Vigil@nce: QEMU, two vulnerabilities of VNC
October 2009 by Vigil@nce
An attacker can use VNC in order to generate a denial of service
or to execute code via QEMU.
Severity: 1/4
Consequences: administrator access/rights, privileged
access/rights, user access/rights, denial of service of computer,
denial of service of service
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: low (1/3)
Number of vulnerabilities in this bulletin: 2
Creation date: 16/10/2009
IMPACTED PRODUCTS
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The QEMU emulator can be used to run virtual machines on a host
system. The -vnc option is used to remotely administer guest
systems from a VNC client. This VNC implementation is impacted by
two vulnerabilities.
When an input/output error occurs, the vnc_client_io_error()
function frees the VncState structure. However, it is freed again
later (a double free). This leads to memory corruption. [grav:1/4; 501131]
When the client generates an error, the vnc_client_error()
function frees the vs structure. However, it is used later (a use
after free). This leads to memory corruption or to a read error. [grav:1/4; 505641]
Those vulnerabilities can be exploited in two different ways.
First, an attacker with administrative privileges can use a VNC
client to connect to a guest system. Similarly, an attacker located
in a guest system can send malicious data to the VNC client.
An attacker can therefore use VNC in order to generate a denial of
service or to execute code via QEMU.
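As an added illustration, not QEMU's own code, the following C model shows the ownership discipline that prevents the double free and use-after-free described above: the I/O-error path only marks the client state for disconnection, and a single owner-side cleanup frees it exactly once, no matter how many times it is reached. Only vnc_client_io_error()'s signature and the VncState name come from the advisory; vnc_client_io_error_safe(), vnc_disconnect_finish(), simulate_read_error() and the struct fields are assumptions.

```c
#include <errno.h>
#include <stdlib.h>

typedef struct VncState {
    int csock;          /* client socket; -1 once disconnect has started */
    int disconnecting;  /* set by the error path, consumed once by cleanup */
    char *output;       /* hypothetical pending output buffer */
} VncState;

/* Hardened I/O-error path (hypothetical name): it never calls free().
 * It only closes the socket and marks the state, so a caller cannot
 * free or dereference an already-released VncState. */
int vnc_client_io_error_safe(VncState *vs, int ret, int last_errno)
{
    if (ret == 0 || (ret < 0 && last_errno != EINTR && last_errno != EAGAIN)) {
        vs->csock = -1;
        vs->disconnecting = 1;
        return 0;       /* tell the caller to stop doing I/O on this client */
    }
    return ret;
}

/* Single owner-side deallocation point (hypothetical name), run after the
 * callback chain has unwound. Idempotent: returns 1 if it freed, else 0. */
int vnc_disconnect_finish(VncState **vsp)
{
    VncState *vs = *vsp;
    if (vs == NULL || !vs->disconnecting)
        return 0;
    free(vs->output);
    free(vs);
    *vsp = NULL;        /* no dangling pointer survives for later reuse */
    return 1;
}

/* Drive one read callback on a constructed client whose recv() returned
 * `ret` with errno `err`; reports how many times the state was freed. */
int simulate_read_error(int ret, int err, int *freed_count)
{
    VncState *vs = calloc(1, sizeof *vs);
    vs->csock = 7;
    vs->output = calloc(16, 1);
    int r = vnc_client_io_error_safe(vs, ret, err);
    /* Cleanup runs twice on purpose: the second call must be a no-op. */
    *freed_count = vnc_disconnect_finish(&vs) + vnc_disconnect_finish(&vs);
    if (vs) { free(vs->output); free(vs); }  /* client survived; tear down */
    return r;
}
```

A real fatal socket error or EOF frees the state once even though cleanup is invoked twice, while a transient EAGAIN leaves the client alive and untouched.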
CHARACTERISTICS
Identifiers: 501131, 505641, VIGILANCE-VUL-9099
http://vigilance.fr/vulnerability/QEMU-two-vulnerabilities-of-VNC-9099