CVE-2008-0610

UltraVNC 1.0.2 and 1.0.4 - Stack-based Buffer Overflow in ClientConnection::NegotiateProtocolVersion

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2008-0610. PoCs published by Metasploit, including Metasploit module exploits/windows/vnc/ultravnc_viewer_bof.

AI-analyzed exploit summary This exploit targets a buffer overflow in UltraVNC Viewer 1.0.2 by sending a maliciously crafted response to a client connection, leveraging a trusted size integer to overflow a stack-based buffer. It achieves remote code execution by overwriting the return address with a pop/pop/ret gadget.

Description

Stack-based buffer overflow in the ClientConnection::NegotiateProtocolVersion function in vncviewer/ClientConnection.cpp in vncviewer for UltraVNC 1.0.2 and 1.0.4 before 01252008, when in LISTENING mode or when using the DSM plugin, allows remote attackers to execute arbitrary code or cause a denial of service (crash) via a modified size value.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/18666

This exploit targets a buffer overflow in UltraVNC Viewer 1.0.2 by sending a maliciously crafted response to a client connection, leveraging a trusted size integer to overflow a stack-based buffer. It achieves remote code execution by overwriting the return address with a pop/pop/ret gadget.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: UltraVNC Viewer 1.0.2
No auth needed
Prerequisites: Network access to the target's VNC port (5900 by default) · Target must initiate a connection to the malicious server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC NORMAL
rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/vnc/ultravnc_viewer_bof.rb

This Metasploit module exploits a buffer overflow in UltraVNC Viewer 1.0.2 by sending a maliciously crafted response to a client connection, triggering a stack-based overflow when the client reads a trusted size into a fixed-length buffer. The exploit leverages a specific minor protocol version (14 or 16) to bypass checks and execute arbitrary payloads.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: UltraVNC Viewer 1.0.2
No auth needed
Prerequisites: Network access to the target · Target must initiate a connection to the malicious server
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (9)

Core 9
Core References
Exploit, Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/27561
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/721460
Patch, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/28747
Various Sources x_refsource_confirm
http://forum.ultravnc.info/viewtopic.php?t=11850
Exploit, Third Party Advisory exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/18666
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1019293
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2008/0392

Scores

EPSS 0.3876
EPSS Percentile 98.4%

Details

CWE
CWE-119
Status published
Products (5)
ultravnc/ultravnc 1.0.2
ultravnc/ultravnc 1.0.4
ultravnc/ultravnc 1.0.4_rc6
ultravnc/ultravnc 1.0.4_rc7
ultravnc/ultravnc 1.0.4_rc8
Published Feb 06, 2008
Tracked Since Feb 18, 2026