LibVNCServer
cpe:2.3:a:libvncserver_project:libvncserver:*:*:*:*:*:*:*
- <= 0.9.15
A heap out-of-bounds read vulnerability has been identified in LibVNCServer versions through 0.9.15, within the UltraZip encoding handler. This vulnerability allows a malicious VNC server to cause information disclosure or application crashes. The issue arises from improper bounds checking in the HandleUltraZipBPP() function, where manipulated subrectangle header counts can be used to read beyond the allocated heap buffer.
Exploitation of this vulnerability leads to heap out-of-bounds reads, allowing a malicious VNC server to cause a LibVNCClient-based viewer to read excessive amounts of heap memory, potentially disclosing sensitive information from adjacent allocations or causing a crash by accessing unmapped memory.
To reproduce this vulnerability, set up a malicious VNC server that advertises RFB protocol version 3.8 and offers no authentication. After a LibVNCClient-based viewer connects, send a FramebufferUpdate message with a rectangle that has an encoding of 0xFFFF0009 (UltraZip) and a manipulated subrectangle count. Follow this with an LZO-compressed payload that the client will decompress, triggering the out-of-bounds read.
Users can update to LibVNCServer versions after 0.9.15 to address this vulnerability.
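The root cause described above is a subrectangle count taken from the wire and trusted when indexing into the decompressed buffer. The following is an added illustration of the defensive pattern that closes that gap (validate the count against the buffer length before any access); it is not LibVNCServer's code, and the 8-byte header layout and field order are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed (constructed) subrectangle header layout for this example:
 * x, y, w, h as four 16-bit big-endian fields. Not the real UltraZip format. */
#define SUBRECT_HDR_LEN 8

/* Two constructed headers: (0,0,16x16) and (16,0,8x4). */
const uint8_t kSampleHeaders[2 * SUBRECT_HDR_LEN] = {
    0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x10,
    0x00, 0x10, 0x00, 0x00, 0x00, 0x08, 0x00, 0x04,
};

/* Walks `count` headers in the decompressed buffer `buf` of length `len`.
 * Returns the number of headers consumed, or -1 if the declared count does
 * not fit or a header is degenerate. The count is checked before any read,
 * so an attacker-controlled count cannot drive reads past the allocation. */
int parse_subrects(const uint8_t *buf, size_t len, uint32_t count) {
    if (buf == NULL) return -1;
    /* Division instead of count * SUBRECT_HDR_LEN avoids integer overflow. */
    if (count > len / SUBRECT_HDR_LEN) return -1;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *h = buf + (size_t)i * SUBRECT_HDR_LEN;
        uint16_t w = (uint16_t)((h[4] << 8) | h[5]);
        uint16_t hgt = (uint16_t)((h[6] << 8) | h[7]);
        if (w == 0 || hgt == 0) return -1; /* reject zero-sized rectangles */
    }
    return (int)count;
}

int main(void) {
    printf("declared 2: %d\n", parse_subrects(kSampleHeaders, sizeof kSampleHeaders, 2));
    printf("declared 3: %d\n", parse_subrects(kSampleHeaders, sizeof kSampleHeaders, 3));
    printf("declared 0xFFFFFFFF: %d\n",
           parse_subrects(kSampleHeaders, sizeof kSampleHeaders, 0xFFFFFFFFu));
    return 0;
}
```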