CORE SDI http://www.core-sdi.com Vulnerability report for server overflow in ATT VNC for Windows Date Published: 2001-01-29 Advisory ID: CORE-2001011502 Bugtraq ID: 2306 CVE CAN: None currently assigned. Title; ATT VNC Windows Server Buffer Overflow Class: Boundary Error Condition (Buffer Overflow) Remotely Exploitable: yes Locally Exploitable: yes Release Mode: USER RELEASE Vulnerability Description: As stated in the VNC home page ( http://www.uk.research.att.com/vnc/ ): "VNC stands for Virtual Network Computing. It is, in essence, a remote display system which allows you to view a computing 'desktop' environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures" The ATT VNC server for windows ships with a remotely and locally exploitable buffer overflow if it is configured with a certain debug level. By providing a specially crafted HTTP request an attacker has the ability to obtain access to the VNC server and execute arbitrary commands with the privileges of the user running the server. Vulnerable Packages/Systems: VNC version 3.3.3r7 for Windows. Solution/Vendor Information/Workaround: Contact vendor for an appropriate fix. In the meantime apply this patch while inside the vnc_winsrc/winvnc directory: --- Log.cpp Mon Jan 15 18:17:46 2001 +++ Log.cpp Mon Jan 15 18:18:31 2001 @@ -130,7 +130,7 @@ // - Write the log message TCHAR line[LINE_BUFFER_SIZE]; - vsprintf(line, format, ap); + _vsnprintf(line, sizeof(line)-sizeof(TCHAR), format, ap); ReallyPrintLine(line); } This patch can also be downloaded from: ftp://ftp.core-sdi.com/pub/patches/VNC-serverBO.patch Vendor notified on: 2001-01-15 Credits: This vulnerability was found by Emiliano Kargieman, Agustin Azubel and Maximiliano Caceres from Core SDI, http://www.core-sdi.com This advisory was drafted with the help of the SecurityFocus.com Vulnerability Help Team. For more information or assistance drafting advisories please mail [EMAIL PROTECTED] This and other CORE SDI security advisories are available at http://www.core-sdi.com/english/publications.html Technical Description: Buffer overflows in WinVNC server: The following vulnerability depends on having the registry key 'DebugLevel' with a value greater than 0, and the ability to send the right shellcode. The VNC server listens on the network for incoming HTTP requests. In the file vncHTTPConnect.cpp, method vncHTTPConnectThread::DoHTTP, data read from the network is parsed using sscanf( x, "GET %s", s ) into a buffer with 1024 bytes of length. The request is logged issuing a call to Log::Print() with the following string: "vncHTTPConnect.cpp : " + s + " file requested\n". In turn, Log::Print() (in Log.h) calls the private method ReallyPrint() (in Log.cpp) which calls in turn vsprintf(3) with a local buffer of fixed length (1024 bytes). Since the length of the string might be as long as 1024 + 38 = 1062 bytes, the saved return address in the stack can be overwritten, allowing the attacker to execute arbitrary code with the privileges of the account running the VNC server. DISCLAIMER: The content of this advisory are copyright (c) 2000 CORE SDI Inc. and may be distributed freely provided that no fee is charged for this distribution and proper credit is given. $Id: VNC-serverbo-advisory.txt,v 1.9 2001/01/29 21:26:45 iarce Exp $ --- "Understanding. A cerebral secretion that enables one having it to know a house from a horse by the roof on the house, Its nature and laws have been exhaustively expounded by Locke, who rode a house, and Kant, who lived in a horse." - Ambrose Bierce ==================[ CORE Seguridad de la Informacion S.A. ]========= Iván Arce Presidente PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A email : [EMAIL PROTECTED] http://www.core-sdi.com Florida 141 2do cuerpo Piso 7 C1005AAG Buenos Aires, Argentina. Tel/Fax : +(54-11) 4331-5402 ===================================================================== --- For a personal reply use [EMAIL PROTECTED]