“At the time of calling the function, the variable should be equal to the length of the m_zlibbuf buffer…since the variable new_len was not initialized, it contained a large text section address value. “The uninitialized variable new_len is passed to the lzo1x_decompress function,” according to the research. ![]() Meanwhile, the CVE-2019-8262 critical vulnerability (with a CVSS score of 9.8 out of 10) was identified in the handler of data encoded using the UltraVNC encoding function that could cause information disclosure. With the right parameters, a remote attacker would be able to write a null byte to the _NT_HEAP structure, which will be located directly before a huge chunk.” “If an integer overflow does not occur and the system has sufficient memory, a large buffer will be allocated, with a new heap allocated for it. “If an integer overflow occurs when allocating m_desktopName and the buffer is allocated on the regular heap of the process, this will make it possible to write the null byte to the previous chunk,” according to the research. Researchers also “wouldn’t rule out that experts in exploiting the Windows userland heap could turn this vulnerability into an RCE if they wanted to.” This is also critical, with a CVSS rating of 9.8 out of 10, and can be exploited to cause a denial-of-service state. “However, the compiler could make a mistake and fail to check for the presence of a buffer in some of the structures on the stack or in switch-case statements.”Īlso, a critical integer-overflow vulnerability ( CVE-2018-15361) exists in UltraVNC client-side code. “Some compilers perform…optimizations by removing stack canary checks from the functions that don’t have explicitly allocated arrays,” according to the research. ![]() However, to exploit the bug, authorization on the server is required. The issue ( CVE-2019-15683) exists because the stack frame is not protected with a stack canary. Across all 37 bugs, there are two main attack vectors, the firm said: “An attacker is on the same network with the VNC server and attacks it to gain the ability to execute code on the server with the server’s privileges a user connects to an attacker’s ‘server’ using a VNC client and the attacker exploits vulnerabilities in the client to attack the user and execute code on the user’s machine.”Ī significant number of the problems detailed in the research were found and reported last year however, each of the projects examined also had newly discovered bugs.įor instance, a newly found critical (9.8 out of 10 on the CVSS v.3 severity rating scale) database stack buffer overflow vulnerability in the TurboVNC server code could result in RCE. Kasperksy found vulnerabilities not only in the client, but also on the server-side of the system many of the latter however can only be exploited after password authentication. “The prevalence of such systems in general, and particularly ones that are vulnerable, is a significant issue for the industrial sector as potential damages can bring significant losses through disruption of complex production processes,” Kaspersky researchers wrote in an analysis of the bugs for ICS CERT, released Friday. Approximately 32 percent of industrial network computers having some form of remote administration tools, including VNC. ![]() The research looked into four popular VNC-based systems, LibVNC, UltraVNC, TightVNC1.X and TurboVNC, which are actively used in automated industrial facilities to enable remote control of systems, according to the firm. According to researchers at Kaspersky, they potentially affect 600,000 web-accessible servers in systems that use the code. The open-source Virtual Network Computing (VNC) project, often found in industrial environments, is plagued with 37 different memory-corruption vulnerabilities – many of which are critical in severity and some of which could result in remote code execution (RCE).
0 Comments
Leave a Reply. |