Vigil@nce: QEMU, two vulnerabilities of VNC

October 2009 by Vigil@nce

An attacker can use VNC in order to generate a denial of service
or to execute code via QEMU.

Severity: 1/4

Consequences: administrator access/rights, privileged
access/rights, user access/rights, denial of service of computer,
denial of service of service

Provenance: user shell

Means of attack: no proof of concept, no attack

Ability of attacker: expert (4/4)

Confidence: confirmed by the editor (5/5)

Diffusion of the vulnerable configuration: low (1/3)

Number of vulnerabilities in this bulletin: 2

Creation date: 16/10/2009

IMPACTED PRODUCTS

 Unix - platform

DESCRIPTION OF THE VULNERABILITY

The QEMU emulator can be used to run virtual machines on a host
system. The -vnc option is used to remotely administer guest
systems from a VNC client. This VNC implementation is impacted by
two vulnerabilities.

When an input/output error occurs, the vnc_client_io_error()
function frees the VncState structure. However, it is freed again
later (double free). This leads to memory corruption.
[grav:1/4; 501131]

When the client generates an error, the vnc_client_error()
function frees the vs structure. However, it is used later (use
after free). This leads to memory corruption or to a read error.
[grav:1/4; 505641]

These vulnerabilities can be exploited in two different ways.
First, an attacker with admin privileges can use a VNC client to
connect to a guest system. Similarly, an attacker located in a
guest system can send malicious data to the VNC client.

An attacker can therefore use VNC in order to generate a denial of
service or to execute code via QEMU.
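
Both flaws described above come from an error handler releasing
per-client state that its callers still reference. The C code below
is an added example, not QEMU's code: it contrasts that pattern with
a deferred-release design where the error path only marks the
connection dead and one owner frees it. The Client structure and the
client_new, io_error, client_read and client_reap names are
hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-client state for illustration; not QEMU's VncState. */
typedef struct Client {
    int sock;               /* -1 once the connection is marked dead */
    size_t in_len;          /* bytes buffered so far */
    unsigned char in[64];
} Client;
int live_clients;           /* allocations not yet released */

Client *client_new(int sock) {
    Client *c = calloc(1, sizeof *c);
    if (c) { c->sock = sock; live_clients++; }
    return c;
}

/* Flawed pattern (for contrast, never called): frees state callers still hold. */
void io_error_flawed(Client *c) { free(c); }
/* Hardened: the error path only marks the client dead; memory stays valid. */
void io_error(Client *c) { c->sock = -1; }

/* Read handler. ret <= 0 models a failed recv(). Returns bytes stored or -1. */
long client_read(Client *c, const unsigned char *data, long ret) {
    if (c->sock < 0) return -1;                    /* dead: touch nothing */
    if (ret <= 0 || (size_t)ret > sizeof c->in - c->in_len) {
        io_error(c);                               /* c is still allocated */
        return -1;
    }
    memcpy(c->in + c->in_len, data, (size_t)ret);
    c->in_len += (size_t)ret;
    return ret;
}

/* Single release point for the owner; clears its pointer so a repeat is a no-op. */
int client_reap(Client **pc) {
    Client *c = *pc;
    if (!c || c->sock >= 0) return 0;              /* nothing to release */
    free(c);
    *pc = NULL;
    live_clients--;
    return 1;
}

int main(void) {
    Client *c = client_new(3);
    if (c) client_read(c, NULL, 0);                /* simulated I/O error */
    return client_reap(&c) == 1 && client_reap(&c) == 0 ? 0 : 1;
}
```

Building with -fsanitize=address and swapping io_error_flawed() in
for io_error() makes the sanitizer report the later access or second
free, which is a practical way to catch this class of bug in testing.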

CHARACTERISTICS

Identifiers: 501131, 505641, VIGILANCE-VUL-9099

http://vigilance.fr/vulnerability/QEMU-two-vulnerabilities-of-VNC-9099

