Unrated severity · NVD Advisory · Published Jun 17, 2020 · Updated Aug 5, 2024

CVE-2018-21247


Description

An issue was discovered in LibVNCServer before 0.9.13. There is an information leak (of uninitialized memory contents) in the libvncclient/rfbproto.c ConnectToRFBRepeater function.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

LibVNCServer before 0.9.13 leaks uninitialized memory contents via the ConnectToRFBRepeater function in libvncclient/rfbproto.c.

Vulnerability

An information disclosure vulnerability exists in LibVNCServer versions prior to 0.9.13. The issue resides in the ConnectToRFBRepeater function in libvncclient/rfbproto.c and also appears in the example file examples/repeater.c [1][4]. The function uses snprintf to write into a stack buffer, tmphost, then passes the whole buffer (sizeof(tmphost) bytes) to WriteToRFBServer, so the uninitialized bytes after the formatted string are sent as well [4]. This exposes heap or stack contents from the client application.
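The pattern described above next to one way to harden it, as an added example (not LibVNCServer's own code). The 250-byte field size, the `fake_send` stand-in for `WriteToRFBServer`, the sample host and port, and the `'S'` fill that models stale stack contents are all assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 250  /* assumption: fixed-size host field sent to the repeater */

/* Hypothetical stand-in for the network write: records what would be sent. */
static size_t fake_send(unsigned char *wire, const char *buf, size_t n) {
    memcpy(wire, buf, n);
    return n;
}

/* Vulnerable pattern: format into the buffer, then send the whole buffer. */
size_t send_host_leaky(unsigned char *wire, const char *host, int port) {
    char tmphost[FIELD_LEN];
    memset(tmphost, 'S', sizeof(tmphost)); /* constructed: models stale stack bytes */
    snprintf(tmphost, sizeof(tmphost), "%s:%d", host, port);
    return fake_send(wire, tmphost, sizeof(tmphost));
}

/* Hardened: zero the field first so the padding carries no stale data. */
size_t send_host_zeroed(unsigned char *wire, const char *host, int port) {
    char tmphost[FIELD_LEN];
    memset(tmphost, 'S', sizeof(tmphost)); /* same constructed starting state */
    memset(tmphost, 0, sizeof(tmphost));
    snprintf(tmphost, sizeof(tmphost), "%s:%d", host, port);
    return fake_send(wire, tmphost, sizeof(tmphost));
}

/* Count non-zero bytes after the string terminator: data that should not be there. */
size_t leaked_bytes(const unsigned char *wire, size_t n) {
    const unsigned char *nul = memchr(wire, 0, n);
    size_t end = nul ? (size_t)(nul - wire) : n, leaked = 0;
    for (size_t i = end; i < n; i++)
        if (wire[i] != 0) leaked++;
    return leaked;
}

int main(void) {
    unsigned char wire[FIELD_LEN];
    size_t n = send_host_leaky(wire, "10.0.0.5", 5900);
    printf("leaky:  %zu stale bytes on the wire\n", leaked_bytes(wire, n));
    n = send_host_zeroed(wire, "10.0.0.5", 5900);
    printf("zeroed: %zu stale bytes on the wire\n", leaked_bytes(wire, n));
    return 0;
}
```

The same `leaked_bytes` check works as a regression test for any code that sends a fixed-size, string-filled field: everything after the terminator should be zero.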

Exploitation

An attacker can exploit this by controlling a repeater server that triggers the vulnerable code path in a connecting VNC client. No authentication is required; the attacker only needs to act as the repeater endpoint. The client's ConnectToRFBRepeater call then sends the whole buffer, leaking uninitialized memory to the network [4]. The leaked data may contain sensitive information from the client process's memory.

Impact

Successful exploitation leads to information disclosure of uninitialized memory contents from the VNC client application. This could expose credentials, session keys, or other secrets present in the process address space at the time of the connection. The vulnerability does not directly allow code execution or privilege escalation, but the leaked data can be used for further attacks.

Mitigation

The fix was released in LibVNCServer version 0.9.13 [1]. Users should upgrade to this version or later. No known workaround is available for earlier versions. The vulnerability was reported by Pavel Cheremushkin of Kaspersky Lab ICS CERT [4].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

27


References

8
