Patches for TightVNC and/or VNC (fwd)

Ivan Popov pin "at" math.chalmers.se
Thu, 21 Mar 2002 15:16:33 +0000


It looks like my cc: did not make it to the list... I believe it
belongs here, too. Sorry for double traffic for those on both lists... :(

--
Ivan

---------- Forwarded message ----------
Date: Wed, 20 Mar 2002 14:38:01 +0100 (MET)
From: Ivan Popov <pin "at" cs.chalmers.se>
To: vnc-tight-list "at" lists.sourceforge.net
Cc: vnc-list "at" uk.research.att.com, Constantin Kaplinsky <const "at" ce.cctpu.edu.ru>
Subject: Patches for TightVNC and/or VNC

I wrote some time ago:

> >Unfortunately Constantin has no access to Sparc hardware and cannot verify
> >my patch or his own fix either, that may cause some extra delay.

Looking at TightVNC Unix Changelog at www.tightvnc.com, I don't see any
changes since November 2001. I see also that most of the traffic on
vnc-tight-list concerns Windows (looking at the archives, I am not on the
list).

It gives the impression that Constantin - surely for good reasons - has
abandoned development of the Unix version (Constantin, correct me if I'm
wrong).

For those using vnc on distributed filesystems I have to warn that the
default configuration of the tools is essentially insecure, in some real
scenarios opening access to your session to the whole world.
Exploitation in such cases is trivial even for script-kiddies.

It is not a problem with the protocol or the implementation, it is just
wrong defaults (assuming a local home filesystem) built into the software
that are so dangerous.

I hope Constantin will either find resources to fix the Unix version, or
delegate that part of the project to another volunteer (well, maybe not
easy to find, I would not volunteer myself!).

I do not think independent patches flying around are a good solution for
the project. But anyway -

as my patches are not much longer than the letter itself, I include them
here. Please accept my apologies for "spamming" if you have no use for
them. For somebody deciding to merge these patches into a mainstream
source, I can explain the hidden problems the changes solve.

Some non-Intel architectures workaround patch:
===============================================================================
*** Xvnc/programs/Xserver/hw/vnc/rfbserver.c.ori	Fri Nov 30 22:39:13 2001
--- Xvnc/programs/Xserver/hw/vnc/rfbserver.c	Sat Dec  1 00:07:27 2001
***************
*** 1164,1169 ****
--- 1164,1173 ----
      cl->rfbBytesSent[rfbEncodingRaw]
  	+= sz_rfbFramebufferUpdateRectHeader + bytesPerLine * h;

+ /*FIXME (pin) - this is a workaround for bad alignment in translation functions*/
+ /*        where char* is casted to and used as int* - breaks on Sun Sparc*/
+     rfbSendUpdateBuf(cl);
+ /*FIXME end*/
      nlines = (UPDATE_BUF_SIZE - ublen) / bytesPerLine;

      while (TRUE) {
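Review bot: the result of the added `rfbSendUpdateBuf(cl);` call is discarded, so if the flush fails the function carries on filling the buffer as though the client were still writable; check it, e.g. `if (!rfbSendUpdateBuf(cl)) return FALSE;`. Beyond that, this forces an extra buffer flush for every raw rectangle on every platform to mask an unaligned `int*` access that the comment itself locates in the translation functions; the proper fix belongs there (copy through `memcpy` or an aligned temporary), and until then the workaround should at least be confined to the affected builds, and the FIXME should name the functions concerned so a later maintainer knows when it can be removed.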
===============================================================================

Security-related changes:
===============================================================================
*** vncpasswd/vncpasswd.c.ori	Fri Nov 30 15:20:31 2001
--- vncpasswd/vncpasswd.c	Fri Nov 30 15:53:07 2001
***************
*** 42,63 ****
    char *home_env;
    char *passwd;
    char *passwd1;
-   char passwdDir[256];
    char passwdFile[256];
    int i;

    if (argc == 1) {
!     home_env = getenv("HOME");
!     if (home_env == NULL) {
!       fprintf(stderr,"Error: no HOME environment variable\n");
        exit(1);
      }
!     if (strlen(home_env) > 240) {
!       fprintf(stderr,"Error: HOME environment variable string too long\n");
!       exit(1);
!     }
!     sprintf(passwdDir, "%s/.vnc", home_env);
!     sprintf(passwdFile, "%s/passwd", passwdDir);

    } else if (argc == 2) {
      strcpy(passwdFile,argv[1]);
--- 42,70 ----
    char *home_env;
    char *passwd;
    char *passwd1;
    char passwdFile[256];
    int i;
+   struct stat stbuf;

    if (argc == 1) {
!       if (getenv("USER") == NULL) {
!           fprintf(stderr,"Error: no USER environment variable\n");
        exit(1);
      }
! /* sanity check so that we do not write password into a hazardous place */
!       sprintf(passwdFile,"/tmp/%s-local",getenv("USER"));
!       if( lstat( passwdFile, &stbuf ) != 0 ){
!           fprintf(stderr,"Error: no vnc directory %s\n", passwdFile);
!           exit(1);
!       }
!       if( stbuf.st_uid != getuid()
!        || !S_ISDIR(stbuf.st_mode)
!        || ((S_IRWXG|S_IRWXO) & stbuf.st_mode) ){
!           fprintf(stderr,"Error: bad access modes on %s\n", passwdFile);
!           exit(1);
!       }
! /* sanity check passed ok */
!       sprintf(passwdFile,"/tmp/%s-local/passwd",getenv("USER"));

    } else if (argc == 2) {
      strcpy(passwdFile,argv[1]);
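Review bot: the new `sprintf(passwdFile,"/tmp/%s-local",getenv("USER"))` (and the second one that appends `/passwd`) writes into the 256-byte `passwdFile` with no length check, whereas the code it replaces refused a `HOME` longer than 240 bytes; an overlong `USER` value now overruns the buffer. Use `snprintf(passwdFile, sizeof passwdFile, ...)` and exit if the result is truncated; the unchanged `strcpy(passwdFile,argv[1])` in the `argc == 2` branch deserves the same bound. The `lstat`/`st_uid`/`S_ISDIR`/mode test is the right shape for a directory under /tmp (a symlink fails `S_ISDIR`, a directory pre-created by another user fails the owner check), but the name comes from `getenv("USER")` while ownership is compared against `getuid()`: when the two disagree (after `su`, for instance) the user sees "bad access modes" with no hint why; taking the name from `getpwuid(getuid())` avoids that. The "no vnc directory" message should also say that `vncserver` creates the directory, since this hunk removes the code that used to create it here.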
***************
*** 88,106 ****
      }

      if (strcmp(passwd1, passwd) == 0) {
-       if (mkdir (passwdDir, (S_IRWXU | S_IRGRP | S_IXGRP |
- 			     S_IROTH | S_IXOTH)) == -1 &&
- 	  errno != EEXIST) {
- 	perror ("~/.vnc");
- 	exit (1);
-       }
        if (vncEncryptAndStorePasswd(passwd, passwdFile) != 0) {
  	fprintf(stderr,"Cannot write password file %s\n",passwdFile);
  	exit(1);
        }
        for (i = 0; i < strlen(passwd); i++)
  	passwd[i] = passwd1[i] = '\0';
!       return;
      }

      fprintf(stderr,"They don't match. Try again.\n\n");
--- 95,107 ----
      }

      if (strcmp(passwd1, passwd) == 0) {
        if (vncEncryptAndStorePasswd(passwd, passwdFile) != 0) {
  	fprintf(stderr,"Cannot write password file %s\n",passwdFile);
  	exit(1);
        }
        for (i = 0; i < strlen(passwd); i++)
  	passwd[i] = passwd1[i] = '\0';
!       return 0;
      }

      fprintf(stderr,"They don't match. Try again.\n\n");
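Review bot: the scrubbing loop kept as context here, `for (i = 0; i < strlen(passwd); i++) passwd[i] = passwd1[i] = '\0';`, re-evaluates `strlen(passwd)` after the first iteration has already stored `passwd[0] = '\0'`, so it stops after clearing one byte of each buffer and the rest of both plaintext passwords stay in memory; since this hunk is reworking the block anyway, take the length once before the loop (`size_t n = strlen(passwd);`) or `memset` both buffers. Removing the `mkdir` is consistent with the new rule that the directory must already exist with checked ownership and modes, and `return 0;` fixes the bare `return;` in what is presumably `main`; both are fine.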
===============================================================================
*** vncserver.ori	Fri Nov 30 11:25:57 2001
--- vncserver	Fri Nov 30 15:58:16 2001
***************
*** 35,48 ****
  $geometry = "1024x768";
  $depth = 8;
  $desktopName = "X";
  $vncClasses = "/usr/local/vnc/classes";
! $vncUserDir = "$ENV{HOME}/.vnc";
! unless ($xauthorityFile = "$ENV{XAUTHORITY}") {
!   $xauthorityFile = "$ENV{HOME}/.Xauthority";
! }
!
  $defaultXStartup
      = ("#!/bin/sh\n\n".
         "xrdb \$HOME/.Xresources\n".
         "xsetroot -solid grey\n".
         "xterm -geometry 80x24+10+10 -ls -title \"\$VNCDESKTOP Desktop\" &\n".
--- 35,59 ----
  $geometry = "1024x768";
  $depth = 8;
  $desktopName = "X";
  $vncClasses = "/usr/local/vnc/classes";
! $vncUserDir = "/tmp/$ENV{USER}-local";
! #unless ($xauthorityFile = "$ENV{XAUTHORITY}") {
! #  $xauthorityFile = "$ENV{HOME}/.Xauthority";
! #}
! $xauthorityFile = "$vncUserDir/.Xauthority";
!
! #$defaultXStartup
! #    = ("#!/bin/sh\n\n".
! #       "xrdb \$HOME/.Xresources\n".
! #       "xsetroot -solid grey\n".
! #       "xterm -geometry 80x24+10+10 -ls -title \"\$VNCDESKTOP Desktop\" &\n".
! #       "twm &\n");
  $defaultXStartup
      = ("#!/bin/sh\n\n".
+        "XAUTHORITY=$xauthorityFile; export XAUTHORITY\n".
+        "if [ -x \$HOME/.vncxsession ]; then\n".
+        "  exec \$HOME/.vncxsession\n".
+        "fi\n".
         "xrdb \$HOME/.Xresources\n".
         "xsetroot -solid grey\n".
         "xterm -geometry 80x24+10+10 -ls -title \"\$VNCDESKTOP Desktop\" &\n".
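Review bot: `$vncUserDir = "/tmp/$ENV{USER}-local"` has no fallback when `USER` is unset, in which case every such user ends up with the same `/tmp/-local` and the later ownership check fails for all but the first of them; die with a clear message if `$ENV{USER}` is undefined, or take the name from `getpwuid($<)` instead of the environment. The commented-out `$xauthorityFile` and `$defaultXStartup` blocks should be deleted rather than left as dead code. The new `~/.vncxsession` hook (`exec`'d when executable) is a user-visible behaviour change that needs a line in the documentation, as does the fact that `XAUTHORITY` now points into `$vncUserDir` rather than `$HOME`.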
***************
*** 85,94 ****
  # Create the user's vnc directory if necessary.

  if (!(-e $vncUserDir)) {
!     if (!mkdir($vncUserDir,0755)) {
  	die "$prog: Could not create $vncUserDir.\n";
      }
  }

  # Make sure the user has a password.

--- 96,111 ----
  # Create the user's vnc directory if necessary.

  if (!(-e $vncUserDir)) {
!     if (!mkdir($vncUserDir,0700)) {
  	die "$prog: Could not create $vncUserDir.\n";
      }
  }
+ if (!(($d,$i,$m)=lstat($vncUserDir)) ||
+     !-d _ ||
+     !-o _ ||
+     (($m&0777) != 0700)) {
+     die "$prog: Wrong type or access modes: $vncUserDir.\n";
+ }

  # Make sure the user has a password.

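Review bot: the guard `if (!(-e $vncUserDir))` stats through symlinks, so a dangling symlink planted at `$vncUserDir` makes `-e` false, `mkdir` then fails with EEXIST and the script dies with "Could not create", a message that hides exactly the condition the new `lstat` check was written to catch; test with `-l` as well (or run the `lstat` check before deciding whether to `mkdir`) and make the message say that the path already exists. In the new check itself `$d` and `$i` are assigned but never used (`my ($mode) = (lstat($vncUserDir))[2];` is clearer), and the `die` text should tell the user how to recover (remove `$vncUserDir` or fix its ownership and modes), since a stale or foreign directory in `/tmp` is the expected way this check fails.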
===============================================================================

Best regards,
--
Ivan