Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

[CORE SDI ADVISORY] WinVNC client buffer overflow

From: Iván Arce <core.lists.bugtraq () CORE-SDI COM>
Date: Mon, 29 Jan 2001 19:04:59 -0300
                               CORE SDI
                        http://www.core-sdi.com

 Vulnerability report for buffer overflow in ATT WinVNC client



Date Published: 2001-01-29

Advisory ID: CORE-2001011503

Bugtraq ID: 2305

CVE CAN: None currently assigned.

Title; ATT VNC Windows Client Buffer Overflow

Class: Boundary Error Condition (Buffer Overflow)

Remotely Exploitable: yes

Locally Exploitable: yes

Release Mode: USER RELEASE

Vulnerability Description:

 As stated in the VNC home page ( http://www.uk.research.att.com/vnc/ ):

 "VNC stands for Virtual Network Computing. It is, in essence, a
 remote display system which allows you to view a computing 'desktop'
 environment not only on the machine where it is running, but from anywhere
 on the Internet and from a wide variety of machine architectures"

 The ATT VNC client ships with a remotely exploitable buffer overflow.
 By prodiving a specially crafted response a malicious server has the
 ability to obtain access to the client machine and execute arbitrary
 commands as the user running the client software.

 As VNC is generally used for, among other things, remote management of
 systems outside of the owners network (i.e. collocated sites) an
 attack scenario for this vulnerability is of interest since it might
 imply the escalation of an attack from a less secured network environment
 (i.e. exposed web servers on a CoLo site) to  more secured network
 environment (i.e.  an internal network or the NOC that performs remote
 administration of the CoLo site).

Vulnerable Packages/Systems:

 WinVNC up to version 3.3.3r7


Solution/Vendor Information/Workaround:

  Contact vendor for an appropriate fix.

  In the meantime apply this patch while inside the vnc_winsrc/vncviewer
  directory:

--- Log.cpp Mon Jan 15 17:51:17 2001
+++ Log.cpp Mon Jan 15 17:52:00 2001
@@ -124,7 +124,7 @@
 void Log::ReallyPrint(LPTSTR format, va_list ap)
 {
     TCHAR line[LINE_BUFFER_SIZE];
-    _vstprintf(line, format, ap);
+    _vsntprintf(line, sizeof(line) - sizeof(TCHAR), format, ap);
     if (m_todebug) OutputDebugString(line);

     if (m_toconsole) {
@@ -146,7 +146,7 @@
 void Log::ReallyPrint(LPTSTR format, va_list ap)
 {
     TCHAR line[LINE_BUFFER_SIZE];
-    _vstprintf(line, format, ap);
+    _vsntprintf(line, sizeof(line) - sizeof(TCHAR), format, ap);
     if (m_todebug) OutputDebugString(line);

     if (m_tofile && (hlogfile != NULL)) {

  This patch can also be downloaded from
  ftp://ftp.core-sdi.com/pub/patches/VNC-clientBO.patch

Vendor notified on: 2001-15-01


Credits:

 This vulnerability was found by Emiliano Kargieman, Agustin Azubel
 and Maximiliano Caceres from Core SDI, http://www.core-sdi.com

 This advisory was drafted with the help of the SecurityFocus.com
 Vulnerability Help Team. For more information or assistance drafting
 advisories please mail vulnhelp () securityfocus com.

 This and other CORE SDI security advisories are available at
 http://www.core-sdi.com/english/publications.html


Technical Description:

 Buffer overflow in WinVNC client:

 A malicious server can exploit a buffer overflow in the client by sending a
 fake server version and instead of the challenge method and the challenge
 itself the following packet:

 A rfbConnFailed packet with a length of 'reason' greater than 1024 and a
 'reason string' of 1024 bytes. The client will try to log the reason string
 calling the Log::Print method (ClientConnection.cpp, class
ClientConnection,
 method Authenticate, line 434).
 Log::Print (Log.h, line 61) calls Log::ReallyPrint (Log.cpp) which calls
 _vstprintf with a local buffer of fixed length (1024 bytes).

 Exploitation of the above problem will led to the execution of arbitrary
 code on the client machine with the privileges of the user running the
 VNC client.


DISCLAIMER:

 The content of this advisory are copyright (c) 2000 CORE SDI Inc.
 and may be distributed freely provided that no fee is charged for this
 distribution and proper credit is given.

$Id: VNC-clientbo-advisory.txt,v 1.7 2001/01/29 21:26:45 iarce Exp $

---

"Understanding. A cerebral secretion that enables one having it to know
 a house from a horse by the roof on the house,
 Its nature and laws have been exhaustively expounded by Locke,
 who rode a house, and Kant, who lived in a horse." - Ambrose Bierce


==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
email   : iarce () core-sdi com
http://www.core-sdi.com
Florida 141 2do cuerpo Piso 7
C1005AAC Buenos Aires, Argentina.
Tel/Fax : +(54-11) 4331-5402
=====================================================================





--- For a personal reply use iarce () core-sdi com
Previous By Date Next
Previous By Thread Next

Current thread: