[CORE SDI ADVISORY] WinVNC client buffer overflow
daemon@ATHENA.MIT.EDU (Iván Arce)
Tue Jan 30 13:13:41 2001
Message-Id: <006901c08a3f$cb37fa30$2e58a8c0@ffornicario>
Date: Mon, 29 Jan 2001 19:04:59 -0300
Reply-To: Iván Arce <core.lists.bugtraq@CORE-SDI.COM>
From: Iván Arce <core.lists.bugtraq@CORE-SDI.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
CORE SDI
http://www.core-sdi.com
Vulnerability report for buffer overflow in ATT WinVNC client
Date Published: 2001-01-29
Advisory ID: CORE-2001011503
Bugtraq ID: 2305
CVE CAN: None currently assigned.
Title: ATT VNC Windows Client Buffer Overflow
Class: Boundary Error Condition (Buffer Overflow)
Remotely Exploitable: yes
Locally Exploitable: yes
Release Mode: USER RELEASE
Vulnerability Description:
As stated on the VNC home page ( http://www.uk.research.att.com/vnc/ ):
"VNC stands for Virtual Network Computing. It is, in essence, a
remote display system which allows you to view a computing 'desktop'
environment not only on the machine where it is running, but from anywhere
on the Internet and from a wide variety of machine architectures"
The ATT VNC client ships with a remotely exploitable buffer overflow.
By providing a specially crafted response, a malicious server can gain
access to the client machine and execute arbitrary commands as the user
running the client software.
As VNC is generally used for, among other things, remote management of
systems outside of the owner's network (i.e. co-located sites), an
attack scenario for this vulnerability is of interest since it might
imply the escalation of an attack from a less secure network environment
(i.e. exposed web servers at a CoLo site) to a more secure network
environment (i.e. an internal network, or the NOC that performs remote
administration of the CoLo site).
Vulnerable Packages/Systems:
WinVNC up to version 3.3.3r7
Solution/Vendor Information/Workaround:
Contact vendor for an appropriate fix.
In the meantime apply this patch while inside the vnc_winsrc/vncviewer
directory:
--- Log.cpp Mon Jan 15 17:51:17 2001
+++ Log.cpp Mon Jan 15 17:52:00 2001
@@ -124,7 +124,7 @@
void Log::ReallyPrint(LPTSTR format, va_list ap)
{
TCHAR line[LINE_BUFFER_SIZE];
- _vstprintf(line, format, ap);
+ _vsntprintf(line, sizeof(line) - sizeof(TCHAR), format, ap);
if (m_todebug) OutputDebugString(line);
if (m_toconsole) {
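Review bot: the count on the `+` line is a byte count, but `_vsntprintf` takes a count in TCHARs, so `sizeof(line) - sizeof(TCHAR)` is only right when TCHAR is one byte; in a UNICODE build it asks for nearly twice the buffer's capacity and the overflow remains. Use `sizeof(line) / sizeof(TCHAR) - 1` (or `LINE_BUFFER_SIZE - 1`). The MSVC `_vsntprintf` family also writes no terminator when the output fills or exceeds the count, so add an explicit `line[LINE_BUFFER_SIZE - 1] = _T('\0');` before `OutputDebugString(line)` consumes the buffer as a string.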
@@ -146,7 +146,7 @@
void Log::ReallyPrint(LPTSTR format, va_list ap)
{
TCHAR line[LINE_BUFFER_SIZE];
- _vstprintf(line, format, ap);
+ _vsntprintf(line, sizeof(line) - sizeof(TCHAR), format, ap);
if (m_todebug) OutputDebugString(line);
if (m_tofile && (hlogfile != NULL)) {
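Review bot: this second `Log::ReallyPrint` body repeats the fix verbatim and so carries the same two issues: a byte count where `_vsntprintf` expects a TCHAR count, and no guaranteed terminator before `line` is written to the log file. Since the two copies differ only in their output target (`m_toconsole` versus `m_tofile`), hoisting the formatting into a single helper would keep the truncation and termination logic in one place and stop the copies drifting apart.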
This patch can also be downloaded from
ftp://ftp.core-sdi.com/pub/patches/VNC-clientBO.patch
Vendor notified on: 2001-01-15
Credits:
This vulnerability was found by Emiliano Kargieman, Agustin Azubel
and Maximiliano Caceres from Core SDI, http://www.core-sdi.com
This advisory was drafted with the help of the SecurityFocus.com
Vulnerability Help Team. For more information or assistance drafting
advisories please mail vulnhelp@securityfocus.com.
This and other CORE SDI security advisories are available at
http://www.core-sdi.com/english/publications.html
Technical Description:
Buffer overflow in WinVNC client:
A malicious server can exploit a buffer overflow in the client by sending a
fake server version and then, in place of the authentication scheme and the
challenge itself, the following packet: an rfbConnFailed packet whose
'reason' length field is greater than 1024, followed by a 'reason' string
of 1024 bytes. The client tries to log the reason string by calling the
Log::Print method (ClientConnection.cpp, class ClientConnection, method
Authenticate, line 434).
Log::Print (Log.h, line 61) calls Log::ReallyPrint (Log.cpp), which calls
_vstprintf with a local buffer of fixed length (1024 bytes).
Exploitation of this problem leads to the execution of arbitrary code on
the client machine with the privileges of the user running the VNC client.
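As an added illustration of the defensive shape this report calls for (example code written for this page, not CORE SDI's patch nor the AT&T WinVNC source), the block below reads the RFB 3.3 connection-failed reply that follows the 4-byte scheme word, rejects a server-supplied reason length that exceeds a cap or the bytes actually received, and formats the log line into a fixed buffer that truncates and terminates instead of overflowing. LINE_BUFFER_SIZE matches the advisory; MAX_REASON_LEN and all function names are assumptions.

```cpp
// Added example (not the advisory's patch nor WinVNC code): bounds-checked handling of an
// RFB 3.3 "connection failed" reply (bytes after the 4-byte scheme word) and safe logging.
#include <cstdarg>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

static const size_t LINE_BUFFER_SIZE = 1024;  // same fixed log buffer size as the advisory
static const uint32_t MAX_REASON_LEN = 256;   // assumed cap on a server-supplied reason

// Format into a fixed buffer of line_chars characters (a character count, not a byte count,
// which is where a sizeof()-based count goes wrong for wide-character builds). The explicit
// terminator covers C runtimes whose _vsnprintf omits it on truncation; returns false if truncated.
static bool FormatLine(char *line, size_t line_chars, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(line, line_chars, fmt, ap);
    va_end(ap);
    line[line_chars - 1] = '\0';
    return n >= 0 && static_cast<size_t>(n) < line_chars;
}
// Parse a 4-byte big-endian reason length plus reason text. A length above the cap or beyond
// the bytes actually received is rejected, so the claimed length never drives a read or a log call.
static bool ReadConnFailed(const std::vector<uint8_t> &msg, std::string &reason) {
    reason.clear();
    if (msg.size() < 4) return false;
    uint32_t len = (uint32_t(msg[0]) << 24) | (uint32_t(msg[1]) << 16) | (uint32_t(msg[2]) << 8) | uint32_t(msg[3]);
    if (len > MAX_REASON_LEN || len > msg.size() - 4) return false;
    reason.assign(reinterpret_cast<const char *>(&msg[4]), len);
    return true;
}
// Constructed sample reply: a claimed length header followed by actual_len bytes of 'A'.
static std::vector<uint8_t> MakeConnFailed(uint32_t claimed_len, size_t actual_len) {
    std::vector<uint8_t> msg = {uint8_t(claimed_len >> 24), uint8_t(claimed_len >> 16),
                                uint8_t(claimed_len >> 8), uint8_t(claimed_len)};
    msg.insert(msg.end(), actual_len, uint8_t('A'));
    return msg;
}
// The log line a hardened client would produce for the reply; returns its length.
static size_t LogConnFailed(const std::vector<uint8_t> &msg) {
    char line[LINE_BUFFER_SIZE];
    std::string reason;
    const char *text = ReadConnFailed(msg, reason) ? reason.c_str() : "(malformed reason)";
    FormatLine(line, sizeof(line) / sizeof(line[0]), "Server rejected connection: %s", text);
    return strlen(line);
}
```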
DISCLAIMER:
The contents of this advisory are copyright (c) 2000 CORE SDI Inc.
and may be distributed freely provided that no fee is charged for this
distribution and proper credit is given.
$Id: VNC-clientbo-advisory.txt,v 1.7 2001/01/29 21:26:45 iarce Exp $
---
"Understanding. A cerebral secretion that enables one having it to know
a house from a horse by the roof on the house.
Its nature and laws have been exhaustively expounded by Locke,
who rode a house, and Kant, who lived in a horse." - Ambrose Bierce
==================[ CORE Seguridad de la Informacion S.A. ]=========
Ivan Arce
President
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
email : iarce@core-sdi.com
http://www.core-sdi.com
Florida 141 2do cuerpo Piso 7
C1005AAC Buenos Aires, Argentina.
Tel/Fax : +(54-11) 4331-5402
=====================================================================
--- For a personal reply use iarce@core-sdi.com