[Full-Disclosure] SRT2004-01-17-0425 - Ultr@VNC local SYSTEM access.

From: KF (dotslash_at_snosoft.com)
Date: 01/17/04

  • Next message: KF: "[Full-Disclosure] Happy belated Personal Firewall day - SRT2004-01-17-0628 - Agnitum Optpost firewall allows Local SYSTEM access"
    To: bugtraq@securityfocus.com
    Date: Sat, 17 Jan 2004 12:28:42 -0500

    Yeah I know this one is short... theres a couple more on the way with
    more in depth details.



    Secure Network Operations, Inc. http://www.secnetops.com/research
    Strategic Reconnaissance Team research[at]secnetops[.]com
    Team Lead Contact kf[at]secnetops[.]com
    Spam Contact `rm -rf /`@snosoft.com

    Our Mission:
    Secure Network Operations offers expertise in Networking, Intrusion
    Detection Systems (IDS), Software Security Validation, and
    Corporate/Private Network Security. Our mission is to facilitate a
    secure and reliable Internet and inter-enterprise communications
    infrastructure through the products and services we offer.

    To learn more about our company, products and services or to request a
    demo of ANVIL FCS please visit our site at http://www.secnetops.com, or
    call us at: 978-263-3829

    Quick Summary:
    Advisory Number : SRT2004-01-17-0425
    Product : Ultr@VNC
    Version : 1.0.0 RC11 (tested)
    Vendor : http://ultravnc.sourceforge.net/
    Class : Local
    Criticality : High (to Ultr@VNC users)
    Operating System(s) : Win32

    1-2 day Early Warning List:
    Secure Network Operations, inc. will very shortly have its own advisory
    notification mailing list. This list will notify you of advisories 1-2
    days in advance of public release to other mailing lists. To subscribe
    please visit http://advisories.secnetops.com in the immediate future.

    30-60 day Early Warning List:
    Our early warning service will notify you of new vulnerabilities 30-60
    days in advance of public release. This service has been created to protect
    companies by allowing them to repair security vulnerabilities before they
    become public knowledge. To purchase a one year subscription to this
    service please contact us at 978-263-3767.

    Our advisories will contain full details excluding a working Proof of
    Concept. Our web page will contain our working proof of concept for the
    advisory if it exists. Yes folks this is a policy change for us. We
    will exercise our own disgression in regards to delay of exploit release
    vs advisory release. List subscribers will have advanced access to working
    proof of concept code depending on the severity and list subscription type.

    Basic Explanation
    High Level Description : Ultr@VNC provides local SYSTEM access.

    What to do : remove faulty ShellExecute() statements.

    Basic Technical Details
    Proof Of Concept Status : SNO has Proof of Concept.

    Low Level Description : Ultr@VNC is a client/server software that allows
    you to remotely control a computer over any TCP/IP connection as if you
    were in front of it. It is Free and distributed under the terms of the GNU
    General Public License. Ultr@VNC supports Win9x/Me/NT4/Win2000/XP.

    [kfinisterre@CloneRiot Ultravnc]$ grep ShellExecute . -rn
    ./src/ultravnc/winvnc/winvnc/vncmenu.cpp:423: ShellExecute(GetDesktopWindow(),
    "open", "http://ultravnc.sourceforge.net/help.htm", "", 0, SW_SHOWNORMAL);
    ./src/ultravnc/winvnc/winvnc/vncmenu.cpp:426: ShellExecute(GetDesktopWindow(),
    "open", "http://ultravnc.sourceforge.net/index.html", "", 0, SW_SHOWNORMAL);
    Binary file ./winvnc.exe matches
    Binary file ./french/winvnc.exe matches

    In order to exploit this issue you simply need to right click on the tray
    icon for Ultr@VNC, select either "Online Help" or "Home Page". You will
    find that IEXPLORE.EXE is running as SYSTEM. You can simply type in the
    address bar "C:\WINNT\SYSTEM32" and press enter. Locate cmd.exe and right
    click on it and selece Open. At this point in time you will have a command
    prompt running as SYSTEM.

    An example of exploitation can be viewed (without registration) at:

    Vendor Status : Vendor is working on a fix for this issue. A vendor
    supplied patch should be supplied in the next release.

    Work Around : Comment out the ShellExecute() statements on both
    line 423 and 426 of vncmenu.cpp. Recompile and reinstall the app.

    Bugtraq URL : To be assigned.

    This advisory was released by Secure Network Operations,Inc. as a matter
    of notification to help administrators protect their networks against
    the described vulnerability. Release of exploit code is done at our
    own disgression.
    All content of this advisory is property of Secure Network Operations.
    Secure Network Operations, Inc. || http://www.secnetops.com
    "Embracing the future of technology, protecting you."


    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

  • Next message: KF: "[Full-Disclosure] Happy belated Personal Firewall day - SRT2004-01-17-0628 - Agnitum Optpost firewall allows Local SYSTEM access"