In September 2019, security researchers discovered a serious heap buffer overflow bug in LibVNCServer, a widely-used open-source Virtual Network Computing (VNC) library. The vulnerability, tracked as CVE-2019-15690, affects LibVNCServer version .9.12 and earlier, specifically within the HandleCursorShape() function in libvncclient/cursor.c.

What makes this vulnerability particularly dangerous is that it allows a remote attacker to run their own arbitrary code on the target machine — just by sending a crafted cursor shape packet to a VNC client using the vulnerable library.

This article explains how the vulnerability works, provides a code walkthrough, links to original advisories, and discusses real-world exploitation.

What Is LibVNCServer?

LibVNCServer is a C library that simplifies creating VNC servers and clients, used in remote desktop tools, IoT devices, and embedded systems. Any software using versions prior to .9.13 is potentially at risk if it handles cursor shapes from untrusted servers.

Vulnerability Details: HandleCursorShape() Heap Overflow

The vulnerable function is HandleCursorShape() in libvncclient/cursor.c. This function is responsible for processing “cursor shape” frames (messages) that the VNC server sends to the client, so the client can display the correct mouse cursor image.

The key flaw: It allocates memory for the cursor without correctly checking the size fields provided by the server. A remote attacker can send a packet with huge or inconsistent width/height values, causing memory copying operations to overwrite heap memory.

Below is a simplified version (based on the code before patch) that shows the core problem

/* cursor.c: HandleCursorShape */
int HandleCursorShape(rfbClient* client, int xhot, int yhot, int width, int height) {
    int bytesPerPixel = (client->format.bitsPerPixel + 7) / 8;
    int bytesInCursor = width * height * bytesPerPixel;
    char *cursorData;

    cursorData = (char *)malloc(bytesInCursor);
    if (!cursorData) {
        // handle erro
        return -1;
    }
    /* Read cursor pixel data from the server */
    memcpy(cursorData, serverCursorBuffer, bytesInCursor);  // Dangerous!

    /* ... */
}

width and height are values sent by the *attacker-controlled* server.

- If the server sends huge values, bytesInCursor becomes large, and malloc allocates (or fails to allocate) a huge buffer.
- However, the input buffer (serverCursorBuffer) may be smaller, so the memcpy() can read or write out-of-bounds memory — causing a heap buffer overflow.

Client overflows the heap while copying data in HandleCursorShape().

4. Attacker achieves remote code execution, depending on heap state and further exploitation steps (e.g., heap spraying, ROP).

Here’s a conceptual outline (Python pseudo-code)

import struct
import socket

# Start a simple VNC server that delivers a malicious cursor shape
S = socket.socket()
S.bind(('...', 590))
S.listen(1)
conn, addr = S.accept()

# ... (VNC handshake, not shown)

# Craft a framebuffer update with a fake cursor shape
width, height = x10000, x10  # Huge width
bytesPerPixel = 4
cursor_pixels = b"A" * (width * height * bytesPerPixel)  # Fill with data

msg = struct.pack('<HH', width, height) + cursor_pixels

# Send the malicious message
conn.sendall(msg)

Note: This is for educational testing only! Never target unauthorized systems.

- GitHub LibVNCServer Security Advisories
- CVE-2019-15690 on NIST NVD
- Upstream Patch (commit)

How did they fix it?

The patch added strict validation of the width and height fields, ensuring they do not exceed expected maximum values and that all memory uses are safe.

If you use LibVNCServer:

Conclusion

*CVE-2019-15690* shows how even subtle mistakes (like forgetting to check a math calculation) can turn into critical vulnerabilities, especially in software that handles untrusted input over the network. If you are developing or maintaining software that uses LibVNCServer/libvncclient, double-check your dependencies — and always validate input lengths, especially when memory allocation is involved.

Additional Resources

- Official Release Notes
- Common Exploitation Techniques for Heap Overflow

If you found this post helpful, share it with your team and make sure your remote desktop tools are up to date — before the attackers get there first!

Timeline

Published on: 01/24/2025 18:15:27 UTC