From Yaniv Kaul:

VNC dissector fails to dissect properly the authentication used by the older VNC protocol. Specifically, the part about version 3.3 in section 6.2 of the protocol was ignored / not properly implemented. svn path=/trunk/; revision=31250
author: Jaap Keuter <jaap.keuter@xs4all.nl> 2009-12-12 08:39:38 +0000
committer: Jaap Keuter <jaap.keuter@xs4all.nl> 2009-12-12 08:39:38 +0000
commit: 98aaf48d95d8cfa2a98fb5c08cac76e8ac6d3345 (patch)
tree: c39edc42c45b409c99e1e9c52da2e6b29022bcce
parent: a4b7135ce3fa8362edf75804da448a362311e1b8 (diff)
1 files changed, 45 insertions, 22 deletions
diff --git a/epan/dissectors/packet-vnc.c b/epan/dissectors/packet-vnc.c
index e55a4eee6d..391ce271de 100644
--- a/epan/dissectors/packet-vnc.c
+++ b/epan/dissectors/packet-vnc.c
@@ -59,20 +59,6 @@
 #include "packet-x11-keysym.h" /* This contains the X11 value_string
 				* "keysym_vals_source" that VNC also uses. */
 
-
-static const value_string security_types_vs[] = {
-	{ 0,  "Invalid"  },
-	{ 1,  "None"     },
-	{ 2,  "VNC"      },
-	{ 5,  "RA2"      },
-	{ 6,  "RA2ne"    },
-	{ 16, "Tight"    },
-	{ 17, "Ultra"    },
-	{ 18, "TLS"      },
-	{ 19, "VeNCrypt" },
-	{ 0,  NULL       }
-};
-
 typedef enum {
 	INVALID  = 0,
 	NONE     = 1,
@@ -85,6 +71,19 @@ typedef enum {
 	VENCRYPT = 19
 } security_types_e;
 
+static const value_string security_types_vs[] = {
+	{ INVALID,  "Invalid"  },
+	{ NONE,  "None"     },
+	{ VNC,  "VNC"      },
+	{ RA2,  "RA2"      },
+	{ RA2ne,  "RA2ne"    },
+	{ TIGHT, "Tight"    },
+	{ ULTRA, "Ultra"    },
+	{ TLS, "TLS"      },
+	{ VENCRYPT, "VeNCrypt" },
+	{ 0,  NULL       }
+};
+
 static const value_string auth_result_vs[] = {
 	{ 0, "OK"     },
 	{ 1, "Failed" },
@@ -547,6 +546,7 @@ dissect_vnc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
 		per_conversation_info = se_alloc(sizeof(vnc_conversation_t));
 		
 		per_conversation_info->vnc_next_state = SERVER_VERSION;
+		per_conversation_info->security_type_selected = INVALID;
 
       		conversation_add_proto_data(conversation, proto_vnc,
 					    per_conversation_info);
@@ -752,15 +752,37 @@ vnc_startup_messages(tvbuff_t *tvb, packet_info *pinfo, gint offset,
 						offset, 1, FALSE);
 				}
 			}
+			per_conversation_info->vnc_next_state =	SECURITY_TYPES;	
 		} else {
 			/* Version < 3.007: The server decides the
 			 * authentication type for us to use */
 			proto_tree_add_item(tree,
 				hf_vnc_server_security_type, tvb,
 				offset, 4, FALSE);
+			/* The cast below is possible since in older versions of the protocol the only possible values are 0,1,2 */
+			per_conversation_info->security_type_selected = (guint8)tvb_get_ntohl(tvb, offset);
+			switch(per_conversation_info->security_type_selected) {
+
+			case INVALID:
+				/* TODO: In this case (INVALID) the connection has failed */
+				/* and there should be an error string describing the error */
+				per_conversation_info->vnc_next_state = SECURITY_TYPES;
+				break;
+
+			case NONE:
+				per_conversation_info->vnc_next_state = CLIENT_INIT;
+				break;
+
+			case VNC:
+				per_conversation_info->vnc_next_state = VNC_AUTHENTICATION_CHALLENGE;
+				break;
+
+			default:
+				/* Security type not supported by this dissector */
+				break;
+			}
 		}
 
-		per_conversation_info->vnc_next_state =	SECURITY_TYPES;
 		break;
 
 	case SECURITY_TYPES :
@@ -769,10 +791,10 @@ vnc_startup_messages(tvbuff_t *tvb, packet_info *pinfo, gint offset,
 							offset, 1, FALSE);
 		per_conversation_info->security_type_selected =
 			tvb_get_guint8(tvb, offset);
-	
+
 		switch(per_conversation_info->security_type_selected) {
 
-		case 1 : /* None */
+		case NONE :
 			if(per_conversation_info->client_proto_ver >= 3.008)
 				per_conversation_info->vnc_next_state =
 					SECURITY_RESULT;
@@ -782,15 +804,16 @@ vnc_startup_messages(tvbuff_t *tvb, packet_info *pinfo, gint offset,
 
 			break;
 
-		case 2 : /* VNC */
+		case VNC :
 			per_conversation_info->vnc_next_state =
 				VNC_AUTHENTICATION_CHALLENGE;
 			break;
 
-		case 16 : /* Tight */
+		case TIGHT :
 			per_conversation_info->vnc_next_state =
 				TIGHT_TUNNELING_CAPABILITIES;
-			
+			break;
+
 		default :
 			/* Security type not supported by this dissector */
 			break;
@@ -2449,12 +2472,12 @@ proto_register_vnc(void)
 		},
 		{ &hf_vnc_auth_challenge,
 		  { "Authentication challenge", "vnc.auth_challenge",
-		    FT_STRING, BASE_NONE, NULL, 0x0,
+		    FT_BYTES, BASE_NONE, NULL, 0x0,
 		    "Random authentication challenge from server to client", HFILL }
 		},
 		{ &hf_vnc_auth_response,
 		  { "Authentication response", "vnc.auth_response",
-		    FT_STRING, BASE_NONE, NULL, 0x0,
+		    FT_BYTES, BASE_NONE, NULL, 0x0,
 		    "Client's encrypted response to the server's authentication challenge", HFILL }
 		},
 		{ &hf_vnc_auth_result,
author	Jaap Keuter <jaap.keuter@xs4all.nl>	2009-12-12 08:39:38 +0000
committer	Jaap Keuter <jaap.keuter@xs4all.nl>	2009-12-12 08:39:38 +0000
commit	98aaf48d95d8cfa2a98fb5c08cac76e8ac6d3345 (patch)
tree	c39edc42c45b409c99e1e9c52da2e6b29022bcce
parent	a4b7135ce3fa8362edf75804da448a362311e1b8 (diff)