CVE-2008-0610
published 2008-02-06

Priority: P263 · Severity: critical · CVSS 2.0 base score: 9.3 · Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Tags: EXPLOIT (public exploit available)
EPSS: 38.76% (98.4th percentile)
Stack-based buffer overflow in the ClientConnection::NegotiateProtocolVersion function in vncviewer/ClientConnection.cpp in vncviewer for UltraVNC 1.0.2 and 1.0.4 before 01252008, when in LISTENING mode or when using the DSM plugin, allows remote attackers to execute arbitrary code or cause a denial of service (crash) via a modified size value.

Affected (5 ranges)

Vendor     Product    Version range   Fixed in
ultravnc   ultravnc   -               -
ultravnc   ultravnc   -               -
ultravnc   ultravnc   -               -
ultravnc   ultravnc   -               -
ultravnc   ultravnc   -               -

Detection & IOCs (extracted from sources)

filename: vncviewer.exe
port: 5900
registry: 0x00421a61
bytes: \x52\x46\x42\x20\x30\x30\x33\x2e\x30\x31\x36\x0a
bytes: \xEB\x06 + 2 NOPs + [0x00421a61].pack('V')
  • Detect malicious VNC server responses with minor protocol version 14 or 16 (RFB 003.014 / RFB 003.016) followed by an oversized 32-bit length field exceeding 1024 bytes, targeting the client-side stack buffer overflow.
  • Flag TCP streams on port 5900 where the server banner matches 'RFB 003.016\n' (bytes 52 46 42 20 30 30 33 2e 30 31 36 0a) followed by a 4-byte big-endian length > 0x400 (1024).
  • Monitor for vncviewer.exe processes receiving inbound connections (LISTENING mode) on port 5900 where the server-side banner contains minor version 14 or 16 — the client is the victim in this reverse exploitation scenario.
  • The exploit payload is prepended with 1100 bytes of junk followed by the 4-byte marker \x00\x04\x00\x00; detecting this pattern in VNC traffic on port 5900 can identify exploitation attempts.
  • The ROP/return address gadget (0x00421a61) is specific to UltraVNC vncviewer.exe version 1.0.2 on Windows XP SP3; different builds or OS versions will require different offsets.
  • The vulnerability is triggered only when the malicious server advertises RFB minor protocol version 14 or 16; other minor versions do not reach the vulnerable code path.
  • The Metasploit module payload space is constrained to 500 bytes due to the stack buffer layout; shellcode exceeding this size will not fit reliably.
  • The exploit uses EXITFUNC=thread to avoid crashing the entire process on exit; defenders should note that the parent vncviewer.exe process may remain running after exploitation.