AT&T WinVNC Client Buffer Overflow Vulnerability
by platon on January 30th, 2001

VNC is the Virtual Network Computing package, a freely available remote administration package designed to allow access to a remote system desktop. It is distributed and maintained by AT&T...
A problem with the client portion of the package could allow a remote user to execute arbitrary code. The flaw lies in the handling of the rfbConnFailed packet that the server sends to the client during connection and authentication. This error response normally signals the client that the connection attempt has failed, at which point the client passes the contents of the packet through a logging routine for future administrative reference. However, a server that spoofs its version number and sends an rfbConnFailed packet carrying a reason string of 1024 bytes with a declared reason length greater than 1024 bytes triggers an overflow in the client. The overflow can overwrite stack variables, including the return address, and be used to execute arbitrary code.
This problem makes it possible for a malicious user to execute code on a remote system with the privileges of the user running the WinVNC client.
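The defect described above is a classic length-field trust problem: the client reads a server-supplied length and copies that many bytes into a fixed-size buffer. The following C example is added here for illustration and is not the WinVNC source; the wire layout (a 4-byte big-endian reason length followed by the reason bytes), the 1024-byte buffer size, and every function name are assumptions modelled on the advisory text. It shows an unchecked copy of the kind the advisory describes beside a bounds-checked parser that rejects messages whose declared length does not match the bytes received or does not fit the log buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed size of the client's fixed log buffer (the advisory cites 1024). */
#define REASON_BUF 1024

/* Decode a 4-byte big-endian length, the framing assumed for this example. */
static uint32_t read_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Unchecked variant, shown only for contrast: it trusts the length the
 * server declared and copies it into a fixed stack buffer. With a declared
 * length above REASON_BUF the copy runs past the buffer. Never call this
 * with untrusted input; it is not exercised by the examples below. */
void log_conn_failed_unchecked(const unsigned char *msg) {
    char reason[REASON_BUF];
    uint32_t reason_len = read_be32(msg);
    memcpy(reason, msg + 4, reason_len);     /* no check against sizeof reason */
    reason[reason_len < REASON_BUF ? reason_len : REASON_BUF - 1] = '\0';
    printf("connection failed: %s\n", reason);
}

/* Hardened parser. msg_len is the number of bytes actually received.
 * Returns the reason length copied into out (NUL-terminated), or -1 when
 * the message is truncated, the declared length exceeds the data present,
 * or the reason would not fit in the caller's buffer. */
int parse_conn_failed(const unsigned char *msg, size_t msg_len,
                      char *out, size_t out_cap) {
    if (msg == NULL || out == NULL || out_cap == 0 || msg_len < 4)
        return -1;
    uint32_t reason_len = read_be32(msg);
    if (reason_len > msg_len - 4)      /* claims more bytes than were sent */
        return -1;
    if (reason_len >= out_cap)         /* would not fit with the NUL terminator */
        return -1;
    memcpy(out, msg + 4, reason_len);
    out[reason_len] = '\0';
    return (int)reason_len;
}

/* Constructed sample: a well-formed 5-byte reason. Expected result: 5. */
int example_valid(void) {
    const unsigned char msg[] = {0x00, 0x00, 0x00, 0x05, 'n', 'o', 'p', 'e', '!'};
    char out[REASON_BUF];
    return parse_conn_failed(msg, sizeof msg, out, sizeof out);
}

/* Constructed sample matching the advisory: 1024 reason bytes on the wire
 * but a declared length of 4096. Expected result: -1 (rejected). */
int example_declared_length_exceeds_data(void) {
    unsigned char msg[4 + 1024];
    msg[0] = 0x00; msg[1] = 0x00; msg[2] = 0x10; msg[3] = 0x00;   /* 4096 */
    memset(msg + 4, 'A', 1024);
    char out[REASON_BUF];
    return parse_conn_failed(msg, sizeof msg, out, sizeof out);
}

/* Constructed sample: declared length 1500 with 1500 bytes really present,
 * which exceeds the 1024-byte log buffer. Expected result: -1 (rejected). */
int example_too_long_for_buffer(void) {
    unsigned char msg[4 + 1500];
    msg[0] = 0x00; msg[1] = 0x00; msg[2] = 0x05; msg[3] = 0xDC;   /* 1500 */
    memset(msg + 4, 'B', 1500);
    char out[REASON_BUF];
    return parse_conn_failed(msg, sizeof msg, out, sizeof out);
}

int main(void) {
    printf("valid reason       -> %d\n", example_valid());
    printf("length > data      -> %d\n", example_declared_length_exceeds_data());
    printf("length > buffer    -> %d\n", example_too_long_for_buffer());
    return 0;
}
```

Rejecting an oversized reason (rather than silently truncating it) is a deliberate choice here: a server that declares a length larger than its own payload is already misbehaving, and refusing the message keeps the log path from ever depending on the peer's arithmetic.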
This vulnerability was discovered by Emiliano Kargieman, Agustin Azubel, and Maximiliano Caceres of Core-SDI, and announced to Bugtraq in a Core-SDI Security Advisory on January 29, 2001.