Attack: VNC Large Error Response CVE-2001-0167

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects an attempt to exploit a buffer overflow vulnerability in UltraVNC.

Additional Information

UltraVNC is a client/server remote access suite that allows remote users to access desktops as though they were local users.

UltraVNC is susceptible to multiple error-logging remote buffer-overflow vulnerabilities. The application fails to properly bounds-check user-supplied input before copying it to insufficiently sized memory buffers.

The first issue is in the client-based 'Log::ReallyPrint()' function in the 'vncviewer/Log.cpp' source file. This function is responsible for logging remote error messages from servers. The vulnerable function uses a 1024-byte memory buffer to receive error messages from the server; if a server returns excessive error message data, adjacent memory will be overrun with attacker-supplied data.

The second issue is in the server-based 'VNCLog::ReallyPrint()' function in the 'winvnc/winvnc/vnclog.cpp' source file. This function is responsible for logging messages to the 'WinVNC.log' log file. If an administrator selects 'Log debug infos to the WinVNC.log file', then this issue becomes exploitable. Reportedly, once this option has been enabled in the past, unselecting the option fails to disable the ability for remote attackers to exploit this issue. This issue can likely be triggered through multiple means that result in the vulnerable logging function being called; however, it has been shown that connecting to the server and sending an HTTP request to a URI with a length of more than 1024 bytes will overrun adjacent memory with attacker-supplied data.
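The following C sketch is an added example, not UltraVNC or Symantec code: it shows a length-bounded formatter for a 1024-byte log buffer and a detection-side check that flags an HTTP request line whose URI exceeds that size. The function names, the use of vsnprintf and the sample request are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF_SIZE 1024 /* buffer size stated in the advisory */

/* Hypothetical bounded formatter for a ReallyPrint()-style logger.
 * vsnprintf writes at most LOG_BUF_SIZE bytes including the terminator.
 * Returns 1 if the message was truncated, 0 if it fit, -1 on error. */
int log_format_bounded(char out[LOG_BUF_SIZE], const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int needed = vsnprintf(out, LOG_BUF_SIZE, fmt, ap);
    va_end(ap);
    if (needed < 0) { out[0] = '\0'; return -1; }
    return needed >= LOG_BUF_SIZE;
}

/* Length of the URI in "METHOD SP URI [SP VERSION]"; -1 if no URI.
 * The URI ends at a space, CR, LF or the end of the captured bytes, so a
 * request that omits the version is still measured. */
long http_uri_length(const char *line, size_t len)
{
    const char *sp = memchr(line, ' ', len);
    if (sp == NULL) return -1;
    const char *uri = sp + 1, *end = line + len, *p = uri;
    while (p < end && *p != ' ' && *p != '\r' && *p != '\n') p++;
    return (long)(p - uri);
}

/* Flags a request whose URI is longer than the 1024-byte log buffer. */
int uri_is_oversized(const char *line, size_t len)
{
    return http_uri_length(line, len) > LOG_BUF_SIZE;
}

int main(void)
{
    char req[2100], msg[LOG_BUF_SIZE]; /* constructed sample request */
    memcpy(req, "GET /", 5);
    memset(req + 5, 'a', 2000);
    strcpy(req + 2005, " HTTP/1.0\r\n");
    size_t n = strlen(req);
    int truncated = log_format_bounded(msg, "request: %s", req);
    printf("uri length %ld, oversized=%d\n", http_uri_length(req, n), uri_is_oversized(req, n));
    printf("truncated=%d, logged %zu bytes\n", truncated, strlen(msg));
    return 0;
}
```

The truncation return value lets the caller record that an over-long message arrived, which is itself a useful detection signal.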

A successful attack may allow remote attackers to execute arbitrary code on a vulnerable computer to gain unauthorized access in the context of the application.

Affected

  • Ultr@VNC Ultr@VNC 1.0.1, 1.0.2

Response

The vendor has released version 1.0.2 to address this issue. Users are advised to contact the vendor for details on obtaining the appropriate updates.