#2014-007 libvncserver multiple issues

Description:

Virtual Network Computing (VNC) is a graphical sharing system based on the Remote Frame Buffer (RFB) protocol. The LibVNCServer project, an open source library for implementing VNC compliant communication, suffers from a number of bugs that can potentially be exploited with security impact.

Various implementation issues resulting in remote code execution and/or DoS conditions on both the VNC server and client side have been discovered.

1. A malicious VNC server can trigger incorrect memory management handling by advertising a large screen size parameter to the VNC client. This results in multiple memory corruptions and could allow remote code execution on the VNC client.

2. A malicious VNC client can trigger multiple DoS conditions on the VNC server by advertising a large screen size, a large ClientCutText message length and/or a zero scaling factor parameter.

3. A malicious VNC client can trigger multiple stack-based buffer overflows by passing long file and directory names and/or attributes (FileTime) when using the file transfer message feature.

It should be noted that every described issue represents a post-authentication bug; therefore the server side conditions can be anonymously leveraged only if the VNC server is configured to allow unauthenticated sessions.

Affected version:

LibVNCServer <= 0.9.9

Fixed version:

LibVNCServer, N/A

Credit: vulnerability report received from Nicolas Ruff of Google Security Team <nruff AT google.com>.

CVE:

CVE-2014-6051 (1), CVE-2014-6052 (1), CVE-2014-6053 (2), CVE-2014-6054 (2), CVE-2014-6055 (3)

Timeline:

2014-09-05: vulnerability report received
2014-09-16: contacted affected vendors
2014-09-22: contacted additional affected vendors
2014-09-25: advisory release

References:

(1) https://github.com/newsoft/libvncserver/commit/045a044e8ae79db9244593fbce154cdf6e843273
(2) https://github.com/newsoft/libvncserver/commit/6037a9074d52b1963c97cb28ea1096c7c14cbf28
(2) https://github.com/newsoft/libvncserver/commit/05a9bd41a8ec0a9d580a8f420f41718bdd235446
(3) https://github.com/newsoft/libvncserver/commit/06ccdf016154fde8eccb5355613ba04c59127b2e
(3) https://github.com/newsoft/libvncserver/commit/f528072216dec01cee7ca35d94e171a3b909e677

Permalink:

http://www.ocert.org/advisories/ocert-2014-007.html

-- 
Andrea Barisani | Founder & Project Coordinator
oCERT | OSS Computer Security Incident Response Team
<lcars@xxxxxxxxx> http://www.ocert.org
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
"Pluralitas non est ponenda sine necessitate"
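The three issue classes in the description above share one root cause: length and size fields taken from the peer are used for allocation, division or fixed-buffer copies without being bounded first. The following C code is an added illustration written for this page, not LibVNCServer's own code or its fix commits. It shows the input validation a defender would expect at those points: an overflow-safe framebuffer size computation for the advertised screen size, a cap on the ClientCutText length field, a rejection of a zero scaling factor, and a bounded copy for file-transfer names. The limits (MAX_FB_DIM, MAX_FB_BYTES, MAX_CUTTEXT_LEN, MAX_NAME_LEN), the struct and function names, and the sample ServerInit bytes are all assumptions constructed for the example; the ServerInit layout used (big-endian width and height followed by a 16-byte PIXEL_FORMAT whose first byte is bits-per-pixel) is the RFB wire format.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical limits chosen for this example; a real server or client would
 * derive them from its own memory budget and display capabilities. */
#define MAX_FB_DIM      8192u                     /* max width/height in pixels */
#define MAX_FB_BYTES    (256u * 1024u * 1024u)    /* 256 MiB framebuffer cap */
#define MAX_CUTTEXT_LEN (1u << 20)                /* 1 MiB ClientCutText cap */
#define MAX_NAME_LEN    255u                      /* file-transfer name cap */

struct fb_info {
    uint16_t width;
    uint16_t height;
    uint8_t  bits_per_pixel;
    size_t   fb_bytes;       /* validated framebuffer allocation size */
};

/* Constructed ServerInit heads (20 bytes: width, height, PIXEL_FORMAT).
 * sane_init: 1024x768 at 32 bpp. huge_init: 65535x65535 at 32 bpp, which
 * would be about 16 GiB if the advertised size were trusted. */
static const uint8_t sane_init[20] = { 0x04, 0x00, 0x03, 0x00, 32 };
static const uint8_t huge_init[20] = { 0xff, 0xff, 0xff, 0xff, 32 };

/* Read a big-endian 16-bit value (RFB uses network byte order). */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Check advertised dimensions and compute the allocation size without
 * overflowing: the product is formed in 64 bits and capped before use. */
bool fb_size_ok(uint16_t width, uint16_t height, uint8_t bits_per_pixel, size_t *out_bytes)
{
    if (width == 0 || height == 0 || width > MAX_FB_DIM || height > MAX_FB_DIM)
        return false;
    if (bits_per_pixel != 8 && bits_per_pixel != 16 && bits_per_pixel != 32)
        return false;
    uint64_t bytes = (uint64_t)width * height * (bits_per_pixel / 8);
    if (bytes > MAX_FB_BYTES)
        return false;
    *out_bytes = (size_t)bytes;
    return true;
}

/* Convenience wrapper: 0 when the size is rejected, else the validated byte count. */
size_t fb_bytes_for(uint16_t width, uint16_t height, uint8_t bits_per_pixel)
{
    size_t bytes = 0;
    return fb_size_ok(width, height, bits_per_pixel, &bytes) ? bytes : 0;
}

/* Parse the fixed head of an RFB ServerInit message and refuse it unless
 * the framebuffer it implies passes fb_size_ok(). Nothing is allocated
 * from the peer's numbers before this check. */
bool parse_server_init(const uint8_t *buf, size_t len, struct fb_info *out)
{
    if (len < 20)
        return false;
    uint16_t w = rd16(buf), h = rd16(buf + 2);
    uint8_t bpp = buf[4];
    size_t bytes;
    if (!fb_size_ok(w, h, bpp, &bytes))
        return false;
    out->width = w; out->height = h; out->bits_per_pixel = bpp; out->fb_bytes = bytes;
    return true;
}

/* Length field of a ClientCutText message: bound it before allocating or reading. */
bool cuttext_len_ok(uint32_t length) { return length <= MAX_CUTTEXT_LEN; }

/* A scaling factor of zero would later be used as a divisor; reject it. */
bool scale_factor_ok(uint8_t scale) { return scale != 0; }

/* Copy a file-transfer name into a fixed buffer only if it fits with room
 * for the terminator; overlong names are refused rather than overflowing. */
bool copy_name_bounded(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    if (dst_size == 0 || src_len > MAX_NAME_LEN || src_len >= dst_size)
        return false;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return true;
}

int main(void)
{
    struct fb_info fb;
    char name[64];
    printf("sane ServerInit accepted: %d\n", parse_server_init(sane_init, sizeof sane_init, &fb));
    printf("huge ServerInit accepted: %d\n", parse_server_init(huge_init, sizeof huge_init, &fb));
    printf("4 GiB ClientCutText accepted: %d\n", cuttext_len_ok(0xffffffffu));
    printf("zero scale accepted: %d\n", scale_factor_ok(0));
    printf("short name accepted: %d\n", copy_name_bounded(name, sizeof name, "a.txt", 5));
    return 0;
}
```

The design point is that every peer-supplied size is validated by the same small set of functions before it reaches malloc, a division or memcpy, so a reviewer can audit the bounds in one place rather than at each use site.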