oCERT-2014-007 libvncserver multiple issues
Virtual Network Computing (VNC) is a graphical sharing system based on the Remote Frame Buffer (RFB) protocol.
The LibVNCServer project, an open source library for implementing VNC-compliant communication, contains a number of bugs that can potentially be exploited with security impact.
Several implementation issues have been discovered that result in remote code execution and/or denial-of-service (DoS) conditions on both the VNC server and the VNC client side.
- A malicious VNC server can trigger incorrect memory handling by advertising a large screen size parameter to the VNC client. This results in multiple memory corruptions and could allow remote code execution on the VNC client.
- A malicious VNC client can trigger multiple DoS conditions on the VNC server by advertising a large screen size, ClientCutText message length and/or a zero scaling factor parameter.
- A malicious VNC client can trigger multiple stack-based buffer overflows by passing long file and directory names and/or attributes (FileTime) when using the file transfer message feature.
It should be noted that every described issue is a post-authentication bug; the server-side conditions can therefore be leveraged anonymously only if the VNC server is configured to allow unauthenticated sessions.
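The following is an added illustration of the input validation that closes the classes of issue listed above (peer-advertised screen size used to size a buffer, a peer-supplied ClientCutText length, a zero scaling factor used as a divisor, and peer-supplied file names copied into fixed buffers); it is not LibVNCServer code. The limits MAX_FB_BYTES, MAX_CUTTEXT_LEN and MAX_FILENAME_LEN are assumed placeholders, and the dimension parameters are taken as 32-bit for generality even though RFB encodes them as 16-bit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed policy limits, not values from LibVNCServer. */
#define MAX_FB_BYTES     (256u * 1024u * 1024u)  /* largest framebuffer we will allocate */
#define MAX_CUTTEXT_LEN  (1u << 20)               /* 1 MiB of clipboard text */
#define MAX_FILENAME_LEN 255u                     /* bytes, excluding the NUL */

/* Size a framebuffer from peer-advertised dimensions without integer wrap.
 * Returns the byte count, or 0 if the parameters are rejected (0 is never a
 * valid framebuffer size because zero width/height is rejected first). */
size_t framebuffer_bytes(uint32_t width, uint32_t height, uint32_t bytes_per_pixel)
{
    if (width == 0 || height == 0)
        return 0;
    if (bytes_per_pixel != 1 && bytes_per_pixel != 2 && bytes_per_pixel != 4)
        return 0;
    /* Check width * height for overflow, then the product * bytes_per_pixel. */
    if ((size_t)width > SIZE_MAX / height)
        return 0;
    size_t pixels = (size_t)width * height;
    if (pixels > SIZE_MAX / bytes_per_pixel)
        return 0;
    size_t total = pixels * bytes_per_pixel;
    return total > MAX_FB_BYTES ? 0 : total;
}

/* ClientCutText carries a 32-bit length chosen by the peer; cap it before
 * allocating or reading that many bytes. */
bool cuttext_length_ok(uint32_t length) { return length <= MAX_CUTTEXT_LEN; }

/* A scaling factor used as a divisor must be non-zero. */
bool scale_factor_ok(uint32_t scale) { return scale != 0; }

/* Copy a peer-supplied name into a fixed-size buffer only if it fits, NUL
 * included; the caller must not touch dst on failure. */
bool copy_name_bounded(char *dst, size_t dst_size, const uint8_t *src, size_t src_len)
{
    if (src_len > MAX_FILENAME_LEN || src_len >= dst_size)
        return false;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return true;
}
```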
Affected version: LibVNCServer <= 0.9.9
Credit: vulnerability report received from Nicolas Ruff of Google Security Team <nruff AT google.com>.
2014-09-05: vulnerability report received
2014-09-16: contacted affected vendors
2014-09-22: contacted additional affected vendors
2014-09-25: advisory release