exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

LibVNCServer 0.9.9 Remote Code Execution / Denial Of Service

LibVNCServer 0.9.9 Remote Code Execution / Denial Of Service
Posted Sep 25, 2014
Authored by Open Source CERT, Nicolas Ruff

LibVNCServer versions 0.9.9 and below suffer from memory management handling, buffer overflow, and denial of service vulnerabilities.

tags | advisory, denial of service, overflow, vulnerability
advisories | CVE-2014-6051, CVE-2014-6052, CVE-2014-6053, CVE-2014-6054, CVE-2014-6055
SHA-256 | 7119467df020792576889e8a01b9e775d65a326b0070c018b47a7524af569c5b

LibVNCServer 0.9.9 Remote Code Execution / Denial Of Service

Change Mirror Download
#2014-007 libvncserver multiple issues

Description:

Virtual Network Computing (VNC) is a graphical sharing system based on the
Remote Frame Buffer (RFB) protocol.

The LibVNCServer project, an open source library for implementing VNC
compliant communication, suffers from a number of bugs that can be potentially
exploited with security impact.

Various implementation issues resulting in remote code execution and/or DoS
conditions on both the VNC server and client side have been discovered.

1. A malicious VNC server can trigger incorrect memory management
handling by advertising a large screen size parameter to the VNC
client. This would result in multiple memory corruptions and could
allow remote code execution on the VNC client.

2. A malicious VNC client can trigger multiple DoS conditions on the VNC
server by advertising a large screen size, ClientCutText message
length and/or a zero scaling factor parameter.

3. A malicious VNC client can trigger multiple stack-based buffer
overflows by passing a long file and directory names and/or attributes
(FileTime) when using the file transfer message feature.

It should be noted that every described issue represents a post-authentication
bug, therefore the server side conditions can be anonymously leveraged only if
the VNC server is configured to allow unauthenticated sessions.

Affected version:

LibVNCServer <= 0.9.9

Fixed version:

LibVNCServer, N/A

Credit: vulnerability report received from Nicolas Ruff
of Google Security Team <nruff AT google.com>.

CVE: CVE-2014-6051 (1), CVE-2014-6052 (1), CVE-2014-6053 (2),
CVE-2014-6054 (2), CVE-2014-6055 (3)

Timeline:

2014-09-05: vulnerability report received
2014-09-16: contacted affected vendors
2014-09-22: contacted additional affected vendors
2014-09-25: advisory release

References:
(1) https://github.com/newsoft/libvncserver/commit/045a044e8ae79db9244593fbce154cdf6e843273
(2) https://github.com/newsoft/libvncserver/commit/6037a9074d52b1963c97cb28ea1096c7c14cbf28
(2) https://github.com/newsoft/libvncserver/commit/05a9bd41a8ec0a9d580a8f420f41718bdd235446
(3) https://github.com/newsoft/libvncserver/commit/06ccdf016154fde8eccb5355613ba04c59127b2e
(3) https://github.com/newsoft/libvncserver/commit/f528072216dec01cee7ca35d94e171a3b909e677

Permalink:
http://www.ocert.org/advisories/ocert-2014-007.html

--
Andrea Barisani | Founder & Project Coordinator
oCERT | OSS Computer Security Incident Response Team

<lcars@ocert.org> http://www.ocert.org
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
"Pluralitas non est ponenda sine necessitate"
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close