search menu icon-carat-right cmu-wordmark

CERT Coordination Center

AT&T WinVNC server contains buffer overflow in Log.cpp

Vulnerability Note VU#598581

Original Release Date: 2001-06-28 | Last Revised: 2001-06-28

Overview

A buffer overflow in the WinVNC server on Windows systems can allow an intruder to gain control of the VNC server and execute arbitrary code with the privileges of the user running the server.

Description

AT&T WinVNC is a free software package available from AT&T Labs Cambridge that allows users to interact with the desktop of a remote Windows host. By providing a specially crafted HTTP request to the VNC server, an attacker can overflow a buffer in Log.cpp, resulting in access to the VNC server and the ability to execute arbitrary code with the privileges of the user running the server. It is worth noting that the VNC server does not listen on 80/tcp by default. See the following url:

http://www.uk.research.att.com/vnc/faq.html#q52

Impact

Local and remote users can execute arbitrary code with the privileges of the user running the server.

Solution

Apply this patch while inside the vnc_winsrc/winvnc
directory:

--- Log.cpp Mon Jan 15 18:17:46 2001
+++ Log.cpp Mon Jan 15 18:18:31 2001
@@ -130,7 +130,7 @@

// - Write the log message
TCHAR line[LINE_BUFFER_SIZE];
- vsprintf(line, format, ap);
+ _vsnprintf(line, sizeof(line)-sizeof(TCHAR), format, ap);
ReallyPrintLine(line);
}

Vendor Information

598581
 

ATT Affected

Notified:  January 15, 2001 Updated: June 15, 2001

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see http://www.kb.cert.org/vuls/id/598581

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

Our thanks to CORE SDI for the information contained in their bulletin.

This document was written by Ian A. Finlay and is based on information obtained from a Core SDI Security Advisory.

Other Information

CVE IDs: CVE-2001-0168
Severity Metric: 12.60
Date Public: 2001-01-29
Date First Published: 2001-06-28
Date Last Updated: 2001-06-28 15:57 UTC
Document Revision: 32

Sponsored by CISA.