Adrian Umpleby wrote:
>> The next version of VNCThing (2.3) will be linked with zlib 1.1.4: should be
>> available fairly soon.
>
> Thanks for the info!
>
> (Does that mean v2.2 is potentially vulnerable?)
I doubt it - the bug involves pretty specific circumstances (and depends on
the exact be
On Thu, Mar 14, 2002, Jonathan Morton wrote:
>
>
> A rogue server could ask for a password, send a challenge, and then
> ignore the response and just let you in, and then set up the exploit
> on the viewer.
That is an excellent point. Another way a client would be particularly
vulnerable is
>Sure it's possible to authenticate against a nasty server if they have
>discovered your password.
A rogue server could ask for a password, send a challenge, and then
ignore the response and just let you in, and then set up the exploit
on the viewer. It wouldn't even need to send you through t
Thanks, Andrew - I will do a warning post on the Tier 6 info during the next
few days, since the package I have up includes that.
- Original Message -
From: "Andrew van der Stock" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, 2002-03-14 07:57
Subject:
PS. In the ActiveX control:
100321D0: 17 52 6B 06 23 4E 58 07 43 6F 75 6C 64 20 6E 6F .Rk.#NX.Could no
100321E0: 74 20 66 69 6E 64 20 6F 72 20 69 6E 69 74 69 61 t find or initia
100321F0: 6C 69 7A 65 20 63 6F 6D 70 61 74 69 62 6C 65 20 lize compatible
10032200: 7A 6C 69 62 20 70 6C 75 67 69 6
Alex,
Alex K. Angelopoulos [[EMAIL PROTECTED]] wrote:
> Is there a way I can tell externally whether a VNC implementation
> allows ZLib compression?
If you have Visual Studio, use dumpbin.exe to find out (works on DLLs
and OCXs just fine):
C:\home\ajv\My Projects\vnc_winsrc\winvnc\Debug>dumpbin
I thought it better to ask this question and appear stupid than to not ask
it and actually *remain* stupid.
Is there a way I can tell externally whether a VNC implementation allows
ZLib compression?
The reason I ask is the VNC ActiveX tool I use does not indicate what
compression method it uses,
ld get off my huge arse and finish that. :-) SECSH also solves it,
but it's still being ratified.
Andrew
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Jonathan Morton
Sent: Friday, 15 March 2002 12:03 AM
To: [EMAIL PROTECTED]
Subject: RE: VNC
>The prerequisites required to allow this exploit are:
...or a rogue server that is imitating a known server. Man in the
middle attack is therefore possible.
--
--
from: Jonathan "Chromatix" Morton
mail: [EMAIL PROTECTED] (n
e-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Jonathan Morton
Sent: Thursday, 14 March 2002 9:51 PM
To: [EMAIL PROTECTED]
Subject: RE: VNC zlib Advisory draft 1
If it's only inflate that's faulty, doesn't that exclude all current
VNC servers from the vulne
>Depends on your malloc() implementation. The thing that causes the bug
>to appear is an input stream constructed *just* *so*, and that *is*
>platform independent as the inflate input stream is the same regardless
>of platform. Bad things happen when malloc()/free() from libc is also
>faulty or fa
PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Adrian Umpleby
Sent: Thursday, 14 March 2002 8:14 PM
To: [EMAIL PROTECTED]
Subject: Re: VNC zlib Advisory draft 1
>The next version of VNCThing (2.3) will be linked with zlib 1.1.4: should be
>available fairly soon.
Thanks for the info!
(Does
>Apple does not seem to have made any comment about Classic Mac OS.
>(Do apps have to include their own zlib if used in Classic, just as
>VNCThing has?)
As far as I can tell, all Classic applications that use Zlib are
statically linked with it, except for a few which include a dynamic
library w
Me again...
>The next version of VNCThing (2.3) will be linked with zlib 1.1.4: should
>be available fairly soon.
Just curious to know if you've also figured out the problem with dragging
when connected to an Xvnc server?
(That's the only thing that's keeping me using VNCDimension at the moment
>The next version of VNCThing (2.3) will be linked with zlib 1.1.4: should be
>available fairly soon.
Thanks for the info!
(Does that mean v2.2 is potentially vulnerable?)
Adrian
>>Product:ChromiVNC
>>
>>ChromiVNC does not yet implement the Zlib encoding
>>Please remove it from the list
>
>Done.
VNCThing supports zlib encoding, and it looks like the latest (v2.2)
includes v1.1.3 of zlib. I don't know if this particular version of
zlib as compiled on the Ma
Andrew van der Stock wrote:
> If you maintain a version of VNC that includes zlib in the viewer or
> server, please get back to me if you are affected, and what plans you
> have to go to zlib version 1.1.4 or the fixed version of zlib from
> Redhat.
...
> VNCThing for MacOS X (and MacOS platforms
Done.
Andrew
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Jonathan Morton
Sent: Thursday, 14 March 2002 2:25 PM
To: [EMAIL PROTECTED]
Subject: Re: VNC zlib Advisory draft 1
>Product:ChromiVNC
ChromiVNC does not yet implement
>If you maintain a version of VNC that includes zlib in the viewer or
>server, please get back to me if you are affected, and what plans you
>have to go to zlib version 1.1.4 or the fixed version of zlib from
>Redhat.
>Product:ChromiVNC
ChromiVNC does not yet implement the Zlib