Vigil@nce: QEMU, Linux KVM, truncation of VNC password
January 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
When the user changes the VNC password via the QEMU console or
Linux Kernel-Based Virtual Machine, it is truncated to 7
characters.
Gravity: 2/4
Consequences: user access/rights
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 30/12/2008
IMPACTED PRODUCTS
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The QEMU emulator implements VNC for remote administration. Linux
Kernel-Based Virtual Machine contains a copy of QEMU source code.
The do_change_vnc() function of monitor.c changes the VNC
password. The monitor_readline() function reads the new password.
However, this function is called with a size limit of 8 (instead
of 9), which leaves room for only 7 characters plus the terminating '\0'.
When the user changes the VNC password via the QEMU console or
Linux Kernel-Based Virtual Machine, it is thus truncated to 7
characters. A brute force attack is therefore easier.
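The off-by-one described above, as an added illustration in C that is not QEMU's or KVM's own code: bounded_readline models the assumed contract of monitor_readline (its size argument counts the terminating '\0'), and VNC_PASSWORD_MAX of 8 reflects the VNC protocol's password limit, which the advisory does not state.

```c
#include <string.h>

/* Model of a line reader whose size argument counts the terminating '\0', so it
 * keeps at most size-1 characters (assumed contract of monitor_readline; not QEMU code). */
static size_t bounded_readline(const char *input, char *buf, size_t size)
{
    size_t n = 0;
    if (size == 0)
        return 0;
    while (n < size - 1 && input[n] != '\0' && input[n] != '\n') {
        buf[n] = input[n];
        n++;
    }
    buf[n] = '\0';
    return n;
}

enum { VNC_PASSWORD_MAX = 8 }; /* assumption: VNC authentication uses at most 8 password bytes */

/* Vulnerable pattern: 9-byte buffer, but the reader is told 8, so 7 chars + '\0' survive. */
size_t set_vnc_password_buggy(const char *typed, char *out)
{
    char password[VNC_PASSWORD_MAX + 1];
    bounded_readline(typed, password, sizeof(password) - 1);
    strcpy(out, password);
    return strlen(out);
}

/* Corrected pattern: pass the whole buffer size (9), so all 8 characters are kept. */
size_t set_vnc_password_fixed(const char *typed, char *out)
{
    char password[VNC_PASSWORD_MAX + 1];
    bounded_readline(typed, password, sizeof(password));
    strcpy(out, password);
    return strlen(out);
}

/* Returns 1 if the stored password silently lost typed characters (up to the protocol max). */
int password_was_truncated(const char *typed, const char *stored)
{
    size_t want = strlen(typed) > VNC_PASSWORD_MAX ? VNC_PASSWORD_MAX : strlen(typed);
    return strlen(stored) != want;
}
```

With the constructed 8-character password "Abcdefgh", the buggy path stores "Abcdefg" (7 characters) while the fixed path stores all 8.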
CHARACTERISTICS
Identifiers: BID-33020, CVE-2008-5714, VIGILANCE-VUL-8363