Date Published: 2001-01-29
Advisory ID: CORE-2001011502
Bugtraq ID: 2306
CVE Name: CAN-2001-0168
Title: ATT VNC Windows Server Buffer Overflow
Class: Boundary Error Condition (Buffer Overflow)
Remotely Exploitable: yes
Locally Exploitable: yes
Release Mode: USER RELEASE
As stated in the VNC home page ( http://www.uk.research.att.com/vnc/ ):
"VNC stands for Virtual Network Computing. It is, in essence, a remote display system which allows you to view a computing 'desktop' environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures"
The ATT VNC server for windows ships with a remotely and locally exploitable buffer overflow if it is configured with a certain debug level.
By providing a specially crafted HTTP request an attacker has the ability to obtain access to the VNC server and execute arbitrary commands with the privileges of the user running the server.
VNC version 3.3.3r7 for Windows.
Contact vendor for an appropriate fix.
In the meantime apply this patch while inside the vnc_winsrc/winvnc directory:
--- Log.cpp Mon Jan 15 18:17:46 2001
+++ Log.cpp Mon Jan 15 18:18:31 2001
@@ -130,7 +130,7 @@
// - Write the log message
- vsprintf(line, format, ap);
+ _vsnprintf(line, sizeof(line)-sizeof(TCHAR), format, ap);
Vendor notified on: 2001-01-15
This vulnerability was found by Emiliano Kargieman, Agustin Azubel and Maximiliano Cáceres from Core SDI.
This advisory was drafted with the help of the SecurityFocus.com Vulnerability Help Team. For more information or assistance drafting advisories please mail email@example.com
Buffer overflows in WinVNC server:
The following vulnerability depends on having the registry key 'DebugLevel' with a value greater than 0, and the ability to send the right shellcode.
The VNC server listens on the network for incoming HTTP requests.
In the file vncHTTPConnect.cpp, method vncHTTPConnectThread::DoHTTP, data read from the network is parsed using sscanf( x, "GET %s", s ) into a buffer with 1024 bytes of length.
The request is logged issuing a call to Log::Print() with the following string: "vncHTTPConnect.cpp : " + s + " file requested
In turn, Log::Print() (in Log.h) calls the private method ReallyPrint() (in Log.cpp) which calls in turn vsprintf(3) with a local buffer of fixed length (1024 bytes). Since the length of the string might be as long as 1024 + 38 = 1062 bytes, the saved return address in the stack can be overwritten, allowing the attacker to execute arbitrary code with the privileges of the account running the VNC server.
The content of this advisory are copyright (c) 2001 CORE SDI Inc. and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.