Bug 641811 - vino-server Denial of Service bug
Status: RESOLVED FIXED
Product: vino
Classification: Applications
Component: Server
Version: 2.32.x
OS: Other Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: Vino Maintainer(s)
QA Contact: Vino Maintainer(s)
Duplicates: 616434 693608 707905
Depends on:
Blocks:
Reported: 2011-02-08 07:54 UTC by Kevin
Modified: 2013-09-16 19:23 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
pcap file, original binary and a screen shot (506.08 KB, application/x-gzip), 2011-02-08 07:54 UTC, Kevin

Description Kevin 2011-02-08 07:54:57 UTC
Created attachment 180371 [details]
pcap file, original binary and a screen shot

Summary
=======
Program: vino-server (vino 2.32.1 and 2.26.1)
Type: Denial of Service
Impact: Low

Authors
=======
The Bitblaze group at UC Berkeley.
http://bitblaze.cs.berkeley.edu/


Description
===========
The vino_server_client_data_pending function in vino-server.c in vino-server of Vino 2.26.1 and
2.32.1 (the latest release) allows remote attackers to trigger a
Denial of Service through an infinite loop.


Platforms affected
==================
The bug has been tested on an Ubuntu 9.04 platform using both Vino 2.26.1 and
Vino 2.32.1; the latter is the latest version of the program. Other
versions between these two releases could similarly be affected.

Vulnerable function
===================
In process: vino-server
Function backtrace stack (in vino 2.26.1):

  #0  __kernel_vsyscall
  #1  __xstat64 from /lib/tls/i686/cmov/libc.so.6
  #2  ?? from /lib/tls/i686/cmov/libc.so.6
  #3  ?? from /lib/tls/i686/cmov/libc.so.6
  #4  ?? from /lib/tls/i686/cmov/libc.so.6
  #5  localtime from /lib/tls/i686/cmov/libc.so.6
  #6  rfbDefaultLog at main.c line 67
  #7  rfbProcessClientMessage at rfbserver.c line 390
  #8  vino_server_client_data_pending at vino-server.c line 415
  #9  ?? from /usr/lib/libglib-2.0.so.0
  #10 g_main_context_dispatch from /usr/lib/libglib-2.0.so.0
  #11 ?? from /usr/lib/libglib-2.0.so.0
  #12 g_main_loop_run from /usr/lib/libglib-2.0.so.0
  #13 gtk_main from /usr/lib/libgtk-x11-2.0.so.0
  #14 main at vino-main.c line 110


Impact
======
Impact: Low

Reproducible
============
Yes, the bug is reproducible, and the pcap file is attached.


Vulnerability description
=========================

This vulnerability is triggered when the user is required to enter a password.
The server closes the client connection on receiving an unexpected input sequence from the client.

The unprocessed client data remains in the buffer; the server does not remove it from the buffer since the client connection has been closed.
The result is an infinite loop at the do-while (more_data_pending (rfb_client->sock)) in vino-server.c:415.
The gdm and vino-server processes together take up 100% CPU, causing a denial of service (see screenshot).
In our tests, the DoS is triggered when the same input sequence is replayed twice (see pcap).

vino-server.c:415 (vino 2.26.1):
407:vino_server_client_data_pending (GIOChannel   *source,
408:                             GIOCondition  condition,
409:                             rfbClientPtr  rfb_client)
410:{
411:  if (rfb_client->onHold)
412:    return TRUE;
414:  do {
415:    rfbProcessClientMessage (rfb_client);
416:  } while (more_data_pending (rfb_client->sock));

The original 2.26.1 binary, pcap and screenshot are attached with this email.
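The loop shape at vino-server.c:415 and the failure mode this report describes, modelled in C as an added example (constructed here; not vino's code and not the maintainers' fix): once the server has closed a client, unread bytes remain pending, so a loop that only asks whether data is pending never exits, while a loop that also checks the client's closed state terminates. The client_t struct, process_client_message, run_loop and the 0xff "unexpected message" marker are assumptions of the model.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed model of a vino client; not vino's own struct. */
typedef struct {
    unsigned char buf[64];
    size_t pending;   /* bytes received but not yet consumed */
    bool closed;      /* set when the server drops the connection */
} client_t;

/* Like more_data_pending(sock): still reports unread bytes after the server
 * has closed the client, because nothing drained them. */
static bool more_data_pending(const client_t *c) { return c->pending > 0; }

/* Like rfbProcessClientMessage in the failure case above: a valid message
 * consumes one byte; an unexpected one (0xff, an assumed marker) closes the
 * client without draining the buffer. */
static void process_client_message(client_t *c) {
    if (c->closed) return;          /* a closed client is never read again */
    if (c->buf[0] == 0xff) { c->closed = true; return; }
    memmove(c->buf, c->buf + 1, --c->pending);
}

/* Vulnerable loop shape from vino-server.c:415. Returns the iteration
 * count; `cap` exists only to make the spin observable. */
static int client_data_pending_vulnerable(client_t *c, int cap) {
    int iters = 0;
    do {
        iters++;
        process_client_message(c);
    } while (iters < cap && more_data_pending(c));
    return iters;
}

/* Hardened loop: stop as soon as the client is closed, so stale bytes on a
 * dead connection cannot keep the event handler spinning. */
static int client_data_pending_fixed(client_t *c, int cap) {
    int iters = 0;
    do {
        iters++;
        process_client_message(c);
        if (c->closed) break;
    } while (iters < cap && more_data_pending(c));
    return iters;
}

/* Drive one loop over constructed input: 0x01, unexpected 0xff, trailing 0x02. */
static int run_loop(int (*loop)(client_t *, int), int cap) {
    client_t c = { {0x01, 0xff, 0x02}, 3, false };
    return loop(&c, cap);
}
```

The vulnerable loop runs until the cap because the trailing bytes stay pending on the closed client; the hardened loop returns after the second message.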
Comment 1 David King 2011-03-14 19:31:08 UTC
*** Bug 616434 has been marked as a duplicate of this bug. ***
Comment 2 David King 2013-09-12 09:34:37 UTC
*** Bug 707905 has been marked as a duplicate of this bug. ***
Comment 3 David King 2013-09-12 09:34:58 UTC
*** Bug 693608 has been marked as a duplicate of this bug. ***
Comment 4 David King 2013-09-12 09:37:13 UTC
I pushed the fix from bug 707905 to gnome-3-8 and master as commit 51435d3f946d6d2b99b876b7919b9d41022fc408 and commit 860337231eaccfeed4f857afd0579546a260c23f, respectively.
Comment 5 David King 2013-09-16 19:23:58 UTC
According to Robert Foggia of TrustWave/SpiderLabs a CVE has been assigned and it is CVE-2013-5745.