CVE-2008-0610
Published 2008-02-06
Priority P263 · critical · CVSS 2.0 base score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit available
EPSS: 38.76% (98.4th percentile)
Stack-based buffer overflow in the ClientConnection::NegotiateProtocolVersion function in vncviewer/ClientConnection.cpp in vncviewer for UltraVNC 1.0.2 and 1.0.4 before 01252008, when in LISTENING mode or when using the DSM plugin, allows remote attackers to execute arbitrary code or cause a denial of service (crash) via a modified size value.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ultravnc | ultravnc | — | — |
| ultravnc | ultravnc | — | — |
| ultravnc | ultravnc | — | — |
| ultravnc | ultravnc | — | — |
| ultravnc | ultravnc | — | — |
Detection & IOCs (extracted from sources)

Byte patterns:
- `\x52\x46\x42\x20\x30\x30\x33\x2e\x30\x31\x36\x0a` (the server banner "RFB 003.016\n")
- `\xEB\x06` + 2 NOPs + `[0x00421a61].pack('V')`

Detection notes:
- Detect malicious VNC server responses with minor protocol version 14 or 16 (RFB 003.014 / RFB 003.016) followed by an oversized 32-bit length field exceeding 1024 bytes, targeting the client-side stack buffer overflow.
- Flag TCP streams on port 5900 where the server banner matches 'RFB 003.016\n' (bytes 52 46 42 20 30 30 33 2e 30 31 36 0a) followed by a 4-byte big-endian length > 0x400 (1024).
- Monitor for vncviewer.exe processes receiving inbound connections (LISTENING mode) on port 5900 where the server-side banner contains minor version 14 or 16 — the client is the victim in this reverse exploitation scenario.
- The exploit payload is prepended with 1100 bytes of junk followed by the 4-byte marker \x00\x04\x00\x00; detecting this pattern in VNC traffic on port 5900 can identify exploitation attempts.

Notes:
- The ROP/return address gadget (0x00421a61) is specific to UltraVNC vncviewer.exe version 1.0.2 on Windows XP SP3; different builds or OS versions will require different offsets.
- The vulnerability is triggered only when the malicious server advertises RFB minor protocol version 14 or 16; other minor versions do not reach the vulnerable code path.
- The Metasploit module payload space is constrained to 500 bytes due to the stack buffer layout; shellcode exceeding this size will not fit reliably.
- The exploit uses EXITFUNC=thread to avoid crashing the entire process on exit; defenders should note that the parent vncviewer.exe process may remain running after exploitation.
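One way to implement the handshake check described in the detection notes above, as an added example in Python that is not part of this page's sources or of the Metasploit module: it parses the server's RFB banner, reads the 4-byte big-endian length that follows a minor-version 14 or 16 banner, and flags lengths larger than the client's 1024-byte stack buffer. The sample streams, verdict names and function names are constructed for this example.

```python
import struct
# Values from the detection notes on this page.
RFB_BANNER_LEN = 12          # "RFB xxx.yyy\n"
SUSPECT_MINORS = {14, 16}    # minor versions that reach the vulnerable read
STACK_BUF_SIZE = 0x400       # 1024-byte stack buffer in vncviewer

def parse_rfb_banner(data: bytes):
    """Return (major, minor) from an 'RFB xxx.yyy\\n' banner, else None."""
    if (len(data) < RFB_BANNER_LEN or data[:4] != b"RFB "
            or data[7:8] != b"." or data[11:12] != b"\n"):
        return None
    try:
        return int(data[4:7].decode("ascii")), int(data[8:11].decode("ascii"))
    except ValueError:            # non-digit or non-ASCII bytes in the version
        return None

def inspect_server_hello(data: bytes) -> dict:
    """Classify the first bytes a VNC server sends to a connecting client.
    Verdicts: 'not-rfb', 'benign', 'suspect-minor' (minor 14/16 but no
    length yet, or a length that fits the buffer), 'exploit-attempt'.
    """
    out = {"minor": None, "length": None, "verdict": "not-rfb"}
    parsed = parse_rfb_banner(data)
    if parsed is None:
        return out
    out["minor"] = parsed[1]
    out["verdict"] = "benign"
    if parsed[1] not in SUSPECT_MINORS:
        return out
    out["verdict"] = "suspect-minor"
    if len(data) >= RFB_BANNER_LEN + 4:
        # The 4-byte big-endian length the vulnerable client trusts for its next read.
        (length,) = struct.unpack(">I", data[RFB_BANNER_LEN:RFB_BANNER_LEN + 4])
        out["length"] = length
        if length > STACK_BUF_SIZE:
            out["verdict"] = "exploit-attempt"
    return out

# Constructed sample streams (server -> client), not captured traffic.
SAMPLES = {
    "standard":  b"RFB 003.008\n" + b"\x01\x02",                        # ordinary RFB 3.8 hello
    "oversized": b"RFB 003.016\n" + struct.pack(">I", 1100) + b"A" * 8,  # 1100 > 1024
    "in_bounds": b"RFB 003.014\n" + struct.pack(">I", 256),              # minor 14, fits
    "junk":      b"HTTP/1.1 200 OK\r\n",
}

def scan_samples(samples=SAMPLES) -> dict:
    return {name: inspect_server_hello(data)["verdict"] for name, data in samples.items()}
```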
GHSA entry GHSA-fggx-77cq-hgm9 (unreviewed, 2022-05-17) · CVE-2008-5001 · CRITICAL · CWE-119 · CVSS 9.3
Multiple stack-based buffer overflows in multiple functions in vncviewer/FileTransfer
Multiple stack-based buffer overflows in multiple functions in vncviewer/FileTransfer.cpp in vncviewer for UltraVNC 1.0.2 and 1.0.4 before 01252008, when in LISTENING mode or when using the DSM plugin, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified parameters, a different issue than CVE-2008-0610.
GHSA entry GHSA-vm88-xwrf-p2q7 (unreviewed, 2022-05-01) · CVE-2008-0610 · HIGH · CWE-119
Stack-based buffer overflow in the ClientConnection::NegotiateProtocolVersion function in vncviewer/ClientConnection
No detection rules found.
Exploit-DB entry (2012-03-26) · CVE-2008-0610
UltraVNC 1.0.2 Client - 'vncviewer.exe' Remote Buffer Overflow (Metasploit)
Module source excerpt:

```ruby
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
class Metasploit3 < Msf::Exploit::Remote
  # ... (module preamble not included in the indexed excerpt)
      'Name'        => 'UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow',
      'Description' => %q{
        This module exploits a buffer overflow in UltraVNC Viewer 1.0.2 Release.
        If a malicious server responds to a client connection indicating a minor
        protocol version of 14 or 16, a 32-bit integer is subsequently read from
        the TCP stream by the client and directly provided as the trusted size for
        further reading from the TCP stream into a 1024-byte character array on
        the stack.
```
Metasploit module: UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow
This module exploits a buffer overflow in UltraVNC Viewer 1.0.2 Release. If a malicious server responds to a client connection indicating a minor protocol version of 14 or 16, a 32-bit integer is subsequently read from the TCP stream by the client and directly provided as the trusted size for further reading from the TCP stream into a 1024-byte character array on the stack.
No writeups or analysis indexed.
References:
- http://forum.ultravnc.info/viewtopic.php?t=11850
- http://secunia.com/advisories/28747
- http://sourceforge.net/project/shownotes.php?release_id=571174&group_id=63887
- http://ultravnc.svn.sourceforge.net/viewvc/ultravnc/UltraVNC%20Project%20Root/UltraVNC/vncviewer/ClientConnection.cpp?sortby=date&r1=169&r2=168&pathrev=169
- http://www.exploit-db.com/exploits/18666
- http://www.kb.cert.org/vuls/id/721460
- http://www.securityfocus.com/bid/27561
- http://www.securitytracker.com/id?1019293
- http://www.vupen.com/english/advisories/2008/0392