Full Report
UltraVNC before 1.2.2.4 has a stack-based buffer overflow vulnerability in the VNC client code inside the ShowConnInfo routine, which leads to a denial-of-service (DoS) condition in the VNC client.
Analysis Summary
# Vulnerability: UltraVNC Client ShowConnInfo Stack-based Buffer Overflow
## CVE Details
- **CVE ID:** CVE-2019-8263
- **CVSS Score:** 7.5 (High). *Note: the provided text lists 0.0 in the header, but the vector string `CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H` calculates to 6.5-7.5 depending on versioning; Kaspersky identifies this as a High severity DoS risk.*
- **CWE:** CWE-121 (Stack-based Buffer Overflow)
## Affected Systems
- **Products:** UltraVNC (VNC Client/Viewer)
- **Versions:** All versions prior to 1.2.2.4
- **Configurations:** Systems where a user initiates a connection to a remote VNC server.
## Vulnerability Description
A stack-based buffer overflow vulnerability exists within the VNC client code of UltraVNC, specifically inside the `ShowConnInfo` routine. This routine is responsible for processing and displaying connection information. Due to insufficient bounds checking, a malicious or compromised VNC server can send specially crafted data that exceeds the allocated buffer size on the stack, leading to memory corruption.
## Exploitation
- **Status:** PoC available
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
- **Required Interaction:** User interaction is required; the victim must attempt to connect to the attacker-controlled VNC server.
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (Results in a Denial-of-Service condition through client application crashes).
## Remediation
### Patches
- **UltraVNC 1.2.2.4:** This version (released February 2019) contains the fix for the buffer overflow. Users should update to version 1.2.2.4 or any subsequent newer release.
### Workarounds
- **Trusted Connections Only:** Restrict the use of the VNC client to known, trusted internal servers only.
- **Employee Awareness:** Advise users against connecting to unknown or untrusted VNC server addresses.
## Detection
- **Indicators of Compromise:** Unusual application crashes of the UltraVNC Viewer (`vncviewer.exe`) immediately upon connection or when viewing "Connection Info."
- **Detection Methods:**
  - Use Vulnerability Scanners (e.g., Nessus, OpenVAS) to identify installed versions of UltraVNC older than 1.2.2.4.
  - Monitor network traffic for connections to untrusted external IP addresses on standard VNC ports (typically 5900-5906).
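
The two detection methods above can be combined into one triage pass. The following is an added example, not part of the original advisory or of UltraVNC: it compares inventoried viewer versions against 1.2.2.4 and correlates them with outbound flows on ports 5900-5906 to destinations outside a trusted range. The inventory, flow records, trusted network and function names are constructed assumptions.

```python
import ipaddress

FIXED = (1, 2, 2, 4)            # first fixed UltraVNC release named in the advisory
VNC_PORTS = range(5900, 5907)   # 5900-5906, the port range named in the advisory

def parse_version(text):
    """'1.2.2.3' -> (1, 2, 2, 3); short versions are zero-padded to four parts."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def is_vulnerable(version_text):
    """True when the viewer version is older than the fixed release."""
    return parse_version(version_text) < FIXED

def untrusted_vnc_flows(flows, trusted_nets):
    """Return (src, dst, port) flows on VNC ports whose dst is outside trusted_nets."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for src, dst, port in flows:
        if port in VNC_PORTS and not any(ipaddress.ip_address(dst) in n for n in nets):
            hits.append((src, dst, port))
    return hits

def triage(inventory, flows, trusted_nets):
    """Map each host running a vulnerable viewer to its untrusted VNC destinations."""
    risky = untrusted_vnc_flows(flows, trusted_nets)
    return {
        host: [(dst, port) for src, dst, port in risky if src == host]
        for host, version in inventory.items()
        if is_vulnerable(version)
    }

# Constructed sample data (hypothetical hosts, documentation address ranges).
INVENTORY = {"10.0.0.11": "1.2.2.3", "10.0.0.12": "1.2.2.4", "10.0.0.13": "1.2.1.7"}
TRUSTED = ["10.0.5.0/24"]
FLOWS = [
    ("10.0.0.11", "10.0.5.20", 5900),     # trusted internal server
    ("10.0.0.11", "203.0.113.7", 5901),   # vulnerable viewer, untrusted server
    ("10.0.0.12", "198.51.100.9", 5900),  # patched viewer, untrusted server
    ("10.0.0.13", "203.0.113.7", 443),    # not a VNC port
    ("10.0.0.13", "10.0.5.20", 5906),     # trusted internal server
]

if __name__ == "__main__":
    for host, dests in triage(INVENTORY, FLOWS, TRUSTED).items():
        print(host, INVENTORY[host], dests or "no untrusted VNC connections seen")
```

Hosts returned with a non-empty destination list are the ones to patch first, since they both run an affected viewer and connect to servers outside the trusted range.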
## References
- **Vendor Advisory:** hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2019/03/01/klcert-19-010-ultravnc-stack-based-buffer-overflow/
- **NVD Entry:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2019-8263
- **UltraVNC Downloads:** hxxps[://]uvnc[.]com/downloads/ultravnc[.]html