsm, server is running in listening mode. When a user connectes with the Single-Click program the connection is not encrypted anymore.
Without applying the security update VNC sessions are encrypted.
The Single-Click program remains unchanged during both sessions. The only thing that is different is the security update.
Anybody else who has this problem?
Do you know how to get encrypted sessions again?
Thank you very much for your help.
- Rudi De Vos
- Admin & Developer
- Posts: 6865
- Joined: 2004-04-23 10:21
- Contact:
Re: This version is vulnerable to a dll exploit
The patch limit the search path for dll and key...
Are you using a .vnc to start the viewer.
WHere is the encryption dll/key installed.. path ?
Are you using a .vnc to start the viewer.
WHere is the encryption dll/key installed.. path ?
Re: This version is vulnerable to a dll exploit
I start the server usingRudi De Vos wrote:The patch limit the search path for dll and key...
Are you using a .vnc to start the viewer.
Code: Select all
"C:\Program Files\UltraVNC\vncviewer.exe" -dsmplugin msrc4plugin.dsm -listen 5500
If the encryption dll is the MSRC4Plugin.dsm then its in C:\Program Files\UltraVNC\ as well as C:\Program Files\UltraVNC\Plugins. The rc4.key is in C:\Program Files\UltraVNC\.Rudi De Vos wrote:WHere is the encryption dll/key installed.. path ?
- Rudi De Vos
- Admin & Developer
- Posts: 6865
- Joined: 2004-04-23 10:21
- Contact:
Re: This version is vulnerable to a dll exploit
I need to verify this...with procmon utility.
If you have time, you can also check it yourself...
download procmon
http://technet.microsoft.com/en-us/sysi ... 96645.aspx
The createfile in procmon show all the paths used to search for the key.
The encryption plugin is found, else it wouldn't be shown in the viewer gui...but there seems to be a problem with the key location.
Possible placing the key in windows/system32 will work..
If you have time, you can also check it yourself...
download procmon
http://technet.microsoft.com/en-us/sysi ... 96645.aspx
The createfile in procmon show all the paths used to search for the key.
The encryption plugin is found, else it wouldn't be shown in the viewer gui...but there seems to be a problem with the key location.
Possible placing the key in windows/system32 will work..
Re: This version is vulnerable to a dll exploit
Procmon shows createfile entries with many directories including the one where rc4.key is located ("C:\Program Files\UltraVNC").Rudi De Vos wrote:If you have time, you can also check it yourself...
[...]
The createfile in procmon show all the paths used to search for the key.
The encryption plugin is found, else it wouldn't be shown in the viewer gui...but there seems to be a problem with the key location.
I tried that one too but the session is still not encrypted.Possible placing the key in windows/system32 will work..
I will post the output of procmon a little later. Do you have any other suggestions in the meantime?
Thanks for your fast reply.
Last edited by grizzly on 2010-09-09 13:53, edited 1 time in total.
- Rudi De Vos
- Admin & Developer
- Posts: 6865
- Joined: 2004-04-23 10:21
- Contact:
Re: This version is vulnerable to a dll exploit
It looks to me that your server isn't using encryption.
1) If you set encryption on the viewer, he can connect with a encrypted
(same key) and non encrypted server.
2) If the server has encryption, he can only connect with a viewer with the same key. A non encrypted viewer can't connect with an encrypted server.... this is part of the security.
The jpg show, that viewer has set encryption, but server isn't using it...
You can easy verify it on the viewer.
Select dsm plugin, click config... then he tell if the key is found or not.
Check if the server is realy encrypted.... you can always redownload the 108 viewer to check it with the old version.
1) If you set encryption on the viewer, he can connect with a encrypted
(same key) and non encrypted server.
2) If the server has encryption, he can only connect with a viewer with the same key. A non encrypted viewer can't connect with an encrypted server.... this is part of the security.
The jpg show, that viewer has set encryption, but server isn't using it...
You can easy verify it on the viewer.
Select dsm plugin, click config... then he tell if the key is found or not.
Check if the server is realy encrypted.... you can always redownload the 108 viewer to check it with the old version.
Last edited by Rudi De Vos on 2010-09-09 17:27, edited 1 time in total.
-
- 8
- Posts: 14
- Joined: 2010-09-10 14:46
Re: This version is vulnerable to a dll exploit
Please, someone can say me where is the code of the patch? in which module/code is the patch?
I am looking on the source code, but I cannot find any reference or other element that permit to identify the correction;
thank you.
I am looking on the source code, but I cannot find any reference or other element that permit to identify the correction;
thank you.
- Rudi De Vos
- Admin & Developer
- Posts: 6865
- Joined: 2004-04-23 10:21
- Contact:
Re: This version is vulnerable to a dll exploit
330 SetDllDirectory(""); <<<<<<<<<<<<<<<<<<<
331 m_hInstResDLL = LoadLibrary("vnclang.dll"); m_hInstResDLL = LoadLibrary("vnclang.dll");
one line of code to exclude path of .vnc
source was uploaded to svn on sourceforeforge
331 m_hInstResDLL = LoadLibrary("vnclang.dll"); m_hInstResDLL = LoadLibrary("vnclang.dll");
one line of code to exclude path of .vnc
source was uploaded to svn on sourceforeforge
Last edited by Rudi De Vos on 2010-09-10 23:03, edited 1 time in total.
Re: This version is vulnerable to a dll exploit
Thats what I did. After extracting the two files from the patch the connection from the UltraVNC Single Click program is always unencrypted.Rudi De Vos wrote:Check if the server is realy encrypted.... you can always redownload the 108 viewer to check it with the old version.
Without applying the patch on the server the connection is always encrypted.
Any idea?
- Rudi De Vos
- Admin & Developer
- Posts: 6865
- Joined: 2004-04-23 10:21
- Contact:
Re: This version is vulnerable to a dll exploit
If you created SC with encryption plugin and key then only a viewer with encryption and the same key can connect.
If you can connect with an unencrypted viewer to an encrypted server there is a real security issue. This should never be possible.
Does the viewer fail to connect ?
-the server doesn't encrypt anything, and the old version didn't showed the message "not encrypted"
-the new viewer encrypt, but show wrong message
Can you test:
If you are using 108, without encryption (old viewer)
C:\Program Files\UltraVNC\vncviewer.exe" -listen 5500
Can the SC connect ?
Else you need to mail me the SC so i can veirfy if the data is realy encrypted.
If you can connect with an unencrypted viewer to an encrypted server there is a real security issue. This should never be possible.
Does the viewer fail to connect ?
-the server doesn't encrypt anything, and the old version didn't showed the message "not encrypted"
-the new viewer encrypt, but show wrong message
Can you test:
If you are using 108, without encryption (old viewer)
C:\Program Files\UltraVNC\vncviewer.exe" -listen 5500
Can the SC connect ?
Else you need to mail me the SC so i can veirfy if the data is realy encrypted.