Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 25 Sep 2014 13:59:51 +0200
From: Andrea Barisani <>
Subject: [oCERT-2014-007] libvncserver multiple issues

#2014-007 libvncserver multiple issues


Virtual Network Computing (VNC) is a graphical sharing system based on the
Remote Frame Buffer (RFB) protocol.

The LibVNCServer project, an open source library for implementing VNC
compliant communication, suffers from a number of bugs that can be potentially
exploited with security impact.

Various implementation issues resulting in remote code execution and/or DoS
conditions on both the VNC server and client side have been discovered.

 1. A malicious VNC server can trigger incorrect memory management
    handling by advertising a large screen size parameter to the VNC
    client. This would result in multiple memory corruptions and could
    allow remote code execution on the VNC client.

 2. A malicious VNC client can trigger multiple DoS conditions on the VNC
    server by advertising a large screen size, ClientCutText message
    length and/or a zero scaling factor parameter.

 3. A malicious VNC client can trigger multiple stack-based buffer
    overflows by passing a long file and directory names and/or attributes
    (FileTime) when using the file transfer message feature.

It should be noted that every described issue represents a post-authentication
bug, therefore the server side conditions can be anonymously leveraged only if
the VNC server is configured to allow unauthenticated sessions.

Affected version:

LibVNCServer <= 0.9.9

Fixed version:

LibVNCServer, N/A

Credit: vulnerability report received from Nicolas Ruff
        of Google Security Team <nruff AT>.

CVE: CVE-2014-6051 (1), CVE-2014-6052 (1), CVE-2014-6053 (2),
     CVE-2014-6054 (2), CVE-2014-6055 (3)


2014-09-05: vulnerability report received
2014-09-16: contacted affected vendors
2014-09-22: contacted additional affected vendors
2014-09-25: advisory release



Andrea Barisani |                Founder & Project Coordinator
          oCERT | OSS Computer Security Incident Response Team

 0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
        "Pluralitas non est ponenda sine necessitate"

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ