Full Report
UltraVNC before 1.2.2.4 has a stack buffer overflow vulnerability in the VNC server code, inside the file transfer request handler, which can result in a denial-of-service (DoS) condition.
Analysis Summary
# Vulnerability: UltraVNC Server Stack-based Buffer Overflow in File Transfer Handler
## CVE Details
- **CVE ID:** CVE-2019-8276
- **CVSS Score:** 6.5 (Medium) | *Note: Base score derived from vector [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H]*
- **CWE:** CWE-121 (Stack-based Buffer Overflow)
## Affected Systems
- **Products:** UltraVNC (Remote Administration Software)
- **Versions:** All versions prior to 1.2.2.4
- **Configurations:** Systems running the UltraVNC Server component with network access enabled.
## Vulnerability Description
A stack-based buffer overflow vulnerability exists within the UltraVNC server-side code. The flaw is located specifically within the handler responsible for processing client file transfer requests. By sending a specially crafted file transfer request, an attacker can overflow a buffer on the stack. In the documented context, this memory corruption leads to an application crash, resulting in a denial-of-service (DoS) condition for the VNC server service.
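To make the bug class concrete, the following is an added illustration written for this report, not UltraVNC's code and not from the advisory: a hypothetical file-transfer request handler that copies a client-declared, length-prefixed file name into a fixed stack buffer (the CWE-121 pattern described above), beside a hardened variant that bounds the length before copying. The 2-byte big-endian length prefix, the 64-byte buffer and the function names are assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of CWE-121 in a file-transfer request handler, in the
 * shape the advisory describes. NOT UltraVNC's code: the message layout (2-byte
 * big-endian name length followed by the name bytes) is an assumption. */
#define NAME_BUF 64   /* fixed-size stack buffer for the requested file name */
static size_t be16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Vulnerable pattern: the client-supplied length is checked against the bytes on
 * the wire but never against the stack buffer, so a name of NAME_BUF or more
 * bytes is copied past 'name' and the process crashes (the DoS the advisory
 * documents). Only safe to call when the declared length is below NAME_BUF. */
int handle_request_vulnerable(const uint8_t *msg, size_t msg_len) {
    char name[NAME_BUF];
    if (msg_len < 2) return -1;
    size_t len = be16(msg);
    if (len > msg_len - 2) return -1;
    memcpy(name, msg + 2, len);       /* stack overflow when len >= NAME_BUF */
    name[len] = '\0';
    return (int)strlen(name);
}

/* Hardened pattern: validate the declared length against both the payload and the
 * destination buffer before copying; an oversized request gets a distinct code. */
int handle_request_hardened(const uint8_t *msg, size_t msg_len) {
    char name[NAME_BUF];
    if (msg_len < 2) return -1;       /* truncated header */
    size_t len = be16(msg);
    if (len > msg_len - 2) return -1; /* declared length exceeds received bytes */
    if (len >= NAME_BUF) return -2;   /* would overflow: reject, never copy */
    memcpy(name, msg + 2, len);
    name[len] = '\0';
    return (int)strlen(name);
}

/* Builds a constructed request declaring 'declared' name bytes of 'fill'. */
size_t build_request(uint8_t *out, size_t declared, char fill) {
    out[0] = (uint8_t)(declared >> 8);
    out[1] = (uint8_t)(declared & 0xff);
    memset(out + 2, fill, declared);
    return 2 + declared;
}

int main(void) {
    uint8_t req[2 + 300];
    size_t n = build_request(req, 300, 'A');   /* 300-byte name vs 64-byte buffer */
    printf("hardened handler: %d (-2 = rejected)\n", handle_request_hardened(req, n));
    return 0;
}
```

The distinct -2 return is the hook a server would use to log the rejected request, which is the event the Detection section below looks for.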
## Exploitation
- **Status:** Proof of Concept (PoC) available
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
- **Requirements:** Low privileges (authenticated user session). The CVSS vector indicates that the attacker requires network access and low-privilege authentication; the attack may also succeed if a user is induced to connect to an attacker-controlled server.
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (The primary impact is the interruption of the VNC service through a crash).
## Remediation
### Patches
- **UltraVNC 1.2.2.4:** Users should update to version 1.2.2.4 or later to resolve this vulnerability.
### Workarounds
- **Disable File Transfer:** If updating is not immediately possible, disabling the file transfer functionality in the UltraVNC server settings may mitigate the specific attack vector.
- **Access Control:** Restrict VNC access to trusted IP addresses using firewalls or VPNs to limit the exposure of the server to potential attackers.
## Detection
- **Indicators of Compromise:** Unexpected crashes of the `WinVNC.exe` process, particularly following incoming file transfer requests.
- **Detection methods and tools:**
  - Monitor server logs for abnormal connection patterns or abrupt service terminations.
  - Use vulnerability scanners (such as Nessus or OpenVAS) to identify outdated UltraVNC installations.
  - Network IDS/IPS signatures looking for malformed VNC file transfer initialization packets.
## References
- **Kaspersky ICS CERT:** hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2019/03/01/klcert-19-023-ultravnc-stack-based-buffer-overflow/
- **NVD Entry:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2019-8276
- **CVSS Calculator:** hxxps[://]www[.]first[.]org/cvss/calculator/3.1#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C