COMMAND
VNC
SYSTEMS AFFECTED
WinVNC up to version 3.3.3r7
PROBLEM
Following is based on a CORE SDI Advisory CORE-2001011503. "VNC
stands for Virtual Network Computing. It is, in essence, a remote
display system which allows you to view a computing 'desktop'
environment not only on the machine where it is running, but from
anywhere on the Internet and from a wide variety of machine
architectures."
The AT&T VNC client ships with a remotely exploitable buffer
overflow. By providing a specially crafted response, a malicious
server can obtain access to the client machine and execute
arbitrary commands as the user running the client software.
As VNC is generally used for, among other things, remote
management of systems outside of the owner's network (e.g.
co-located sites), an attack scenario for this vulnerability is of
interest since it might imply the escalation of an attack from a
less secured network environment (e.g. exposed web servers at a
CoLo site) to a more secured network environment (e.g. an internal
network or the NOC that performs remote administration of the CoLo
site).
This vulnerability was found by Emiliano Kargieman, Agustin Azubel
and Maximiliano Caceres from Core SDI.
A malicious server can exploit a buffer overflow in the client by
sending a fake server version and then, in place of the
authentication scheme and the challenge itself, the following
packet: an rfbConnFailed packet whose 'reason' length field is
greater than 1024, followed by a 'reason string' of 1024 bytes.
The client will try to log the reason string by calling the
Log::Print method (ClientConnection.cpp, class ClientConnection,
method Authenticate, line 434).
Log::Print (Log.h, line 61) calls Log::ReallyPrint (Log.cpp), which
calls _vstprintf with a local buffer of fixed length (1024 bytes).
Nothing bounds that write, so a reason string of 1024 bytes plus
the format prefix runs past the end of the local buffer.
Exploitation of the above problem will lead to the execution of
arbitrary code on the client machine with the privileges of the
user running the VNC client.
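The two defensive checks the above implies, written out as an added C example (not code from the advisory or from the VNC sources): a bounded stand-in for Log::ReallyPrint that can never write past its 1024-byte line buffer, and a length check on the rfbConnFailed reason before it reaches the logger. The names really_print_bounded, parse_conn_failed, build_conn_failed and the MAX_REASON_LEN policy cap are assumptions; the 4-byte big-endian reason-length prefix is the RFB 3.3 wire layout.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LINE_BUFFER_SIZE 1024   /* same size as the Log line buffer in the advisory */
#define MAX_REASON_LEN   1024   /* policy cap for a server-supplied reason (assumed) */

/* Bounded counterpart of Log::ReallyPrint: vsnprintf never writes past cap
 * and always NUL-terminates. Returns 1 if the message was truncated, else 0. */
static int really_print_bounded(char *line, size_t cap, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(line, cap, fmt, ap);
    va_end(ap);
    if (n < 0) { line[0] = '\0'; return 1; }
    return (size_t)n >= cap;
}

/* Parse an rfbConnFailed body (4-byte big-endian reason length, then the
 * reason bytes). The declared length is checked against both a policy cap
 * and the bytes actually received, so a packet that claims >1024 bytes but
 * carries 1024 (the advisory's case) is rejected before anything is logged.
 * Copies at most cap-1 bytes and NUL-terminates. Returns 0 on success, -1 otherwise. */
static int parse_conn_failed(const uint8_t *pkt, size_t pkt_len, char *reason, size_t cap)
{
    uint32_t declared;
    size_t n;
    if (pkt_len < 4 || cap == 0) return -1;
    declared = ((uint32_t)pkt[0] << 24) | ((uint32_t)pkt[1] << 16) |
               ((uint32_t)pkt[2] << 8)  |  (uint32_t)pkt[3];
    if (declared > MAX_REASON_LEN || declared > pkt_len - 4) return -1;
    n = declared < cap - 1 ? declared : cap - 1;
    memcpy(reason, pkt + 4, n);
    reason[n] = '\0';
    return 0;
}

/* Constructed test input: an rfbConnFailed body with an arbitrary declared
 * length followed by `actual` bytes of 'A'. Returns bytes written, 0 if no room. */
static size_t build_conn_failed(uint8_t *buf, size_t bufsz, uint32_t declared, size_t actual)
{
    if (bufsz < 4 + actual) return 0;
    buf[0] = (uint8_t)(declared >> 24); buf[1] = (uint8_t)(declared >> 16);
    buf[2] = (uint8_t)(declared >> 8);  buf[3] = (uint8_t)declared;
    memset(buf + 4, 'A', actual);
    return 4 + actual;
}
```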
SOLUTION
Contact the vendor for an appropriate fix. In the meantime, apply
this patch from inside the vnc_winsrc/vncviewer directory:
--- Log.cpp Mon Jan 15 17:51:17 2001
+++ Log.cpp Mon Jan 15 17:52:00 2001
@@ -124,7 +124,7 @@
void Log::ReallyPrint(LPTSTR format, va_list ap)
{
TCHAR line[LINE_BUFFER_SIZE];
- _vstprintf(line, format, ap);
+ _vsntprintf(line, sizeof(line) - sizeof(TCHAR), format, ap);
if (m_todebug) OutputDebugString(line);
if (m_toconsole) {
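Review bot: the count argument of _vsntprintf on the `+` line is a number of TCHARs, not bytes, so `sizeof(line) - sizeof(TCHAR)` is only correct in an ANSI build; in a UNICODE build (2-byte TCHAR) it permits up to 2*LINE_BUFFER_SIZE - 2 characters into a LINE_BUFFER_SIZE-character buffer and the overflow remains. Pass `LINE_BUFFER_SIZE - 1` (or `sizeof(line) / sizeof(TCHAR) - 1`) instead. Separately, _vsntprintf does not append a terminator when the output is truncated, so `line` can reach OutputDebugString unterminated; add `line[LINE_BUFFER_SIZE - 1] = _T('\0');` directly after the call.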
@@ -146,7 +146,7 @@
void Log::ReallyPrint(LPTSTR format, va_list ap)
{
TCHAR line[LINE_BUFFER_SIZE];
- _vstprintf(line, format, ap);
+ _vsntprintf(line, sizeof(line) - sizeof(TCHAR), format, ap);
if (m_todebug) OutputDebugString(line);
if (m_tofile && (hlogfile != NULL)) {
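Review bot: the same count-in-characters and missing-terminator concerns as in the first hunk apply to this `+` line, and the terminator matters more here because `line` goes on to the log file. Beyond that, the two hunks patch two identical copies of Log::ReallyPrint (the one at line 124 feeding the console, the one at line 146 feeding hlogfile); folding the formatting step into one shared helper would mean the next fix to this buffer handling is applied once rather than having to be kept in sync across both copies.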