TightVNC Server Predictable Authentication Cookie Vulnerability

Release date: 2002-11-15
Updated: 2003-03-03

Affected systems:
AT&T VNC 3.3.6
AT&T VNC 3.3.5
AT&T VNC 3.3.4
AT&T VNC 3.3.3R2
TightVNC TightVNC 1.2.5
TightVNC TightVNC 1.2.4
TightVNC TightVNC 1.2.3
TightVNC TightVNC 1.2.1
TightVNC TightVNC 1.2.0
AT&T VNC 3.3.3
    - Apple MacOS 9.0
    - BSDI BSD/OS 4.0
    - Conectiva Linux graficas
    - Conectiva Linux ecommerce
    - Conectiva Linux 6.0
    - Debian Linux 2.2
    - FreeBSD 4.2
    - HP HP-UX 11.11
    - Mandrake Linux 7.2
    - Microsoft Windows NT 4.0
    - Microsoft Windows 98 SE
    - Microsoft Windows 2000
    - OpenBSD 2.8
    - OpenBSD 2.0
    - RedHat Linux 7.0
    - Sun Solaris 8.0
    - Sun Solaris 7.0
    - SuSE Linux 7.0
Unaffected systems:
TightVNC TightVNC 1.2.7
TightVNC TightVNC 1.2.6
Description:
BUGTRAQ ID: 6905
CVE(CAN) ID: CVE-2002-1511

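TightVNC is VNC (Virtual Network Computing) software distributed and maintained by Constantin Kaplinsky. It provides remote graphical access and runs on Microsoft Windows and various Unix-like operating systems.

TightVNC generates the random X server authentication cookie in a weak way. A remote attacker can exploit this to guess the authentication cookie and gain unauthorized access to the X server.

When the VNC server acts as an X server, the script that starts it generates the MIT X cookie (used for X authentication) without using a strong random number generator, so an attacker can easily guess the authentication cookie.

VNC DES authentication is implemented as a challenge-response scheme that produces a random, different challenge for each authentication attempt. However, because of a design error in one function, the random challenge is generated using the current time of each authentication attempt as the random seed, so two authentication attempts made within the same second can receive the same challenge. Through network sniffing and guessing, an unauthorized user can gain access to the VNC server.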
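The challenge weakness described above, shown beside a hardened form. This is an added example, not code from TightVNC or AT&T VNC: the function names, the use of `srand`/`rand`, the 16-byte challenge length (the size used by RFB VNC authentication) and the timestamp are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define CHALLENGE_LEN 16 /* assumed: RFB VNC authentication challenge size */

/* Weak pattern from the description: the PRNG is reseeded from the wall
 * clock on every attempt. `now` is a parameter so the effect is reproducible. */
static void weak_challenge(time_t now, unsigned char out[CHALLENGE_LEN]) {
    srand((unsigned int)now);
    for (int i = 0; i < CHALLENGE_LEN; i++)
        out[i] = (unsigned char)(rand() & 0xff);
}

/* Hardened form: read the challenge from the kernel CSPRNG and fail closed
 * (return -1) if the full length cannot be read. */
static int strong_challenge(unsigned char out[CHALLENGE_LEN]) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t n = fread(out, 1, CHALLENGE_LEN, f);
    fclose(f);
    return n == CHALLENGE_LEN ? 0 : -1;
}

/* 1 if two attempts stamped with the same second get the same weak challenge. */
static int weak_repeats_within_second(time_t now) {
    unsigned char a[CHALLENGE_LEN], b[CHALLENGE_LEN];
    weak_challenge(now, a);
    weak_challenge(now, b);
    return memcmp(a, b, CHALLENGE_LEN) == 0;
}

/* 1 if two CSPRNG challenges differ, 0 if equal, -1 if the source failed. */
static int strong_is_fresh(void) {
    unsigned char a[CHALLENGE_LEN], b[CHALLENGE_LEN];
    if (strong_challenge(a) != 0 || strong_challenge(b) != 0)
        return -1;
    return memcmp(a, b, CHALLENGE_LEN) != 0;
}

int main(void) {
    time_t t = 1037318400; /* constructed timestamp, not from the advisory */
    printf("weak challenge repeats within one second: %d\n",
           weak_repeats_within_second(t));
    printf("CSPRNG challenges differ: %d\n", strong_is_fresh());
    return 0;
}
```

A repeated challenge means a previously observed response stays valid for it, which is why the Red Hat advisory title refers to a replay vulnerability.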

<*Source: TightVNC (http://prdownloads.sourceforge.net/vnc-tight)
  
  Links: http://www.linux-mandrake.com/en/security/2003/2003-022.php
         https://www.redhat.com/support/errata/RHSA-2003-041.html
*>

Recommendation:
Vendor patches:

MandrakeSoft
------------
MandrakeSoft has released a security advisory (MDKSA-2003:022) and corresponding patches for this issue:
MDKSA-2003:022:Updated vnc packages fix cookie vulnerability
Link: http://www.linux-mandrake.com/en/security/2003/2003-022.php

Patch download:

Updated Packages:

Linux-Mandrake 7.2:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/7.2/RPMS/vnc-3.3.3-8.4mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/7.2/RPMS/vnc-SVGALIB-3.3.3-8.4mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/7.2/RPMS/vnc-doc-3.3.3-8.4mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/7.2/RPMS/vnc-java-3.3.3-8.4mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/7.2/RPMS/vnc-server-3.3.3-8.4mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/7.2/SRPMS/vnc-3.3.3-8.4mdk.src.rpm

Mandrake Linux 8.0:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.0/RPMS/vnc-3.3.3r2-9.3mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.0/RPMS/vnc-doc-3.3.3r2-9.3mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.0/RPMS/vnc-server-3.3.3r2-9.3mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.0/SRPMS/vnc-3.3.3r2-9.3mdk.src.rpm

Mandrake Linux 8.0/PPC:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.0/RPMS/vnc-3.3.3r2-9.3mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.0/RPMS/vnc-doc-3.3.3r2-9.3mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.0/RPMS/vnc-server-3.3.3r2-9.3mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.0/SRPMS/vnc-3.3.3r2-9.3mdk.src.rpm

Mandrake Linux 8.1:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.1/RPMS/vnc-3.3.3r2-9.3mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.1/RPMS/vnc-doc-3.3.3r2-9.3mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.1/RPMS/vnc-server-3.3.3r2-9.3mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.1/SRPMS/vnc-3.3.3r2-9.3mdk.src.rpm

Mandrake Linux 8.2:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/RPMS/vnc-3.3.3r2-9.3mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/RPMS/vnc-doc-3.3.3r2-9.3mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/RPMS/vnc-server-3.3.3r2-9.3mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/SRPMS/vnc-3.3.3r2-9.3mdk.src.rpm

Mandrake Linux 8.2/PPC:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/RPMS/vnc-3.3.3r2-9.3mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/RPMS/vnc-doc-3.3.3r2-9.3mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/RPMS/vnc-server-3.3.3r2-9.3mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/SRPMS/vnc-3.3.3r2-9.3mdk.src.rpm

Mandrake Linux 9.0:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.0/RPMS/tightvnc-1.2.5-2.3mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.0/RPMS/tightvnc-doc-1.2.5-2.3mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.0/RPMS/tightvnc-server-1.2.5-2.3mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.0/SRPMS/tightvnc-1.2.5-2.3mdk.src.rpm

The updated packages above can also be downloaded from any of the mirror FTP servers listed at:
http://www.mandrakesecure.net/en/ftp.php

RedHat
------
RedHat has released a security advisory (RHSA-2003:041-12) and corresponding patches for this issue:
RHSA-2003:041-12:Updated VNC packages fix replay and cookie vulnerabilities
Link: https://www.redhat.com/support/errata/RHSA-2003-041.html

Patch download:

Red Hat Linux 7.0:

SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/vnc-3.3.3r2-18.6.src.rpm

i386:
ftp://updates.redhat.com/7.0/en/os/i386/vnc-3.3.3r2-18.6.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/vnc-server-3.3.3r2-18.6.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/vnc-doc-3.3.3r2-18.6.i386.rpm

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/vnc-3.3.3r2-18.6.src.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/vnc-3.3.3r2-18.6.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/vnc-server-3.3.3r2-18.6.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/vnc-doc-3.3.3r2-18.6.i386.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/vnc-3.3.3r2-18.6.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/vnc-3.3.3r2-18.6.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/vnc-server-3.3.3r2-18.6.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/vnc-doc-3.3.3r2-18.6.i386.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/vnc-3.3.3r2-28.2.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/vnc-3.3.3r2-28.2.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/vnc-server-3.3.3r2-28.2.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/vnc-doc-3.3.3r2-28.2.i386.rpm

Red Hat Linux 8.0:

SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/vnc-3.3.3r2-39.2.src.rpm

i386:
ftp://updates.redhat.com/8.0/en/os/i386/vnc-3.3.3r2-39.2.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/vnc-server-3.3.3r2-39.2.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/vnc-doc-3.3.3r2-39.2.i386.rpm

The patches can be installed with the following command:

rpm -Fvh [filename]

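This vulnerability entry was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.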