LibVNCServer
cpe:2.3:a:libvncserver_project:libvncserver:*:*:*:*:*:*:*
- <= 0.9.15
A null pointer dereference vulnerability has been identified in LibVNCServer versions through 0.9.15, within the HTTP proxy handling of the server's HTTP daemon. This vulnerability allows remote attackers to cause a denial of service by sending specially crafted HTTP requests. The issue arises from missing validation of the strchr() return values in the CONNECT and GET proxy handling paths, leading to null pointer dereferences that crash the server. This vulnerability is present when both the HTTP daemon and HTTP proxy features are enabled.
Exploitation of this vulnerability leads to a segmentation fault, causing the VNC server process to crash. This disruption can be repeated, effectively causing a denial of service.
To reproduce this vulnerability, start the VNC server with the '-httpd' option specifying a directory and the '-enablehttpproxy' option. Once the server is running, send a malformed HTTP CONNECT request that lacks a colon, or a GET request that omits a slash, to the server's HTTP port. The server crashes in response to either type of malformed request.
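The missing check described above, shown as an added example rather than LibVNCServer's own code: every strchr() result is tested before it is dereferenced, so a target without the expected delimiter is rejected instead of crashing the process. The function names and the assumed request-target shapes ("host:port" for CONNECT, "http://host/path" for GET) are hypothetical, and the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers for illustration; not LibVNCServer code.
 * Both split the string in place and return 0 on success, -1 if malformed.
 *
 * The unchecked pattern that crashes looks like:
 *     char *colon = strchr(target, ':');
 *     *colon = '\0';        // NULL dereference when ':' is absent
 */

/* CONNECT target, assumed form "host:port". */
int split_connect_target(char *target, char **host, char **port)
{
    char *colon = strchr(target, ':');
    if (colon == NULL || colon == target || colon[1] == '\0')
        return -1;            /* no colon, empty host, or empty port */
    *colon = '\0';
    *host = target;
    *port = colon + 1;
    return 0;
}

/* Proxy GET target, assumed form "http://host/path"; path is returned
 * without its leading slash. */
int split_get_target(char *url, char **host, char **path)
{
    static const char scheme[] = "http://";
    const size_t n = sizeof(scheme) - 1;
    char *slash;

    if (strncmp(url, scheme, n) != 0)
        return -1;            /* not an absolute http URL */
    slash = strchr(url + n, '/');
    if (slash == NULL || slash == url + n)
        return -1;            /* no slash after the host, or empty host */
    *slash = '\0';
    *host = url + n;
    *path = slash + 1;
    return 0;
}

int main(void)
{
    char bad[] = "example.test";           /* constructed: no colon */
    char *h = NULL, *p = NULL;
    printf("%d\n", split_connect_target(bad, &h, &p));   /* rejected */
    return 0;
}
```

A caller that receives -1 should answer with an HTTP error and close the connection rather than continue parsing.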
Users can upgrade to LibVNCServer versions through 0.9.15 to address this vulnerability.