GNOME Bugzilla – Bug 641811
vino-server Denial of Service bug
Last modified: 2013-09-16 19:23:58 UTC
Created attachment 180371 [details]
pcap file, original binary and a screen shot

Summary
=======
Program: vino-server (vino 2.32.1 and 2.26.1)
Type: Denial of Service
Impact: Low

Authors
=======
The Bitblaze group at UC Berkeley.
http://bitblaze.cs.berkeley.edu/

Description
===========
The vino_server_client_data_pending function in vino-server.c in vino-server of Vino 2.26.1 and 2.32.1 (the latest release) allows remote attackers to trigger a Denial of Service through an infinite loop.

Platforms affected
==================
The bug has been tested on an Ubuntu 9.04 platform using both Vino 2.26.1 and Vino 2.32.1, the latter one being the latest version of the program. Other versions between these two releases could similarly be affected.

Vulnerable function
===================
In process: vino-server
Function backtrace stack (in vino 2.26.1):
+ Trace 225888
Impact
======
Impact: Low

Reproducible
============
Yes, the bug is reproducible, and the pcap file is attached.

Vulnerability description
=========================
This vulnerability is triggered when the user is required to enter a password. The server closes the client connection on receiving an unexpected input sequence from the client. The unprocessed client data remains in the buffer; the server does not remove it from the buffer since the client connection has been closed. The result is an infinite loop at the do-while (more_data_pending (rfb_client->sock)) in vino-server.c:415.

The gdm and vino-server processes together take up 100% CPU, causing a denial of service (see screenshot). In our tests, the DoS is triggered when the same input sequence is replayed twice (see pcap).

vino-server.c:415 (vino 2.26.1):

    407:vino_server_client_data_pending (GIOChannel *source,
    408:                                 GIOCondition condition,
    409:                                 rfbClientPtr rfb_client)
    410:{
    411:  if (rfb_client->onHold)
    412:    return TRUE;
    414:  do {
    415:    rfbProcessClientMessage (rfb_client);
    416:  } while (more_data_pending (rfb_client->sock));

The original 2.26.1 binary, pcap and screenshot are attached with this email.
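To make the failure mode in the report concrete, here is a constructed C model (added here, not vino's own code): a client whose buffer still holds unread bytes after the server has dropped it, the do-while shape quoted above, and a variant that leaves the loop once the client is closed. The names client_t, process_client_message, make_client and SPIN_CAP are assumptions of this model, not identifiers from vino.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed model of the loop in the report: a client whose socket still
 * holds unread bytes after the server has dropped the connection. */
typedef struct {
    char   buf[32];
    size_t len, pos;   /* bytes queued / bytes consumed */
    bool   closed;     /* set when the server drops the client */
} client_t;
/* Stand-in for more_data_pending(): true while unread bytes remain. */
static bool more_data_pending(const client_t *c) { return c->pos < c->len; }

/* Stand-in for rfbProcessClientMessage(): 'A' is consumed as a valid message;
 * any other byte closes the client and leaves the rest of the buffer unread. */
static void process_client_message(client_t *c) {
    if (c->closed) return;                    /* a closed client reads nothing */
    if (c->buf[c->pos] == 'A') { c->pos++; return; }
    c->closed = true;
}

#define SPIN_CAP 1000   /* cap so the demo terminates; reaching it means a hang */
/* Vulnerable shape of vino_server_client_data_pending(): keeps looping while
 * bytes are pending, although a closed client never consumes them. */
int data_pending_vulnerable(client_t *c) {
    int iters = 0;
    do {
        process_client_message(c);
        if (++iters >= SPIN_CAP) break;
    } while (more_data_pending(c));
    return iters;
}

/* Hardened shape: leave the loop once the client is closed, so leftover
 * bytes can no longer keep it alive. */
int data_pending_fixed(client_t *c) {
    int iters = 0;
    do {
        process_client_message(c);
        ++iters;
    } while (!c->closed && more_data_pending(c));
    return iters;
}

/* Constructed sample: two valid messages, then an unexpected byte and junk. */
static client_t make_client(void) {
    client_t c = {0}; memcpy(c.buf, "AAXYZ", 5); c.len = 5; return c;
}
int run_vulnerable(void) { client_t c = make_client(); return data_pending_vulnerable(&c); }
int run_fixed(void)      { client_t c = make_client(); return data_pending_fixed(&c); }
```

With the sample input the vulnerable loop runs until the cap (a hang in the real server), while the hardened loop stops after the third message, the one that closed the client.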
*** Bug 616434 has been marked as a duplicate of this bug. ***
*** Bug 707905 has been marked as a duplicate of this bug. ***
*** Bug 693608 has been marked as a duplicate of this bug. ***
I pushed the fix from bug 707905 to gnome-3-8 and master as commit 51435d3f946d6d2b99b876b7919b9d41022fc408 and commit 860337231eaccfeed4f857afd0579546a260c23f, respectively.
According to Robert Foggia of TrustWave/SpiderLabs a CVE has been assigned and it is CVE-2013-5745.