Bugtraq mailing list archives

[CORE SDI ADVISORY] WinVNC server buffer overflow


From: Iván Arce <core.lists.bugtraq () CORE-SDI COM>
Date: Mon, 29 Jan 2001 19:11:30 -0300

                               CORE SDI
                        http://www.core-sdi.com

 Vulnerability report for server overflow in ATT VNC for Windows


Date Published: 2001-01-29

Advisory ID: CORE-2001011502

Bugtraq ID: 2306

CVE CAN: None currently assigned.

Title: ATT VNC Windows Server Buffer Overflow

Class: Boundary Error Condition (Buffer Overflow)

Remotely Exploitable: yes

Locally Exploitable: yes

Release Mode: USER RELEASE

Vulnerability Description:

 As stated in the VNC home page ( http://www.uk.research.att.com/vnc/ ):

 "VNC stands for Virtual Network Computing. It is, in essence, a
 remote display system which allows you to view a computing 'desktop'
 environment not only on the machine where it is running, but from anywhere
 on the Internet and from a wide variety of machine architectures"

 The ATT VNC server for Windows ships with a remotely and locally exploitable
 buffer overflow if it is configured with a certain debug level.

 By providing a specially crafted HTTP request an attacker has the ability to
 obtain access to the VNC server and execute arbitrary commands with the
 privileges of the user running the server.


Vulnerable Packages/Systems:

 VNC version 3.3.3r7 for Windows.


Solution/Vendor Information/Workaround:

  Contact vendor for an appropriate fix.

  In the meantime apply this patch while inside the vnc_winsrc/winvnc
  directory:

--- Log.cpp Mon Jan 15 18:17:46 2001
+++ Log.cpp Mon Jan 15 18:18:31 2001
@@ -130,7 +130,7 @@

  // - Write the log message
  TCHAR line[LINE_BUFFER_SIZE];
-    vsprintf(line, format, ap);
+    _vsnprintf(line, sizeof(line)-sizeof(TCHAR), format, ap);
  ReallyPrintLine(line);
 }
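Review bot: the replacement line `_vsnprintf(line, sizeof(line)-sizeof(TCHAR), format, ap);` reserves the last element of `line` but never writes a terminator into it; `_vsnprintf` does not NUL-terminate when the output is truncated, so `ReallyPrintLine(line)` can still read past the end of the buffer on an over-long message. Add `line[LINE_BUFFER_SIZE - 1] = 0;` after the call. Also, the count is computed in bytes while `_vsnprintf` takes a count in characters, and the narrow `_vsnprintf` is paired with a `TCHAR` buffer; `_vsntprintf(line, LINE_BUFFER_SIZE - 1, format, ap)` keeps both consistent under a UNICODE build.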

  This patch can also be downloaded from:
  ftp://ftp.core-sdi.com/pub/patches/VNC-serverBO.patch


Vendor notified on: 2001-01-15

Credits:

 This vulnerability was found by Emiliano Kargieman, Agustin Azubel
 and Maximiliano Caceres from Core SDI, http://www.core-sdi.com

 This advisory was drafted with the help of the SecurityFocus.com
 Vulnerability Help Team. For more information or assistance drafting
 advisories please mail vulnhelp () securityfocus com.

 This and other CORE SDI security advisories are available at
 http://www.core-sdi.com/english/publications.html


Technical Description:

 Buffer overflows in WinVNC server:

 The following vulnerability depends on having the registry key 'DebugLevel'
 with a value greater than 0, and the ability to send the right shellcode.

 The VNC server listens on the network for incoming HTTP requests.
 In the file vncHTTPConnect.cpp, method vncHTTPConnectThread::DoHTTP, data
 read from the network is parsed using sscanf( x, "GET %s", s ) into a buffer
 of 1024 bytes in length.
 The request is logged by issuing a call to Log::Print() with the following
 string: "vncHTTPConnect.cpp : " + s + " file requested\n".

 In turn, Log::Print() (in Log.h) calls the private method ReallyPrint()
 (in Log.cpp) which calls in turn vsprintf(3) with a local buffer of fixed
 length (1024 bytes). Since the length of the string might be as long as
 1024 + 38 = 1062 bytes, the saved return address in the stack can be
 overwritten, allowing the attacker to execute arbitrary code with the
 privileges of the account running the VNC server.
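 As an added example (not code from the advisory or from the VNC project), the
 following C model of the log path described above shows a bounded replacement
 for the vsprintf() call that always terminates the buffer and reports
 truncation, together with the arithmetic behind the 1062-byte figure. The
 buffer size and format string are taken from the advisory; the function names
 and the constructed request name are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LINE_BUFFER_SIZE 1024   /* fixed log line buffer in Log.cpp (per advisory) */
#define REQ_BUFFER_SIZE  1024   /* target of sscanf("GET %s") in DoHTTP (per advisory) */

/* Hardened stand-in for Log::ReallyPrint (hypothetical name): bounded
 * formatting plus an explicit terminator, since snprintf-family variants
 * differ on whether they NUL-terminate on truncation. Returns the length
 * the full message would have had, so callers can detect truncation. */
static int log_line_bounded(char *line, size_t cap, const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    int needed = vsnprintf(line, cap, format, ap);
    va_end(ap);
    line[cap - 1] = '\0';
    return needed;
}

/* The DoHTTP log call quoted in the advisory: prefix + requested file + suffix.
 * Sets *truncated when the message does not fit in the caller's buffer. */
static int log_http_request(const char *requested, char *line, size_t cap,
                            int *truncated)
{
    int needed = log_line_bounded(line, cap,
                                  "vncHTTPConnect.cpp : %s file requested\n",
                                  requested);
    *truncated = needed >= (int)cap;
    return needed;
}

/* Constructed worst case: a requested name filling the whole 1024-byte parse
 * buffer. The fixed text is 37 chars, so the message needs 1061 chars plus a
 * NUL: the advisory's 1024 + 38 = 1062 bytes against a 1024-byte line. */
static int demo_worst_case(int *truncated)
{
    char requested[REQ_BUFFER_SIZE + 1];
    char line[LINE_BUFFER_SIZE];
    memset(requested, 'A', REQ_BUFFER_SIZE);
    requested[REQ_BUFFER_SIZE] = '\0';
    return log_http_request(requested, line, sizeof line, truncated);
}

int main(void)
{
    int truncated;
    int needed = demo_worst_case(&truncated);
    printf("needed %d bytes incl. NUL, buffer %d, truncated=%d\n",
           needed + 1, LINE_BUFFER_SIZE, truncated);
    return 0;
}
```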


DISCLAIMER:

 The contents of this advisory are copyright (c) 2000 CORE SDI Inc.
 and may be distributed freely provided that no fee is charged for this
 distribution and proper credit is given.

$Id: VNC-serverbo-advisory.txt,v 1.9 2001/01/29 21:26:45 iarce Exp $

---

"Understanding. A cerebral secretion that enables one having it to know
 a house from a horse by the roof on the house.
 Its nature and laws have been exhaustively expounded by Locke,
 who rode a house, and Kant, who lived in a horse." - Ambrose Bierce


==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
email   : iarce () core-sdi com
http://www.core-sdi.com
Florida 141 2do cuerpo Piso 7
C1005AAG Buenos Aires, Argentina.
Tel/Fax : +(54-11) 4331-5402
=====================================================================

--- For a personal reply use iarce () core-sdi com