The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of RealVNC

computer vulnerability CVE-2013-6886

RealVNC: privilege escalation via vncserver-x11 and Xvnc

Synthesis of the vulnerability

A local attacker can use vncserver-x11 or Xvnc of RealVNC, in order to escalate his privileges.
Impacted products: RealVNC.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: user account.
Creation date: 31/12/2013.
Identifiers: BID-64560, CVE-2013-6886, VIGILANCE-VUL-14005.

Description of the vulnerability

The RealVNC product installs the following programs as suid root:
 - vncserver-x11 (User Mode)
 - Xvnc (Virtual Mode)

However, an attacker can inject an additional parameter to these programs.

A local attacker can therefore use vncserver-x11 or Xvnc of RealVNC, in order to escalate his privileges.

vulnerability bulletin 10433

RealVNC: reading logs

Synthesis of the vulnerability

A local attacker can read log files created by RealVNC.
Impacted products: RealVNC.
Severity: 2/4.
Consequences: data reading.
Provenance: user account.
Creation date: 08/03/2011.
Identifiers: VIGILANCE-VUL-10433.

Description of the vulnerability

The Log and LogFile parameters of the Service Mode of VNC Server indicate where to store log files.

However, these logs are stored in an insecure directory by default.

A local attacker can therefore read log files created by RealVNC.

computer vulnerability note 9629

RealVNC: denial of service via ClientCutText

Synthesis of the vulnerability

An authenticated attacker can send the ClientCutText message to RealVNC, in order to stop it.
Impacted products: RealVNC.
Severity: 1/4.
Consequences: denial of service on service.
Provenance: user account.
Creation date: 05/05/2010.
Identifiers: BID-39895, VIGILANCE-VUL-9629.

Description of the vulnerability

The RealVNC server implements several messages for interface manipulation:
 - ClientCutText: cut a text area
 - PointerEvent: a mouse event
 - etc.

However, the winvnc4.exe process does not check whether the size indicated in the ClientCutText message is too large.

An authenticated attacker can therefore send the ClientCutText message to RealVNC, in order to stop it.

vulnerability bulletin 8903

VNC: privilege elevation

Synthesis of the vulnerability

A local attacker can elevate his privileges via a vulnerability of VNC Server Service-Mode.
Impacted products: RealVNC.
Severity: 2/4.
Consequences: privileged access/rights.
Provenance: user shell.
Creation date: 30/07/2009.
Identifiers: VIGILANCE-VUL-8903.

Description of the vulnerability

The VNC Enterprise Edition and VNC Personal Edition products can be started in:
 - User-Mode: direct execution
 - Service-Mode: execution as a Windows/Unix service

When Service-Mode is used, an attacker with access to the console of the host system can elevate his privileges.

A local attacker can therefore use the service in order to become administrator.

computer vulnerability alert CVE-2008-4770

RealVNC: vulnerability of VNC Viewer

Synthesis of the vulnerability

An attacker can create a malicious VNC server and invite the victim to connect to it with VNC Viewer in order to execute code on the computer.
Impacted products: Debian, Fedora, OpenSolaris, Solaris, RealVNC, RHEL.
Severity: 2/4.
Consequences: user access/rights.
Provenance: intranet server.
Creation date: 20/10/2008.
Identifiers: 248526, 6777095, BID-31832, CERTA-2002-AVI-229, CERTA-2009-AVI-035, CVE-2008-4770, DSA-1716-1, FEDORA-2009-0991, FEDORA-2009-1001, RHSA-2009:0261-01, VIGILANCE-VUL-8186.

Description of the vulnerability

VNC uses the RFB protocol (Remote FrameBuffer) to access the remote host.

The RealVNC product is composed of two modules:
 - VNC Server: to be installed on the computer to administer
 - VNC Viewer: to be installed on the client

The CMsgReader::readRect() function of the common/rfb/CMsgReader.cxx file, used in VNC Viewer, does not correctly check received messages.

An attacker can therefore create a malicious VNC server and invite the victim to connect to it with VNC Viewer in order to execute code on the computer.

computer vulnerability bulletin 6108

RealVNC: integer overflow of readClientCutText and readServerCutText

Synthesis of the vulnerability

An authenticated attacker can generate an integer overflow on the remote computer, which leads to a denial of service.
Impacted products: RealVNC.
Severity: 1/4.
Consequences: denial of service on service.
Provenance: user account.
Creation date: 21/08/2006.
Identifiers: BID-19599, VIGILANCE-VUL-6108.

Description of the vulnerability

The SMsgReader::readClientCutText() and CMsgReader::readServerCutText() methods read clipboard data sent by the remote computer via CMsgWriter::clientCutText() and SMsgWriter::writeServerCutText().

However, these methods do not correctly check the size of the data in the message. An attacker can use a negative value to generate an integer overflow. This overflow seems to only lead to a denial of service.

An authenticated attacker can thus, for example, use a modified client to send the server a message in order to stop it.
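The length handling behind this bulletin and the ClientCutText size check of VIGILANCE-VUL-9629, as an added example that is not RealVNC source code: a simplified model of a signed length test next to a bounded, unsigned parser for the RFB ClientCutText message (type 6, 3 padding bytes, 32-bit big-endian length). The function names, the sample messages and the 256 KiB cap are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MSG_CLIENT_CUT_TEXT 6u
#define CUT_HDR 8u                   /* type(1) + padding(3) + length(4) */
#define MAX_CUT_TEXT (256u * 1024u)  /* assumed policy cap, not a RealVNC value */

/* Constructed sample messages (not captured traffic). */
const uint8_t SAMPLE_OK[]  = {6, 0, 0, 0, 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o'};
const uint8_t SAMPLE_NEG[] = {6, 0, 0, 0, 0xFF, 0xFF, 0xFF, 0xFF};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Model of the flaw: the length is held in a signed integer and only an
   upper bound is tested, so 0xFFFFFFFF (read as -1) is accepted. */
int signed_check_accepts(const uint8_t *msg, int32_t limit)
{
    int32_t len = (int32_t)be32(msg + 4);
    return len <= limit;
}

/* Hardened: unsigned length, explicit cap, no arithmetic that can wrap.
   Returns the text length, -1 to reject, -2 if more bytes are needed. */
long parse_client_cut_text(const uint8_t *msg, size_t avail)
{
    if (avail < CUT_HDR) return -2;
    if (msg[0] != MSG_CLIENT_CUT_TEXT) return -1;
    uint32_t len = be32(msg + 4);
    if (len > MAX_CUT_TEXT) return -1;      /* reject before any allocation */
    if (avail - CUT_HDR < len) return -2;   /* avail >= CUT_HDR, no underflow */
    return (long)len;
}

int main(void)
{
    printf("signed check accepts negative length: %d\n",
           signed_check_accepts(SAMPLE_NEG, (int32_t)MAX_CUT_TEXT));
    printf("hardened parser, negative length:     %ld\n",
           parse_client_cut_text(SAMPLE_NEG, sizeof SAMPLE_NEG));
    printf("hardened parser, valid message:       %ld\n",
           parse_client_cut_text(SAMPLE_OK, sizeof SAMPLE_OK));
    return 0;
}
```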

computer vulnerability announce CVE-2006-2369

RealVNC: bypassing authentication

Synthesis of the vulnerability

An attacker can use a modified VNC client in order to connect to RealVNC without authenticating.
Impacted products: Fedora, RealVNC.
Severity: 4/4.
Consequences: administrator access/rights.
Provenance: intranet client.
Creation date: 15/05/2006.
Identifiers: BID-17978, CVE-2006-2369, FEDORA-2006-557, FEDORA-2006-558, VIGILANCE-VUL-5837, VU#117929.

Description of the vulnerability

The authentication phase of a client connecting to a remote RealVNC administration server is:
 1. client connects
 2. server sends its version banner
 3. client sends its version banner
 4. server indicates the list of supported authentication types
 5. client chooses the number of an authentication type
 6. chosen authentication is done...

However, the server does not check whether the authentication type chosen by the client in step 5 was proposed in step 4. An attacker can therefore ask for authentication type 1, which corresponds to a null authentication. The server then accepts this authentication type and gives access to the client.

This vulnerability therefore permits an attacker to access the system without authentication.
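The missing server-side check described above, as an added example that is not RealVNC source code: a simplified model of dispatching the client's choice without consulting the advertised list, next to a handler that only accepts a type the server offered. The type numbers 1 (None) and 2 (VNC Authentication) come from the RFB protocol; the structure, function and state names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Security type numbers from the RFB protocol. */
enum { SEC_NONE = 1, SEC_VNC_AUTH = 2 };

/* Outcome of processing the client's one-byte choice (hypothetical names). */
enum next_step { NEED_MORE, REJECT, RUN_VNC_AUTH, SKIP_AUTH };

/* Types the server advertised to this connection in step 4. */
struct offer { uint8_t types[8]; size_t count; };

static enum next_step dispatch(uint8_t chosen)
{
    switch (chosen) {
    case SEC_NONE:     return SKIP_AUTH;
    case SEC_VNC_AUTH: return RUN_VNC_AUTH;
    default:           return REJECT;
    }
}

/* Model of the flaw: the choice is dispatched without consulting the offer. */
enum next_step handle_choice_unchecked(const struct offer *o,
                                       const uint8_t *buf, size_t len)
{
    (void)o;
    return len < 1 ? NEED_MORE : dispatch(buf[0]);
}

/* Hardened: the choice must be one of the advertised types. */
enum next_step handle_choice_checked(const struct offer *o,
                                     const uint8_t *buf, size_t len)
{
    if (len < 1) return NEED_MORE;
    for (size_t i = 0; i < o->count && i < sizeof o->types; i++)
        if (o->types[i] == buf[0])
            return dispatch(buf[0]);
    return REJECT;
}

/* Constructed scenario: a password-protected server offers only type 2. */
const struct offer PASSWORD_ONLY = { { SEC_VNC_AUTH }, 1 };
const uint8_t CHOICE_NONE[] = { SEC_NONE };
const uint8_t CHOICE_VNC[]  = { SEC_VNC_AUTH };

int main(void)
{
    printf("unchecked handler, type 1 requested: %d\n",
           handle_choice_unchecked(&PASSWORD_ONLY, CHOICE_NONE, 1));
    printf("checked handler, type 1 requested:   %d\n",
           handle_choice_checked(&PASSWORD_ONLY, CHOICE_NONE, 1));
    return 0;
}
```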

computer vulnerability note 4799

VNC: brute force attack

Synthesis of the vulnerability

The VNC product is not correctly protected against brute force attacks.
Impacted products: RealVNC.
Severity: 1/4.
Consequences: user access/rights.
Provenance: intranet client.
Creation date: 04/03/2005.
Identifiers: V6-REALVNCBRUTEFORCE, VIGILANCE-VUL-4799.

Description of the vulnerability

Brute force attacks consist in successively testing login and password pairs in order to access the system. In some cases, error messages tell the client whether one of the two elements is correct. In other cases, the number of failed authentications is not limited.

The new version of VNC improves the handling of brute force attacks. It can therefore be assumed that older versions were sensitive to such an attack, but its details are not known.

This vulnerability could allow an attacker to access the system.

computer vulnerability alert CVE-2004-1750

Denial of service of RealVNC

Synthesis of the vulnerability

An attacker can create several simultaneous connections in order to stop RealVNC.
Impacted products: RealVNC.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: intranet client.
Creation date: 09/11/2004.
Identifiers: BID-11048, CVE-2004-1750, V6-REALVNCSIMULCONNECTDOS, VIGILANCE-VUL-4506.

Description of the vulnerability

RealVNC listens on ports 5800/tcp and 5900/tcp.

When RealVNC receives about a hundred connections on these ports, it stops. The exact cause of the vulnerability is not known.

This vulnerability thus allows a network attacker to conduct a denial of service.