Full Report
UltraVNC revision 1206 has multiple off-by-one vulnerabilities in VNC client code connected with improper usage of the ClientConnection::ReadString function, which can potentially result in code execution. This attack appears to be exploitable via network connectivity. These vulnerabilities have been fixed in revision 1207.
Analysis Summary
# Vulnerability: UltraVNC Client off-by-one Code Execution
## CVE Details
- **CVE ID:** CVE-2019-8268
- **CVSS Score:** 8.8 (High) - *Note: Based on the provided vector string AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H*
- **CWE:** CWE-193 (Off-by-one Error)
## Affected Systems
- **Products:** UltraVNC (VNC Client)
- **Versions:** All versions prior to 1.2.2.4 (revision 1206 is the revision specifically cited as vulnerable)
- **Configurations:** Systems running the UltraVNC client that connect to remote VNC servers via network connectivity.
## Vulnerability Description
Multiple off-by-one vulnerabilities exist within the UltraVNC client-side code. The flaws are rooted in the improper usage of the `ClientConnection::ReadString` function. When the client receives a specifically crafted string from a VNC server, the function fails to account for the buffer boundary correctly and can write one byte past the end of its allocated buffer. This memory corruption can potentially lead to arbitrary code execution in the context of the user running the client.
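The following is an added illustration of the CWE-193 pattern this description refers to, not UltraVNC's code and not its actual `ClientConnection::ReadString`: a length-prefixed string read where the boundary check admits a string exactly as long as the destination, so the terminator lands one byte past it, beside the corrected check and a reader that also rejects truncated input. The 2-byte big-endian length prefix, the function names and the sample messages are all assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example of an off-by-one boundary check (CWE-193); this is not
 * UltraVNC's ClientConnection::ReadString. */

/* The off-by-one check: accepts len == cap, but a NUL terminator written at
 * dst[len] after the copy then lands one byte past the end of dst. */
bool fits_offbyone(size_t len, size_t cap) {
    return len <= cap;   /* BUG: leaves no room for the terminator */
}

/* Corrected check: the len bytes plus the terminator must fit in cap bytes. */
bool fits_correct(size_t len, size_t cap) {
    return len < cap;
}

/* Hardened reader over an assumed wire format of a 2-byte big-endian length
 * followed by that many bytes. Copies the string into dst as a NUL-terminated
 * C string and advances *pos. Returns 0 on success, -1 if the message is
 * truncated or the string would not fit (dst is left empty in that case). */
int read_string_checked(const uint8_t *pkt, size_t pkt_len, size_t *pos,
                        char *dst, size_t cap) {
    if (cap == 0) return -1;
    dst[0] = '\0';
    if (*pos + 2 > pkt_len) return -1;                 /* no room for the length */
    uint16_t len = (uint16_t)((pkt[*pos] << 8) | pkt[*pos + 1]);
    *pos += 2;
    if (len > pkt_len - *pos) return -1;               /* truncated message */
    if (!fits_correct((size_t)len, cap)) return -1;    /* would overflow dst */
    memcpy(dst, pkt + *pos, len);
    dst[len] = '\0';                                   /* in bounds: len < cap */
    *pos += len;
    return 0;
}

/* Constructed input: length 4 followed by "host". Returns the parsed length. */
int demo_valid_len(void) {
    static const uint8_t pkt[] = {0x00, 0x04, 'h', 'o', 's', 't'};
    char dst[8];
    size_t pos = 0;
    if (read_string_checked(pkt, sizeof pkt, &pos, dst, sizeof dst) != 0) return -1;
    return (int)strlen(dst);
}

/* Constructed input: an 8-byte string into an 8-byte buffer, the exact case the
 * off-by-one check would have let through. Returns the reader's status. */
int demo_exact_fill_rejected(void) {
    static const uint8_t pkt[] = {0x00, 0x08, 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h'};
    char dst[8];
    size_t pos = 0;
    return read_string_checked(pkt, sizeof pkt, &pos, dst, sizeof dst);
}

/* Constructed input: a length field claiming 10 bytes when only 3 follow. */
int demo_truncated_rejected(void) {
    static const uint8_t pkt[] = {0x00, 0x0a, 'x', 'y', 'z'};
    char dst[16];
    size_t pos = 0;
    return read_string_checked(pkt, sizeof pkt, &pos, dst, sizeof dst);
}

int main(void) {
    printf("off-by-one check accepts 8 bytes into 8-byte buffer: %d\n", fits_offbyone(8, 8));
    printf("corrected check accepts 8 bytes into 8-byte buffer: %d\n", fits_correct(8, 8));
    printf("valid string parsed, length: %d\n", demo_valid_len());
    printf("exact-fill string rejected: %d\n", demo_exact_fill_rejected());
    printf("truncated message rejected: %d\n", demo_truncated_rejected());
    return 0;
}
```

The two check functions differ by a single comparison operator, which is why this class of bug survives review: the copy itself stays in bounds and only the terminator write overshoots. Reviewing every `ReadString`-style helper for the terminator's byte, and fuzzing the client against a server that sends maximum-length fields, are the practical ways to catch it.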
## Exploitation
- **Status:** Proof of Concept (PoC) available
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
- **User Interaction:** Required (User must connect the vulnerable client to a malicious/compromised VNC server).
## Impact
- **Confidentiality:** High (Potential for full data access)
- **Integrity:** High (Potential for unauthorized modification/code execution)
- **Availability:** High (Potential for application crash or system takeover)
## Remediation
### Patches
- **UltraVNC Revision 1207 / Version 1.2.2.4:** The vendor has released these versions to address the improper string handling. Users should update to version 1.2.2.4 or newer.
### Workarounds
- **Strict Server Connection Policy:** Avoid connecting the UltraVNC client to untrusted or unknown VNC servers.
- **Network Segmentation:** Use a firewall or VPN to ensure clients only connect to authorized internal servers.
## Detection
- **Indicators of compromise:** Unexpected crashes of the `vncviewer.exe` process when connecting to remote hosts.
- **Detection methods and tools:**
  - Security software or EDR (Endpoint Detection and Response) may detect unusual memory patterns or shellcode execution originating from the UltraVNC process.
  - Software inventory tools should be used to scan for instances of UltraVNC older than 1.2.2.4.
## References
- **Kaspersky ICS CERT:** hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2019/03/01/klcert-19-015-ultravnc-off-by-one-error/
- **NVD:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2019-8268
- **CVSS Calculator:** hxxps[://]www[.]first[.]org/cvss/calculator/3.1#AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C