VYPR
Unrated severity · OSV Advisory · Published Jan 30, 2019 · Updated Aug 5, 2024

CVE-2018-20748

Description

LibVNC before 0.9.12 contains multiple heap out-of-bounds write vulnerabilities in libvncclient/rfbproto.c. The fix for CVE-2018-20019 was incomplete.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

LibVNC before 0.9.12 has heap out-of-bounds writes in libvncclient/rfbproto.c due to an incomplete fix for CVE-2018-20019, allowing server-triggered memory corruption.

Vulnerability

LibVNC versions prior to 0.9.12 contain multiple heap out-of-bounds write vulnerabilities in libvncclient/rfbproto.c. The issues stem from incomplete fixes for CVE-2018-20019, where functions like ReadReason() and InitialiseRFBConnection() fail to properly validate lengths received from a malicious VNC server. Specifically, server-sent reason strings and desktop name lengths were not bounded, allowing arbitrarily large values to be used in memory allocation and subsequent writes, leading to heap corruption [1][2][3][4].

Exploitation

An attacker operating a malicious VNC server can exploit these vulnerabilities by sending oversized reason strings or desktop name lengths during the initial handshake or authentication phase. The vulnerable code does not verify the length against a safe maximum before using it in a memory allocation and then reading server-provided data into that buffer. No client authentication or special privileges are required; the attacker only needs to convince the client to connect to the malicious server [1][2][3][4].

Impact

Successful exploitation leads to heap-based out-of-bounds writes, potentially causing memory corruption. This can result in a denial of service (crash) or, in some cases, arbitrary code execution in the context of the VNC client application. The attacker does not need to be authenticated, and the vulnerability is accessible remotely over the network [1][2][3][4].

Mitigation

The issue is fixed in LibVNC version 0.9.12, released in early 2019. The fix introduces a size limit of 1 MB for reason strings and desktop name lengths, and properly validates the received lengths before allocation [1][3][4]. Users should upgrade to LibVNC 0.9.12 or later. For installations that cannot be upgraded, network-level protections, such as restricting VNC connections to trusted servers, can reduce risk, but no direct workaround is available [2].
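The bounded-length pattern described above, as an added example that is not LibVNC's own code: a client-side reader that rejects a peer-declared length above the 1 MB cap before allocating. The names `read_bounded_string`, `unchecked_alloc_size` and `MAX_STR_LEN`, and the message layout (4-byte big-endian length followed by the text), are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_STR_LEN (1u << 20)  /* 1 MB cap, the limit the advisory says 0.9.12 introduced */

/* Size an unchecked 32-bit "len + 1" (room for the NUL) would request.
 * For len == UINT32_MAX this wraps to 0 while the later read still uses len. */
static uint32_t unchecked_alloc_size(uint32_t len) { return len + 1u; }

/* Hypothetical bounded reader for a message laid out as
 * [4-byte big-endian length][length bytes of text].
 * Returns 0 and a NUL-terminated heap copy in *out, or -1 on rejection. */
static int read_bounded_string(const uint8_t *msg, size_t msg_len, char **out)
{
    uint32_t len;
    char *buf;

    *out = NULL;
    if (msg_len < 4)
        return -1;                      /* truncated header */
    len = ((uint32_t)msg[0] << 24) | ((uint32_t)msg[1] << 16) |
          ((uint32_t)msg[2] << 8)  |  (uint32_t)msg[3];
    if (len > MAX_STR_LEN)
        return -1;                      /* peer-declared length over the cap */
    if ((size_t)len > msg_len - 4)
        return -1;                      /* declared length exceeds bytes received */
    buf = malloc((size_t)len + 1);      /* size_t arithmetic; len <= 1 MB, no wrap */
    if (buf == NULL)
        return -1;
    memcpy(buf, msg + 4, len);
    buf[len] = '\0';
    *out = buf;
    return 0;
}

int main(void)
{
    /* Constructed sample messages, not captured traffic. */
    static const uint8_t ok[]   = {0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o'};
    static const uint8_t huge[] = {0xFF, 0xFF, 0xFF, 0xFF, 'x'};
    char *s = NULL;
    int a = read_bounded_string(ok, sizeof ok, &s);
    free(s);
    int b = read_bounded_string(huge, sizeof huge, &s);
    return (a == 0 && b == -1 && unchecked_alloc_size(UINT32_MAX) == 0) ? 0 : 1;
}
```

The cap is checked before any allocation, so the buffer size and the number of bytes copied always derive from the same validated value.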

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

23

References

12
