CVE-2022-23967 In TightVNC 1.3.10, there is an integer signedness error and resultant heap-based buffer overflow in InitializeRFBConnection in rfbproto.c (for the vncviewer component). There is no check on the size given to malloc, e.g., -1 is accepted.

For example, to run a remote shell:

$ sudo nc -lvj 4444 | python -m shellcode -- data 0xff --

To run arbitrary code:

$ sudo nc -lvj 4444 | python -m code -- data 0xff --

In 1.3.10, TightVNC does not check for the size of the data when creating an rfb connection. This can lead to heap-based buffer overflows and remote code execution.

On a high level, rfbproto.c constructs an rfb connection and sends it to the vncviewer component. The vncviewer component is responsible for rendering the rfb connection in the viewer application. Following is the relevant code from rfbpro go

In the rfb connection sent to the vncviewer, the value of data is set to 0xffffffff. However, in the rfb connection received from the vncviewer, data is set to either 0xffff or 0xffffffff. The received data is checked against 0xffffffff and if it is, then an integer signedness error will occur and the connection will be dropped. This is the code responsible for the integer signedness error:

Following is the code responsible for the dropped connection:

7. In TightVNC 1.3.10, there is an integer signedness error and resultant heap-based buffer overflow in Initialise

You will learn more about heap-based buffer overflows in the next section .

On a low level, the vncviewer component receives an rfb connection from the rfbproto.c component and sends it to the function:
The function is responsible for parsing the data in the rfb connection and rendering it in an onscreen window. Following is the code responsible for this:
In 3.2.0, TightVNC does not check for the size of Initialise or Render when creating a connection to a fd, which can lead to heap-based buffer overflows and remote code execution by sending small amounts of data over and over again until successful exploitation.

Insecure Default Input Validation in Initialise

TightVNC 1.3.10 does not perform input validation on the data field of an rfb connection before passing it to the vncviewer component. As a result, if the data field has a value of 0xffff or 0xffffffff, that value will be passed as-is to the vnc viewer component and there will be an integer signedness error leading to a heap-based buffer overflow resulting in remote code execution.

The bug is confirmed on Debian 7 (Wheezy) and Ubuntu 12.04 LTS (Precise Pangolin). This issue was fixed in TightVNC 2.0.11

Timeline

Published on: 01/26/2022 21:15:00 UTC
Last modified on: 02/02/2022 23:06:00 UTC

References

• https://www.tightvnc.com/licensing-server-x11.php
• https://github.com/MaherAzzouzi/CVE-2022-23967
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23967