Vulnerability Report for Server Overflow in ATT VNC for Windows

Advisory ID Internal
CORE-21011502

Bugtraq ID: 2306

CVE Name: CAN-2001-0168

Title: ATT VNC Windows Server Buffer Overflow

Class: Boundary Error Condition (Buffer Overflow)

Remotely Exploitable: yes

Locally Exploitable: yes

Release Mode: USER RELEASE


Vulnerability Description:

As stated in the VNC home page ( http://www.uk.research.att.com/vnc/ ):

"VNC stands for Virtual Network Computing. It is, in essence, a remote display system which allows you to view a computing 'desktop' environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures"

The ATT VNC server for windows ships with a remotely and locally exploitable buffer overflow if it is configured with a certain debug level.
By providing a specially crafted HTTP request an attacker has the ability to obtain access to the VNC server and execute arbitrary commands with the privileges of the user running the server.

Vulnerable Packages/Systems:

VNC version 3.3.3r7 for Windows.

Solution/Vendor Information/Workaround:

Contact vendor for an appropriate fix.

In the meantime apply this patch while inside the vnc_winsrc/winvnc directory:

--- Log.cpp Mon Jan 15 18:17:46 2001
+++ Log.cpp Mon Jan 15 18:18:31 2001
@@ -130,7 +130,7 @@
// - Write the log message
TCHAR line[LINE_BUFFER_SIZE];
- vsprintf(line, format, ap);
+ _vsnprintf(line, sizeof(line)-sizeof(TCHAR), format, ap);
ReallyPrintLine(line);
}

Vendor notified on: 2001-01-15

Credits:

This vulnerability was found by Emiliano Kargieman, Agustin Azubel and Maximiliano Cáceres from Core SDI.
This advisory was drafted with the help of the SecurityFocus.com Vulnerability Help Team. For more information or assistance drafting advisories please mail [email protected]

 

Technical Description:

Buffer overflows in WinVNC server:

The following vulnerability depends on having the registry key 'DebugLevel' with a value greater than 0, and the ability to send the right shellcode.
The VNC server listens on the network for incoming HTTP requests.
In the file vncHTTPConnect.cpp, method vncHTTPConnectThread::DoHTTP, data read from the network is parsed using sscanf( x, "GET %s", s ) into a buffer with 1024 bytes of length.
The request is logged issuing a call to Log::Print() with the following string: "vncHTTPConnect.cpp : " + s + " file requested
".
In turn, Log::Print() (in Log.h) calls the private method ReallyPrint() (in Log.cpp) which calls in turn vsprintf(3) with a local buffer of fixed length (1024 bytes). Since the length of the string might be as long as 1024 + 38 = 1062 bytes, the saved return address in the stack can be overwritten, allowing the attacker to execute arbitrary code with the privileges of the account running the VNC server.

DISCLAIMER:
The content of this advisory are copyright (c) 2001 CORE SDI Inc. and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.