AT&T WinVNC Server Buffer Overflow Vulnerability
BID:2306
Info
| Bugtraq ID: | 2306 |
| Class: | Boundary Condition Error |
| CVE: | CVE-2001-0168 |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 29 2001 12:00AM |
| Updated: | Jul 11 2009 04:46AM |
| Credit: | This vulnerability was discovered by Emiliano Kargieman, Agustin Azubel, and Maximiliano Caceres of Core SDI, and announced to Bugtraq via a Core SDI Advisory on January 29, 2001. |
| Vulnerable: | AT&T WinVNC Server 3.3.3 r7 |
| Not Vulnerable: | |
Discussion
WinVNC is a freely available software package designed to give remote desktop access to servers using a client/server model. It is distributed and maintained by AT&T.
A problem with the WinVNC server could allow remote users to execute arbitrary code. The problem is due to the handling of HTTP requests when a non-zero debug level has been set. HTTP requests are placed into a buffer of 1024 bytes, and when the Windows registry key DebugLevel is set to a value greater than 0, the HTTP request is logged using the method ReallyPrint(), which contains a fixed buffer of 1024 bytes. A specially crafted HTTP request to the WinVNC server can overwrite variables on the stack, including the return address.
A malicious user can use this vulnerability to execute arbitrary code with the privileges of the WinVNC server process, and potentially gain access to the local system.
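The logging pattern described above, next to a bounded replacement, as an added example that is not WinVNC's own code. The function names, the "HTTP request: %s" format string and the sample request are assumptions made for illustration; only the two 1024-byte buffer sizes come from the advisory.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF 1024   /* logging buffer size given in the advisory */
#define REQ_BUF 1024   /* HTTP request buffer size given in the advisory */

/* Unsafe pattern (hypothetical reconstruction, never called here): the
 * formatted line is the request plus whatever text the format adds, so a
 * request that fills REQ_BUF cannot fit in LOG_BUF and vsprintf() overruns. */
void log_unbounded(const char *fmt, ...)
{
    char line[LOG_BUF];
    va_list ap;
    va_start(ap, fmt);
    vsprintf(line, fmt, ap);            /* no length limit */
    va_end(ap);
    fputs(line, stderr);
}

/* Hardened form: vsnprintf() writes at most `cap` bytes and returns the
 * length the full output would have had, so truncation is detectable.
 * Returns 0 if the line fit, 1 if it was truncated, -1 on a format error. */
int log_bounded(char *out, size_t cap, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int need = vsnprintf(out, cap, fmt, ap);
    va_end(ap);
    if (need < 0) { if (cap) out[0] = '\0'; return -1; }
    return (size_t)need >= cap ? 1 : 0;
}

/* Constructed input: a request string that fills the request buffer. */
int demo_oversized_request(char *out, size_t cap)
{
    char req[REQ_BUF];
    memset(req, 'A', sizeof req - 1);
    req[sizeof req - 1] = '\0';
    return log_bounded(out, cap, "HTTP request: %s\n", req);
}

int main(void)
{
    char line[LOG_BUF];
    int truncated = demo_oversized_request(line, sizeof line);
    printf("truncated=%d logged_len=%zu\n", truncated, strlen(line));
    return 0;
}
```

The truncation return value lets the caller record that a request exceeded the log line, which is itself a useful signal when reviewing server logs.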
Exploit / POC
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].