[Full-disclosure] Re: Buffer-overflow in Ultr@VNC 1.0.1 viewer and server



jalvare7@xxxxxxxxxxx wrote:
> Could you confirm my impression that the server vulnerability can only
> overflow the buffer in 3 bytes?

Yes, the buffer is overflowed just by those 3 bytes plus the Windows
error message created with FormatMessage().


> Is there a way to exploit this for code execution, or would it
> be limited to DoS?

Exactly, that's why I have identified it as a "limited" buffer-overflow.
Limited just because the attacker has no control for executing malicious
code; I use this strange term when the return address cannot be
overwritten with the original bytes sent by the attacker.
I still think the buffer-overflow term is necessary because it's
just what happens, although snprintf handles the attacker's input
correctly.
Anyway, if someone has ideas for better and more exact terms, I'm open to
suggestions.


> How could one control the result of the FormatMessage for any of those
> two purposes?

As far as I know the attacker has no way of changing or modifying the
error message because it's handled by the operating system through
GetLastError (retrieves the system error number) and FormatMessage
(creates a text message for that specific system error).

Oh, last note: I have updated my advisory for this second bug [B], adding
an important detail about the exploitation which I forgot yesterday:

The only way I have found for exploiting this bug (moreover without
authentication) is by sending an HTTP request with a URI of
about 1024 bytes to the built-in webserver used for allowing the
clients to download the Java viewer.
The service runs on port 5800 and is enabled by default.


BYEZ


---
Luigi Auriemma
http://aluigi.altervista.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
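The pattern the reply describes (snprintf bounding the attacker-controlled part correctly, then a separator and the OS error text appended with no room left) as an added C example. This is not UltraVNC's code and not the author's; the post does not show the real source, so the buffer size (1024), the 2-byte separator, the strerror-style error string standing in for FormatMessage() output, and the request-line parser are all assumptions, and the example does not reproduce the exact 3-byte figure from the post. To keep the overflow observable without undefined behaviour, the logical buffer is the first BUF_SIZE bytes of a larger array whose tail is a canary; the "damage" count is how many canary bytes a request with a given URI length clobbers.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed logical size of the fixed log buffer; the post gives no real size.
 * Real storage is larger so a short overflow lands in a canary, not in
 * undefined memory. */
#define BUF_SIZE     1024
#define CANARY_SIZE  64
#define CANARY_BYTE  0xAA

/* Constructed stand-in for the FormatMessage() text. On Windows this comes
 * from the OS for the GetLastError() code and is not attacker controlled. */
static const char ERRMSG[] = "The system cannot find the file specified.";

typedef struct {
    unsigned char storage[BUF_SIZE + CANARY_SIZE];
} region_t;

static void region_init(region_t *r)
{
    memset(r->storage, 0, BUF_SIZE);
    memset(r->storage + BUF_SIZE, CANARY_BYTE, CANARY_SIZE);
}

/* Number of canary bytes that no longer hold CANARY_BYTE (0 = no overflow). */
static int region_damage(const region_t *r)
{
    int damaged = 0;
    for (size_t i = BUF_SIZE; i < BUF_SIZE + CANARY_SIZE; i++)
        if (r->storage[i] != CANARY_BYTE) damaged++;
    return damaged;
}

/* strcat-style append that knows nothing about the destination size. */
static void append_unbounded(char *dst, const char *src)
{
    dst += strlen(dst);
    while ((*dst++ = *src++) != '\0') { }
}

/* Vulnerable pattern: snprintf() bounds the URI correctly, but the separator
 * and the OS error text are appended afterwards without checking how much
 * room snprintf() left, so a URI of about BUF_SIZE bytes pushes the tail
 * past the end of the buffer. */
static void log_error_vulnerable(char *buf, size_t size, const char *uri)
{
    snprintf(buf, size, "%s", uri);   /* correct: at most size-1 chars + NUL */
    append_unbounded(buf, ": ");      /* overflow starts here when buf is full */
    append_unbounded(buf, ERRMSG);
}

/* Hardened: one bounded write for the whole line, truncation reported. */
static int log_error_hardened(char *buf, size_t size, const char *uri)
{
    int n = snprintf(buf, size, "%s: %s", uri, ERRMSG);
    if (n < 0) return -1;
    return (size_t)n >= size;         /* 1 = line was truncated */
}

/* Pull the request-target out of a request line ("GET /path HTTP/1.0").
 * Returns the URI length, or -1 if malformed or it does not fit in out. */
static int extract_request_uri(const char *request, char *out, size_t outsize)
{
    const char *start = strchr(request, ' ');
    if (!start) return -1;
    start++;
    const char *end = strpbrk(start, " \r\n");
    if (!end) return -1;
    size_t len = (size_t)(end - start);
    if (len + 1 > outsize) return -1;
    memcpy(out, start, len);
    out[len] = '\0';
    return (int)len;
}

/* Build a request whose URI is uri_len bytes long, run it through the chosen
 * logger and return the number of canary bytes clobbered (-1 on setup error). */
static int run_logger(size_t uri_len, int hardened, int *truncated)
{
    if (uri_len == 0 || uri_len > 1500) return -1;
    char request[2048], uri[2048];
    size_t pos = 5;
    memcpy(request, "GET /", 5);
    memset(request + pos, 'A', uri_len - 1);   /* "/" plus uri_len-1 filler */
    pos += uri_len - 1;
    strcpy(request + pos, " HTTP/1.0\r\n\r\n");
    if (extract_request_uri(request, uri, sizeof uri) != (int)uri_len) return -1;

    region_t r;
    region_init(&r);
    char *buf = (char *)r.storage;
    int t = 0;
    if (hardened) t = log_error_hardened(buf, BUF_SIZE, uri);
    else          log_error_vulnerable(buf, BUF_SIZE, uri);
    if (truncated) *truncated = t;
    return region_damage(&r);
}

int main(void)
{
    int t = 0;
    printf("vulnerable, 100-byte URI : %d canary bytes hit\n", run_logger(100, 0, NULL));
    printf("vulnerable, 1024-byte URI: %d canary bytes hit\n", run_logger(1024, 0, NULL));
    printf("hardened,   1024-byte URI: %d canary bytes hit, truncated=%d\n",
           run_logger(1024, 1, &t), t);
    return 0;
}
```

With a short URI both loggers stay inside the buffer; with a 1024-byte URI the vulnerable logger overruns by the separator plus the error text, while the hardened one reports truncation and touches nothing past the buffer. Since the overrun consists only of a fixed separator and OS-supplied text, the attacker chooses how far the write reaches but not what it contains, which is the "limited" case the reply describes.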


