Thursday, 20 September 2012

Blinded w/ VNC Viewer vulns.

Well, a few things to report here in the blackbl0gs. Firstly, I've spent the past few days looking into/writing exploits for these recent VNC viewer vulns in the RFB protocol. The first vulnerability affects Real VNC viewer <=4.1.2 (CVE-2008-4770). This vulnerability is triggered when incorrect information is passed to CMsgReader::readRect(), which can lead to an integer underflow in the allocation size. The remaining data in the packet following the allocation size is then copied into the buffer allocated on the stack, leading to an SEH overwrite. The second vulnerability, which we're currently looking into accurately exploiting, is a vulnerability in TightVNC <=1.3.9 (CVE-2009-0388). In this vulnerability malicious data can be passed to a Tvnc subfunction in which a null byte overwrite can be triggered via an integer over/underflow @ HeapPointer + ControllableValue. Lotsa fun other hacks going on in the priv8 arena.

ttfn, -xort
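As an added illustration from the defensive side, not code from the post or from either VNC project: a bounds-checked parser for an RFB FramebufferUpdate rectangle header, the kind of check that stops a hostile server from steering the client's allocation size through an integer under/overflow as described above. The 12-byte field layout is standard RFB; the function names, the framebuffer-size and bytes-per-pixel arguments and the sample headers are constructions for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Rectangle header of an RFB FramebufferUpdate message: four big-endian
 * u16 fields (x, y, w, h) followed by a signed 32-bit encoding type. */
typedef struct {
    uint16_t x, y, w, h;
    int32_t encoding;
} rfb_rect;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static int32_t be32(const uint8_t *p) {
    return (int32_t)(((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                     ((uint32_t)p[2] << 8) | p[3]);
}

/* Parse one rectangle header and return the pixel bytes the client must
 * allocate for it, or -1 if the header is invalid. fb_w/fb_h are the
 * framebuffer dimensions the client already knows from ServerInit; bpp is
 * bytes per pixel. All arithmetic is widened and bounded before it reaches
 * an allocator, so no wrap-around can produce a tiny or negative size. */
long rfb_rect_bytes(const uint8_t *buf, size_t len, uint16_t fb_w, uint16_t fb_h,
                    unsigned bpp, rfb_rect *out)
{
    if (len < 12 || out == NULL) return -1;          /* header is exactly 12 bytes */
    if (bpp != 1 && bpp != 2 && bpp != 4) return -1;  /* only legal pixel sizes */
    out->x = be16(buf);     out->y = be16(buf + 2);
    out->w = be16(buf + 4); out->h = be16(buf + 6);
    out->encoding = be32(buf + 8);
    if (out->w == 0 || out->h == 0) return -1;        /* empty rectangle */
    if ((uint32_t)out->x + out->w > fb_w) return -1;  /* outside framebuffer */
    if ((uint32_t)out->y + out->h > fb_h) return -1;
    uint64_t need = (uint64_t)out->w * out->h * bpp;  /* cannot overflow 64 bits */
    if (need > 0x7fffffffUL) return -1;              /* cap before any malloc() */
    return (long)need;
}

/* Convenience wrapper when the caller only needs the size decision. */
long rfb_rect_size_only(const uint8_t *buf, size_t len, uint16_t fb_w,
                        uint16_t fb_h, unsigned bpp) {
    rfb_rect r;
    return rfb_rect_bytes(buf, len, fb_w, fb_h, bpp, &r);
}

/* Constructed sample headers (not captured traffic): a sane 16x8 rectangle
 * at (0,0), and a 65535x65535 one that cannot fit a 1024x768 framebuffer. */
static const uint8_t sane_hdr[12] = {0,0, 0,0, 0,16, 0,8, 0,0,0,0};
static const uint8_t huge_hdr[12] = {0,0, 0,0, 0xff,0xff, 0xff,0xff, 0,0,0,0};

int main(void) {
    printf("sane: %ld bytes\n", rfb_rect_size_only(sane_hdr, 12, 1024, 768, 4));
    printf("huge: %ld (rejected)\n", rfb_rect_size_only(huge_hdr, 12, 1024, 768, 4));
    return 0;
}
```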
