Full Report
UltraVNC before 1.2.2.4 has multiple off-by-one vulnerabilities in the VNC server code, which can potentially result in code execution.
Analysis Summary
# Vulnerability: UltraVNC Server Off-by-one Code Execution
## CVE Details
- **CVE ID:** CVE-2019-8272
- **CVSS Score:** 9.9 (Critical) - *Note: Based on the provided vector CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H*
- **CWE:** CWE-193 (Off-by-one Error)
## Affected Systems
- **Products:** UltraVNC
- **Versions:** All versions prior to 1.2.2.4
- **Configurations:** Systems running the VNC server component where a user can be induced to connect to a malicious server or where an authenticated session is established.
## Vulnerability Description
Multiple off-by-one vulnerabilities exist within the UltraVNC server code. An off-by-one error occurs when a loop bound or a bounds check is off by one, so an iteration or memory write operation reaches exactly one element past the end of an allocated buffer. In the VNC server code, such a one-byte overrun corrupts the memory adjacent to the buffer (a buffer overflow). This memory corruption can potentially be weaponized to achieve arbitrary remote code execution (RCE) with the privileges of the VNC server process.
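As an added illustration of the CWE-193 pattern described above (constructed example, not UltraVNC's code and not the actual flawed routine), the following shows a server copying a length-prefixed field from a client message into a fixed-size, NUL-terminated buffer, with the off-by-one bound beside the corrected one; a guard byte makes the one-byte overwrite observable. `FIELD_MAX`, the function names and the payload are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed illustration of CWE-193, not UltraVNC code: a server copies
 * a length-prefixed field from a client message into a fixed buffer. */
#define FIELD_MAX 16

/* Off-by-one variant: the bound admits len == FIELD_MAX, so the NUL
 * terminator is written one byte past the end of out. */
static int copy_field_offbyone(char *out, const uint8_t *msg, size_t len)
{
    if (len > FIELD_MAX)          /* wrong: should also reject len == FIELD_MAX */
        return -1;
    memcpy(out, msg, len);
    out[len] = '\0';              /* out[FIELD_MAX] when len == FIELD_MAX */
    return 0;
}

/* Hardened variant: reserve room for the terminator before copying. */
static int copy_field_fixed(char *out, const uint8_t *msg, size_t len)
{
    if (len >= FIELD_MAX)         /* len must leave one byte for '\0' */
        return -1;
    memcpy(out, msg, len);
    out[len] = '\0';
    return 0;
}

typedef int (*copy_fn)(char *, const uint8_t *, size_t);

/* Runs one variant on a field of `len` bytes and reports whether it wrote
 * past FIELD_MAX. The destination carries one extra guard byte so the
 * overrun is observable instead of being undefined behaviour. Returns
 * 1 if the guard byte was clobbered, 0 if the copy stayed in bounds or
 * the length was rejected. */
static int overwrites_guard(copy_fn fn, size_t len)
{
    uint8_t msg[FIELD_MAX];
    char out[FIELD_MAX + 1];
    memset(msg, 'A', sizeof msg);        /* constructed client payload */
    out[FIELD_MAX] = (char)0x5a;         /* guard byte just past the field */
    if (fn(out, msg, len) != 0)
        return 0;                        /* rejected: nothing written */
    return out[FIELD_MAX] != (char)0x5a;
}
```

A maximum-length field is accepted by the off-by-one check and clobbers the guard byte, while the hardened check rejects it and accepts only lengths that leave room for the terminator.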
## Exploitation
- **Status:** Proof of Concept (PoC) available
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
- **Prerequisites:** Successful exploitation requires a connection between the vulnerable client/server and an attacker-controlled entity.
## Impact
- **Confidentiality:** High (Full access to data handled by the process)
- **Integrity:** High (Ability to modify system files or memory)
- **Availability:** High (Can lead to service crashes or total system takeover)
## Remediation
### Patches
- **UltraVNC 1.2.2.4:** Users should upgrade to version 1.2.2.4 or newer immediately to resolve these vulnerabilities.
### Workarounds
- Ensure the VNC server is not exposed directly to the internet.
- Restrict access to the VNC ports (default 5900/5901) to trusted IP addresses only, using a firewall.
- Use a VPN for remote access instead of exposing the VNC protocol.
## Detection
- **Indicators of Compromise:** Unexpected crashes of `WinVNC.exe`, unusual outbound network traffic from the VNC server process, or unauthorized administrative changes.
- **Detection methods and tools:**
  - Network Intrusion Detection Systems (NIDS) can be configured to monitor for malformed VNC protocol handshakes.
  - Vulnerability scanners (e.g., Nessus, OpenVAS) can identify outdated versions of UltraVNC.
## References
- **Vendor Advisory:** hxxps://ultravnc[.]net/
- **NVD Entry:** hxxps://nvd[.]nist[.]gov/vuln/detail/CVE-2019-8272
- **Kaspersky ICS CERT:** hxxps://ics-cert[.]kaspersky[.]com/advisories/2019/03/01/klcert-19-019-ultravnc-off-by-one-error/
- **CVSS Calculator:** hxxps://www[.]first[.]org/cvss/calculator/3.1#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C