Vulnerability Report for buffer overflow in ATT WinVNC client

Vulnerability Report for buffer overflow in ATT WinVNC client

Date Published: 2001-01-29

Advisory ID: CORE-2001011503

Bugtraq ID: 2305

CVE Name: CAN-2001-0167

Title: ATT VNC Windows Client Buffer Overflow

Class: Boundary Error Condition (Buffer Overflow)

Remotely Exploitable: yes

Locally Exploitable: yes

Release Mode: USER RELEASE

Vulnerability Description:
As stated in the VNC home page ( http://www.uk.research.att.com/vnc/ ):
"VNC stands for Virtual Network Computing. It is, in essence, a remote display system which allows you to view a computing 'desktop' environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures"

The ATT VNC client ships with a remotely exploitable buffer overflow.

By providing a specially crafted response a malicious server has the ability to obtain access to the client machine and execute arbitrary commands as the user running the client software.

As VNC is generally used for, among other things, remote management of systems outside of the owners network (i.e. collocated sites) an attack scenario for this vulnerability is of interest since it might imply the escalation of an attack from a less secured network environment (i.e. exposed web servers on a CoLo site) to more secured network environment (i.e. an internal network or the NOC that performs remote administration of the CoLo site).

Vulnerable Packages/Systems:
WinVNC up to version 3.3.3r7

Solution/Vendor Information/Workaround:
Contact vendor for an appropriate fix.

In the meantime apply this patch while inside the vnc_winsrc/vncviewer directory:

--- Log.cpp Mon Jan 15 17:51:17 2001

+++ Log.cpp Mon Jan 15 17:52:00 2001

@@ -124,7 +124,7 @@

void Log::ReallyPrint(LPTSTR format, va_list ap)

{

TCHAR line[LINE_BUFFER_SIZE];

- _vstprintf(line, format, ap);

+ _vsntprintf(line, sizeof(line) - sizeof(TCHAR), format, ap);

if (m_todebug) OutputDebugString(line);

if (m_toconsole) {

@@ -146,7 +146,7 @@

void Log::ReallyPrint(LPTSTR format, va_list ap)

{

TCHAR line[LINE_BUFFER_SIZE];

- _vstprintf(line, format, ap);

+ _vsntprintf(line, sizeof(line) - sizeof(TCHAR), format, ap);

if (m_todebug) OutputDebugString(line);

if (m_tofile && (hlogfile != NULL)) {

Vendor notified on: 2001-15-01

Credits:

This vulnerability was found by Emiliano Kargieman, Agustin Azubel Friedman and Maximiliano Cáceres from Core SDI.

This advisory was drafted with the help of the SecurityFocus.com Vulnerability Help Team. For more information or assistance drafting advisories please mail vulnhelp@securityfocus.com

Technical Description:
Buffer overflow in WinVNC client:

A malicious server can exploit a buffer overflow in the client by sending a fake server version and instead of the challenge method and the challenge itself the following packet:

A rfbConnFailed packet with a length of 'reason' greater than 1024 and a 'reason string' of 1024 bytes. The client will try to log the reason string calling the Log::Print method (ClientConnection.cpp, class ClientConnection, method Authenticate, line 434).

Log::Print (Log.h, line 61) calls Log::ReallyPrint (Log.cpp) which calls vstprintf with a local buffer of fixed length (1024 bytes).

Exploitation of the above problem will led to the execution of arbitrary code on the client machine with the privileges of the user running the VNC client.

DISCLAIMER:
The content of this advisory are copyright (c) 2001 CORE SDI Inc. and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.