VNC zlib Advisory draft 1

Andrew van der Stock ajv "at" greebo.net
Thu, 14 Mar 2002 02:14:08 +0000


Hi there,

We need to respond to the CERT multiple vendor zlib issue as a "vendor".
I've taken the liberty of preparing an advisory. It's probably better if
everyone who has a server or client and uses zlib to use the same
advisory. Trust me, as a security person I get about 40-80 of these a
day, and it's just easier if all the information is in the one place. 

If you maintain a version of VNC that includes zlib in the viewer or
server, please get back to me if you are affected, and what plans you
have to go to zlib version 1.1.4 or the fixed version of zlib from
Redhat.

Andrew

PS. The circumstances where this bug can be exploited are fairly low
likelihood.
--------------------------BEGIN INCLUDED TEXT--------------------


                          VNC Security Bulletin

                          Zlib double free issue
                              15 March 2002

        Security Bulletin Summary
        -------------------------

Topic:                  zlib double free may cause local exploit or crash

Vendor:                 Multiple vendors

Product:                TightVNC Xvnc, WinVNC
                        Tridia Xvnc, WinVNC
                        ChromiVNC
                        VNCThing
                        VNC Viewer for Java
                        VNC Viewer for Apple Newton

Operating System:       VNC is portable across multiple vendors, including
                        Linux, NetBSD, FreeBSD, Solaris, MacOS and all Win32
                        platforms

Impact:                 Potential root / LOCALSYSTEM compromise
                        Execute arbitrary code/commands

Access Required:        Local, requires existing password

Version:                The following programs link with or are statically
                        linked with zlib and should be upgraded:

                        TightVNC 1.2.2 (both Xvnc and WinVNC)
                        TridiaVNC 1.5.4
                        ChromiVNC v3.4 alpha 5 for MacOS (68k and PPC platforms)
                        VNCThing for MacOS X (and MacOS platforms with Carbon)
                        VNC Viewer for Java
                        VNC Viewer and Server for Apple Newton

                        XXX: others?

Unknown at this time:   Unix:     IBM AIX 4.3.3 and 5L, "Toolbox for Linux
                                  applications" (based upon AT&T?)

                        XXX: others?

Not vulnerable:         Unix:     AT&T VNC 3.3.3r2 (current version)
                        Windows:  AT&T WinVNC 3.3.3r9 for x86 (current version)
                                  WinVNC 3.3.3r1 for Alpha processors
                                  AT&T WINVNC 3.3.3r2 beta WinCE
                        Geos (Nokia 9000):  VNCGEO10
                        OS/2:     VNC Viewer for OS/2 PM 1.00
                        PalmOS:   PalmVNC 1.40
                        RiscOS:   !VNC (any version)
                        VMS:      AT&T VNC VNC333R1VMS011 package

                        XXX:      Others?

Fixed in:               None yet shipped
				

Abstract
========

There is a vulnerability in the decompression algorithm used by the
popular zlib compression library. If an attacker is able to pass a
specially-crafted block of invalid compressed data to a program that
includes zlib, the program's attempt to decompress the crafted data can
cause the zlib routines to corrupt the internal data structures
maintained by malloc.

Various VNC implementations use the affected versions of zlib. This
could lead to execution of arbitrary code with the privileges of the
user running the client program that uses zlib, which is generally the
local user on Unix (possibly including root), and the local user or
Administrator on WinNT/2000/XP, or to complete control of platforms
without a security architecture (MacOS, Win95 - WinME, WinCE, Newton,
etc.).

Technical Details
=================

CERT advisory:
http://online.securityfocus.com/advisories/3955


Solutions and Workarounds
=========================

Typically, Unix versions of affected VNC viewers use the zlib shared
library, libz.so. Upgrading the shared zlib library should remedy the
problem for most users of Unix platforms. However, the following
versions have been statically linked against zlib, and will require
upgrading when new versions are available:

TightVNC 1.2.2

A future version will be available shortly to correct this problem.

TridiaVNC 1.4.0

A future version will be available shortly to correct this problem.  

Java viewers and servers rely on the Java Runtime Environment (JRE) and
the client browser being free of the flaw. To correct Java problems,
please review the appropriate advisories for Java or your browser on
your platform.
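Because a statically linked copy of zlib is not fixed by upgrading libz.so, an administrator needs a way to find such binaries. As an added example that is not part of this advisory, the POSIX shell helper below locates them by the version strings zlib compiles into its inflate and deflate code ("inflate 1.1.3 Copyright ..." and "deflate 1.1.3 Copyright ..."), which survive in any program that embeds the library; the directory to scan is whatever the caller passes, and the threshold is the 1.1.4 release named above.

```shell
#!/bin/sh
# Added audit helper (not part of the advisory): find binaries carrying an
# embedded zlib older than 1.1.4. zlib compiles its version into the strings
# " inflate X.Y.Z Copyright ..." and " deflate X.Y.Z Copyright ...", so a
# statically linked copy keeps them even after the system libz is upgraded.

FIXED_ZLIB="1.1.4"   # first release with the double-free fix, per the advisory

# Print the zlib versions embedded in one file, one per line (empty if none).
# grep -a treats the binary as text; -o prints only the matching fragment.
embedded_zlib_versions() {
    grep -a -o -E '(inflate|deflate) [0-9]+\.[0-9]+\.[0-9]+ Copyright' "$1" 2>/dev/null \
        | awk '{print $2}' | sort -u
}

# Dotted version compare: returns 0 (true) when $1 is strictly older than $2.
version_older_than() {
    [ "$1" != "$2" ] && \
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# Returns 0 when FILE ($1) embeds a zlib older than FIXED_ZLIB, 1 otherwise.
has_vulnerable_zlib() {
    for v in $(embedded_zlib_versions "$1"); do
        if version_older_than "$v" "$FIXED_ZLIB"; then
            return 0
        fi
    done
    return 1
}

# Walk a directory tree and report files that need rebuilding against
# zlib >= 1.1.4 (e.g. scan_for_old_zlib /usr/local/bin).
scan_for_old_zlib() {
    find "$1" -type f 2>/dev/null | while read -r f; do
        if has_vulnerable_zlib "$f"; then
            printf '%s: embedded zlib %s (< %s)\n' \
                "$f" "$(embedded_zlib_versions "$f" | head -n1)" "$FIXED_ZLIB"
        fi
    done
}
```

A dynamically linked viewer shows no embedded string of its own, so this check complements, rather than replaces, checking the installed libz.so version.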

Thanks To
=========


Sites with VNC affected clients and servers
===========================================

Newton:

http://mywebpages.comcast.net/saweyer/newton/vnc.htm



Vendor responses
================



Revision History
================

	2002-03-15	Initial release


More Information
================

An up-to-date PGP signed copy of this release will be maintained at

XXX: To be advised.

Copyright 2002, Andrew van der Stock et al.  All Rights Reserved.