Title: RealVNC Clipboard Update Integer Overflow Vulnerability
Severity: MODERATE
Description:
RealVNC (Virtual Network Computing) allows users to access remote computers for administration purposes.
An integer-overflow vulnerability exists in RealVNC. This issue is related to clipboard updates that occur during an authenticated session. The attack may be initiated by a malicious server or client.
The specific vulnerability affects the 'readClientCutText()' function in 'rfb/SmsgReader.cxx' and the 'readServerCutText()' function in 'rfb/CMsgReader.cxx'. These functions are responsible for managing clipboard updates in client and server connections, respectively. If an integer length of -1 is passed during a clipboard update, this will cause a 0-byte heap memory allocation in the application at the other side of the VNC session. This will in turn cause a 0 to be written to the memory location immediately before the 0-byte buffer, with the end result being a large 'memcpy()' operation to the 0-byte buffer.
The researcher who discovered this issue has stated that the vulnerability will result in a denial of service.
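The length arithmetic described above, next to a bounds-checked reader, as an added example that is not RealVNC's code. The 4-byte big-endian length field follows RFB's integer encoding; the function names and the MAX_CUT_TEXT cap are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Cap on clipboard text: a value chosen for this example. */
#define MAX_CUT_TEXT (256u * 1024u)

/* Bytes requested when the reader allocates len + 1 for a terminator. */
size_t naive_alloc_size(uint32_t wire_len)
{
    return (size_t)(uint32_t)(wire_len + 1u);   /* 0xFFFFFFFF + 1 wraps to 0 */
}

/* Index of the terminating 0 when the length is held in a signed int. */
long naive_terminator_index(uint32_t wire_len)
{
    return (long)(int32_t)wire_len;             /* 0xFFFFFFFF is -1 */
}

/* Hardened reader (hypothetical). msg holds a 4-byte big-endian length
 * followed by the text; avail is the number of bytes actually received.
 * Returns a NUL-terminated copy, or NULL if the length is out of bounds. */
char *read_cut_text_checked(const uint8_t *msg, size_t avail, uint32_t *out_len)
{
    if (avail < 4)
        return NULL;
    uint32_t len = ((uint32_t)msg[0] << 24) | ((uint32_t)msg[1] << 16) |
                   ((uint32_t)msg[2] << 8) | (uint32_t)msg[3];
    if (len > MAX_CUT_TEXT || len > avail - 4)  /* rejects -1 before allocating */
        return NULL;
    char *buf = malloc((size_t)len + 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, msg + 4, len);
    buf[len] = '\0';
    *out_len = len;
    return buf;
}

int main(void)
{
    const uint8_t bad[] = {0xff, 0xff, 0xff, 0xff};  /* constructed: length -1 */
    uint32_t n = 0;
    printf("naive: alloc %zu bytes, terminator at index %ld\n",
           naive_alloc_size(0xFFFFFFFFu), naive_terminator_index(0xFFFFFFFFu));
    printf("checked: %s\n",
           read_cut_text_checked(bad, sizeof bad, &n) ? "accepted" : "rejected");
    return 0;
}
```

Treating the length as unsigned and comparing it against both a fixed cap and the bytes actually received rejects the message before any allocation or copy takes place.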
Affected Products:
- RealVNC RealVNC 4.1.2
- RealVNC RealVNC Free Edition 4.1.2
References:
- Niall FitzGibbon <fitzgibbon@blueyonder.co.uk>: RealVNC 4.1.2 minor heap corruption/DoS vulnerability (authentication required)
- RealVNC: RealVNC Homepage