OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Iván Arce (core.lists.win2ksecadviceCORE-SDI.COM)
Date: Mon Jan 29 2001 - 16:07:03 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

                                   CORE SDI
                            http://www.core-sdi.com

     Vulnerability report for buffer overflow in ATT WinVNC client

    Date Published: 2001-01-29

    Advisory ID: CORE-2001011503

    Bugtraq ID: 2305

    CVE CAN: None currently assigned.

    Title; ATT VNC Windows Client Buffer Overflow

    Class: Boundary Error Condition (Buffer Overflow)

    Remotely Exploitable: yes

    Locally Exploitable: yes

    Release Mode: USER RELEASE

    Vulnerability Description:

     As stated in the VNC home page ( http://www.uk.research.att.com/vnc/ ):

     "VNC stands for Virtual Network Computing. It is, in essence, a
     remote display system which allows you to view a computing 'desktop'
     environment not only on the machine where it is running, but from anywhere
     on the Internet and from a wide variety of machine architectures"

     The ATT VNC client ships with a remotely exploitable buffer overflow.
     By prodiving a specially crafted response a malicious server has the
     ability to obtain access to the client machine and execute arbitrary
     commands as the user running the client software.

     As VNC is generally used for, among other things, remote management of
     systems outside of the owners network (i.e. collocated sites) an
     attack scenario for this vulnerability is of interest since it might
     imply the escalation of an attack from a less secured network environment
     (i.e. exposed web servers on a CoLo site) to more secured network
     environment (i.e. an internal network or the NOC that performs remote
     administration of the CoLo site).

    Vulnerable Packages/Systems:

     WinVNC up to version 3.3.3r7

    Solution/Vendor Information/Workaround:

      Contact vendor for an appropriate fix.

      In the meantime apply this patch while inside the vnc_winsrc/vncviewer
      directory:

    --- Log.cpp Mon Jan 15 17:51:17 2001
    +++ Log.cpp Mon Jan 15 17:52:00 2001
    -124,7 +124,7
     void Log::ReallyPrint(LPTSTR format, va_list ap)
     {
         TCHAR line[LINE_BUFFER_SIZE];
    - _vstprintf(line, format, ap);
    + _vsntprintf(line, sizeof(line) - sizeof(TCHAR), format, ap);
         if (m_todebug) OutputDebugString(line);

         if (m_toconsole) {
    -146,7 +146,7
     void Log::ReallyPrint(LPTSTR format, va_list ap)
     {
         TCHAR line[LINE_BUFFER_SIZE];
    - _vstprintf(line, format, ap);
    + _vsntprintf(line, sizeof(line) - sizeof(TCHAR), format, ap);
         if (m_todebug) OutputDebugString(line);

         if (m_tofile && (hlogfile != NULL)) {

      This patch can also be downloaded from
      ftp://ftp.core-sdi.com/pub/patches/VNC-clientBO.patch

    Vendor notified on: 2001-15-01

    Credits:

     This vulnerability was found by Emiliano Kargieman, Agustin Azubel
     and Maximiliano Caceres from Core SDI, http://www.core-sdi.com

     This advisory was drafted with the help of the SecurityFocus.com
     Vulnerability Help Team. For more information or assistance drafting
     advisories please mail vulnhelpsecurityfocus.com.

     This and other CORE SDI security advisories are available at
     http://www.core-sdi.com/english/publications.html

    Technical Description:

     Buffer overflow in WinVNC client:

     A malicious server can exploit a buffer overflow in the client by sending a
     fake server version and instead of the challenge method and the challenge
     itself the following packet:

     A rfbConnFailed packet with a length of 'reason' greater than 1024 and a
     'reason string' of 1024 bytes. The client will try to log the reason string
     calling the Log::Print method (ClientConnection.cpp, class
    ClientConnection,
     method Authenticate, line 434).
     Log::Print (Log.h, line 61) calls Log::ReallyPrint (Log.cpp) which calls
     _vstprintf with a local buffer of fixed length (1024 bytes).

     Exploitation of the above problem will led to the execution of arbitrary
     code on the client machine with the privileges of the user running the
     VNC client.

    DISCLAIMER:

     The content of this advisory are copyright (c) 2000 CORE SDI Inc.
     and may be distributed freely provided that no fee is charged for this
     distribution and proper credit is given.

    $Id: VNC-clientbo-advisory.txt,v 1.7 2001/01/29 21:26:45 iarce Exp $ 

    ---

    "Understanding. A cerebral secretion that enables one having it to know
 a house from a horse by the roof on the house,
 Its nature and laws have been exhaustively expounded by Locke,
 who rode a house, and Kant, who lived in a horse." - Ambrose Bierce

    ==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
email   : iarcecore-sdi.com
http://www.core-sdi.com
Florida 141 2do cuerpo Piso 7
C1005AAC Buenos Aires, Argentina.
Tel/Fax : +(54-11) 4331-5402
=====================================================================

    --- For a personal reply use iarcecore-sdi.com

    _____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net