Unrated severity · OSV Advisory · Published Jan 30, 2019 · Updated Aug 5, 2024

CVE-2018-20750


Description

LibVNC through 0.9.12 contains a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2018-20750 is a heap out-of-bounds write in LibVNC's rfbProcessFileTransferReadBuffer() due to an incomplete fix for CVE-2018-15127, allowing remote attackers to crash or potentially execute code.

Vulnerability

CVE-2018-20750 is a heap out-of-bounds write vulnerability located in libvncserver/rfbserver.c of LibVNC through version 0.9.12. The bug exists in the function rfbProcessFileTransferReadBuffer(), which is invoked during file transfer operations. The issue arises because the previous fix for CVE-2018-15127 was incomplete; the code failed to properly validate the length parameter, allowing a value larger than INT_MAX to be used in subsequent operations, leading to an out-of-bounds write on the heap [1][2][3].

Exploitation

An attacker can exploit this vulnerability by sending a crafted file transfer request with an overly large length field. The attack requires network access as a VNC client to a LibVNC server that supports file transfers. No authentication is needed if the server allows unauthenticated connections. The attacker triggers the vulnerable code path by initiating a file transfer and setting the length to a value exceeding INT_MAX (0x7FFFFFFF). This causes rfbProcessFileTransferReadBuffer() to allocate insufficient memory and then write data beyond the allocated buffer [2][3].

Impact

Successful exploitation results in a heap out-of-bounds write, which can lead to a denial of service (crash) or potentially arbitrary code execution under the privileges of the VNC server process. The attacker may gain the ability to corrupt heap metadata or overwrite critical data structures, compromising the integrity and availability of the server [1][2].

Mitigation

The fix was implemented in commit 09e8fc02f59f16e2583b34fe1a270c238bd9ffec in the LibVNC repository, which adds a check that length is not greater than INT_MAX in addition to the pre-existing SIZE_MAX check [2]. Users should upgrade to a version containing this commit (later than 0.9.12) or apply the patch manually. As a workaround, disabling file transfer support on VNC servers reduces the attack surface until patching is possible [3].
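The check described above, as an added example that is not LibVNC's own code: it runs the pre-existing SIZE_MAX test and the combined SIZE_MAX/INT_MAX test over constructed length values. The function names are hypothetical, and the example assumes the length arrives as a 32-bit unsigned field that later reaches a 32-bit signed int parameter.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration; the function names are hypothetical, not LibVNC's. */

/* Pre-existing check: reject only a length equal to SIZE_MAX. */
static int ok_size_max_only(uint32_t length)
{
    return (size_t)length != SIZE_MAX;
}

/* Combined check: also reject any length greater than INT_MAX. */
static int ok_with_int_max(uint32_t length)
{
    return (size_t)length != SIZE_MAX && length <= (uint32_t)INT_MAX;
}

/* Assumption: the length later reaches a 32-bit signed int parameter.
 * Computed arithmetically so the result does not depend on
 * implementation-defined narrowing. */
static long long seen_as_int32(uint32_t length)
{
    return length > 0x7FFFFFFFu ? (long long)length - 4294967296LL
                                : (long long)length;
}

int main(void)
{
    /* Constructed sample lengths, not taken from any capture. */
    const uint32_t samples[] = { 0x10u, 0x7FFFFFFFu, 0x80000000u, 0xFFFFFFFFu };
    size_t i;

    printf("%-12s %-14s %-14s %s\n", "length", "SIZE_MAX only", "with INT_MAX", "as int32");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t len = samples[i];
        printf("0x%08lX   %-14s %-14s %lld\n", (unsigned long)len,
               ok_size_max_only(len) ? "accepted" : "rejected",
               ok_with_int_max(len) ? "accepted" : "rejected",
               seen_as_int32(len));
    }
    return 0;
}
```

On a platform with a 64-bit size_t, the SIZE_MAX-only check accepts every sample, because a 32-bit value can never equal SIZE_MAX there.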

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

23


References

10
