mailing list archives
[CORE SDI ADVISORY] WinVNC server buffer overflow
From: Iván Arce <core.lists.bugtraq () CORE-SDI COM>
Date: Mon, 29 Jan 2001 19:11:30 -0300
Vulnerability report for server overflow in ATT VNC for Windows
Date Published: 2001-01-29
Advisory ID: CORE-2001011502
Bugtraq ID: 2306
CVE CAN: None currently assigned.
Title; ATT VNC Windows Server Buffer Overflow
Class: Boundary Error Condition (Buffer Overflow)
Remotely Exploitable: yes
Locally Exploitable: yes
Release Mode: USER RELEASE
As stated in the VNC home page ( http://www.uk.research.att.com/vnc/ ):
"VNC stands for Virtual Network Computing. It is, in essence, a
remote display system which allows you to view a computing 'desktop'
environment not only on the machine where it is running, but from anywhere
on the Internet and from a wide variety of machine architectures"
The ATT VNC server for windows ships with a remotely and locally
buffer overflow if it is configured with a certain debug level.
By providing a specially crafted HTTP request an attacker has the ability
obtain access to the VNC server and execute arbitrary commands with the
privileges of the user running the server.
VNC version 3.3.3r7 for Windows.
Contact vendor for an appropriate fix.
In the meantime apply this patch while inside the vnc_winsrc/winvnc
--- Log.cpp Mon Jan 15 18:17:46 2001
+++ Log.cpp Mon Jan 15 18:18:31 2001
@@ -130,7 +130,7 @@
// - Write the log message
- vsprintf(line, format, ap);
+ _vsnprintf(line, sizeof(line)-sizeof(TCHAR), format, ap);
This patch can also be downloaded from:
Vendor notified on: 2001-01-15
This vulnerability was found by Emiliano Kargieman, Agustin Azubel
and Maximiliano Caceres from Core SDI, http://www.core-sdi.com
This advisory was drafted with the help of the SecurityFocus.com
Vulnerability Help Team. For more information or assistance drafting
advisories please mail vulnhelp () securityfocus com
This and other CORE SDI security advisories are available at
Buffer overflows in WinVNC server:
The following vulnerability depends on having the registry key 'DebugLevel'
with a value greater than 0, and the ability to send the right shellcode.
The VNC server listens on the network for incoming HTTP requests.
In the file vncHTTPConnect.cpp, method vncHTTPConnectThread::DoHTTP, data
read from the network is parsed using sscanf( x, "GET %s", s ) into a
with 1024 bytes of length.
The request is logged issuing a call to Log::Print() with the following
string: "vncHTTPConnect.cpp : " + s + " file requested\n".
In turn, Log::Print() (in Log.h) calls the private method ReallyPrint()
(in Log.cpp) which calls in turn vsprintf(3) with a local buffer of fixed
length (1024 bytes). Since the length of the string might be as long as
1024 + 38 = 1062 bytes, the saved return address in the stack can be
overwritten, allowing the attacker to execute arbitrary code with the
privileges of the account running the VNC server.
The content of this advisory are copyright (c) 2000 CORE SDI Inc.
and may be distributed freely provided that no fee is charged for this
distribution and proper credit is given.
$Id: VNC-serverbo-advisory.txt,v 1.9 2001/01/29 21:26:45 iarce Exp $
"Understanding. A cerebral secretion that enables one having it to know
a house from a horse by the roof on the house,
Its nature and laws have been exhaustively expounded by Locke,
who rode a house, and Kant, who lived in a horse." - Ambrose Bierce
==================[ CORE Seguridad de la Informacion S.A. ]=========
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
email : iarce () core-sdi com
Florida 141 2do cuerpo Piso 7
C1005AAG Buenos Aires, Argentina.
Tel/Fax : +(54-11) 4331-5402
--- For a personal reply use iarce () core-sdi com
- [CORE SDI ADVISORY] WinVNC server buffer overflow Iván Arce (Jan 30)