This version is vulnerable to a dll exploit

[g3k]

Hello,

I registered on this forum to specifically disclose that release 1.0.6.x is vulnerable to a specific problem relating to the way Ultra VNC handles the loading of external libraries when opening filetypes related to the program. In this case, when opening .vnc files, version 1.0.6.x will attempt to open up any and all external dlls located in the source folder of the file. An attacker can supply a malicious dll at this point and quickly take control of the system. I was using Windows Vista as my Windows version, but this vulnerability will work on any version of Windows in existence.

Here is a post from the researcher that discovered and publicized this: http://blog.metasploit.com/2010/08/expl ... flaws.html

Here is the MS Security Advisory:
https://www.microsoft.com/technet/secur ... 69637.mspx

If you have any questions, feel free to reply to this post or email me. If you feel this post needs to be deleted, I don't care. You guys did not have a support contact email. Also your forums send users their passwords in cleartext in the activation email. Shame on you for that.

-g3k

[Rudi De Vos]

Update available for
Viewer Security Advisory (2269637)(w32/x64)

http://www.uvnc.com

[g3k]

I'm glad you guys took this seriously and you were able to come up with a solution to this problem in such short time.

If you need to get in touch with me, PM me here and I will give you my contact email. I will be deleting this account in a few days.

[grizzly]

Hi everyone,

I'm having a problem with this security update. After applying it (extracting to my UltraVNC folder) my VNC sessions are not encrypted anymore.

When using a fresh UlraVNC 1.0.8.2 installation with my rc4.key I can see the following connection info screen:



After applying the security update (extracting the new vncviewer.exe and vncviewer_64.exe) my VNC connections are not encrypted anymore. I get the following connection info screen:



I use MSRC4Plugin.dsm, server is running in listening mode. When a user connectes with the Single-Click program the connection is not encrypted anymore.
Without applying the security update VNC sessions are encrypted.

The Single-Click program remains unchanged during both sessions. The only thing that is different is the security update.

Anybody else who has this problem?
Do you know how to get encrypted sessions again?


Thank you very much for your help.

[Rudi De Vos]

The patch limit the search path for dll and key...

Are you using a .vnc to start the viewer.

WHere is the encryption dll/key installed.. path ?

[grizzly]

The patch limit the search path for dll and key...

Are you using a .vnc to start the viewer.

I start the server using

Code: Select all

"C:\Program Files\UltraVNC\vncviewer.exe" -dsmplugin msrc4plugin.dsm -listen 5500

I do not use a .vnc-file.

WHere is the encryption dll/key installed.. path ?

If the encryption dll is the MSRC4Plugin.dsm then its in C:\Program Files\UltraVNC\ as well as C:\Program Files\UltraVNC\Plugins. The rc4.key is in C:\Program Files\UltraVNC\.

[Rudi De Vos]

I need to verify this...with procmon utility.

If you have time, you can also check it yourself...

download procmon
http://technet.microsoft.com/en-us/sysi ... 96645.aspx

The createfile in procmon show all the paths used to search for the key.

The encryption plugin is found, else it wouldn't be shown in the viewer gui...but there seems to be a problem with the key location.

Possible placing the key in windows/system32 will work..

[grizzly]

If you have time, you can also check it yourself...
[...]
The createfile in procmon show all the paths used to search for the key.

The encryption plugin is found, else it wouldn't be shown in the viewer gui...but there seems to be a problem with the key location.

Procmon shows createfile entries with many directories including the one where rc4.key is located ("C:\Program Files\UltraVNC").

Possible placing the key in windows/system32 will work..

I tried that one too but the session is still not encrypted.

I will post the output of procmon a little later. Do you have any other suggestions in the meantime?

Thanks for your fast reply.

[Rudi De Vos]

It looks to me that your server isn't using encryption.

1) If you set encryption on the viewer, he can connect with a encrypted
(same key) and non encrypted server.
2) If the server has encryption, he can only connect with a viewer with the same key. A non encrypted viewer can't connect with an encrypted server.... this is part of the security.

The jpg show, that viewer has set encryption, but server isn't using it...

You can easy verify it on the viewer.
Select dsm plugin, click config... then he tell if the key is found or not.

Check if the server is realy encrypted.... you can always redownload the 108 viewer to check it with the old version.

[splintercode]

Please, someone can say me where is the code of the patch? in which module/code is the patch?

I am looking on the source code, but I cannot find any reference or other element that permit to identify the correction;

thank you.

[Rudi De Vos]

330 SetDllDirectory(""); <<<<<<<<<<<<<<<<<<<
331 m_hInstResDLL = LoadLibrary("vnclang.dll"); m_hInstResDLL = LoadLibrary("vnclang.dll");

one line of code to exclude path of .vnc

source was uploaded to svn on sourceforeforge

[grizzly]

Check if the server is realy encrypted.... you can always redownload the 108 viewer to check it with the old version.

Thats what I did. After extracting the two files from the patch the connection from the UltraVNC Single Click program is always unencrypted.
Without applying the patch on the server the connection is always encrypted.

Any idea?

[Rudi De Vos]

If you created SC with encryption plugin and key then only a viewer with encryption and the same key can connect.

If you can connect with an unencrypted viewer to an encrypted server there is a real security issue. This should never be possible.

Does the viewer fail to connect ?

-the server doesn't encrypt anything, and the old version didn't showed the message "not encrypted"
-the new viewer encrypt, but show wrong message

Can you test:
If you are using 108, without encryption (old viewer)
C:\Program Files\UltraVNC\vncviewer.exe" -listen 5500
Can the SC connect ?

Else you need to mail me the SC so i can veirfy if the data is realy encrypted.