Juniper Networks

Signature Detail


Short Name: VNC:OVERFLOW:RSN-TOO-LONG
Severity: Major
Recommended: No
Recommended Action: Drop
Category: VNC
Release Date: 2003/04/22
Update Number: 1213
Supported Platforms: idp-4.0+, isg-3.0+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+

VNC: Reason Too Long


This protocol anomaly detects a VNC reason string whose length exceeds the user-defined maximum. A reason string contains the text that describes why a connection between a VNC server and client failed. The default reason string maximum is 512; you can change this setting under Sensor Settings Rulebase > Protocol Thresholds and Configuration > VNC > Reason string length.

Extended Description

Multiple VNC clients are prone to integer-overflow vulnerabilities because they fail to properly validate data supplied by the VNC server. An attacker can exploit these issues to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in denial-of-service conditions. The following are vulnerable to these issues:

  • UltraVNC prior to 1.0.5.4
  • TightVNC prior to 1.3.10

Other VNC applications may also be affected.
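The length check this signature describes, applied to the RFB failure message (a big-endian U32 reason-length followed by the reason string, per the RFB protocol specification listed under References). This is an added example, not Juniper's signature logic or any VNC project's code; `check_reason`, its verdict names and the sample bytes are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Verdicts for one server-to-client failure reason (names are hypothetical). */
enum reason_verdict { REASON_OK = 0, REASON_TRUNCATED, REASON_TOO_LONG };

#define DEFAULT_MAX_REASON 512u /* default maximum quoted on this page */

/* Read a big-endian U32, the byte order RFB uses on the wire. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * buf/len: received bytes starting at the U32 reason-length field.
 * On REASON_OK, *reason and *reason_len describe the string inside buf.
 */
enum reason_verdict check_reason(const uint8_t *buf, size_t len,
                                 uint32_t max_reason,
                                 const uint8_t **reason, uint32_t *reason_len) {
    if (len < 4)
        return REASON_TRUNCATED;      /* length field itself is incomplete */
    uint32_t n = be32(buf);
    /* Reject on the declared length before any arithmetic or allocation
     * uses it: in 32-bit arithmetic, n + 1 is 0 when n is 0xFFFFFFFF. */
    if (n > max_reason)
        return REASON_TOO_LONG;       /* the anomaly this signature reports */
    if ((size_t)n > len - 4)
        return REASON_TRUNCATED;      /* fewer bytes present than declared */
    *reason = buf + 4;
    *reason_len = n;
    return REASON_OK;
}

int main(void) {
    /* Constructed samples: a 3-byte reason, and a declared length of 0xFFFFFFFF. */
    const uint8_t fine[] = {0, 0, 0, 3, 'b', 'a', 'd'};
    const uint8_t huge[] = {0xFF, 0xFF, 0xFF, 0xFF};
    const uint8_t *r;
    uint32_t n;
    int v1 = check_reason(fine, sizeof fine, DEFAULT_MAX_REASON, &r, &n);
    int v2 = check_reason(huge, sizeof huge, DEFAULT_MAX_REASON, &r, &n);
    printf("fine=%d huge=%d\n", v1, v2);
    return 0;
}
```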

Affected Products

  • Nortel_networks self-service_media_processing_server
  • Nortel_networks self-service_mps_1000
  • Nortel_networks self-service_mps_500
  • Nortel_networks self-service_peri_application
  • Nortel_networks self-service_speech_server
  • Tightvnc tightvnc 1.2.0 .0
  • Tightvnc tightvnc 1.2.1
  • Tightvnc tightvnc 1.2.2
  • Tightvnc tightvnc 1.2.3
  • Tightvnc tightvnc 1.2.4
  • Tightvnc tightvnc 1.2.5
  • Tightvnc tightvnc 1.2.6
  • Tightvnc tightvnc 1.2.7
  • Tightvnc tightvnc 1.2.9
  • Tightvnc tightvnc 1.3.9
  • Ultravnc ultravnc 1.0.2
  • Ultravnc ultravnc 104 RC6
  • Ultravnc ultravnc 104 RC7
  • Ultravnc ultravnc 104 RC8
  • Ultravnc ultravnc 1.0.8.2

References

  • BugTraq: 33568
  • CVE: CVE-2009-0388
  • URL: http://www.realvnc.com/docs/rfbproto.pdf
  • URL: http://www.csd.uwo.ca/staff/magi/doc/vnc/rfbproto.pdf
  • URL: http://www.coresecurity.com/content/vnc-integer-overflows

Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.