Vulnerabilities > CVE-2009-0388 - Numeric Errors vulnerability in multiple products

CVSS 10.0 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: network, low complexity, tightvnc, ultravnc, CWE-189, critical, nessus, exploit available

Summary

Multiple integer signedness errors in (1) UltraVNC 1.0.2 and 1.0.5 and (2) TightVnc 1.3.9 allow remote VNC servers to cause a denial of service (heap corruption and application crash) or possibly execute arbitrary code via a large length value in a message, related to the (a) ClientConnection::CheckBufferSize and (b) ClientConnection::CheckFileZipBufferSize functions in ClientConnection.cpp.

Vulnerable Configurations

Part         Description   Count
Application  Tightvnc      1
Application  Ultravnc      2

Common Weakness Enumeration (CWE)

Exploit-Db

  • description: UltraVNC/TightVNC Multiple VNC Clients Multiple Integer Overflow PoC. CVE-2009-0388. DoS exploit for the Windows platform
    file: exploits/windows/dos/7990.py
    id: EDB-ID:7990
    last seen: 2016-02-01
    modified: 2009-02-04
    platform: windows
    port:
    published: 2009-02-04
    reporter: Andres Luksenberg
    source: https://www.exploit-db.com/download/7990/
    title: UltraVNC/TightVNC Multiple VNC Clients Multiple Integer Overflow PoC
    type: dos
  • description: TightVNC Authentication Failure Integer Overflow PoC. CVE-2009-0388. DoS exploit for the Windows platform
    file: exploits/windows/dos/8024.py
    id: EDB-ID:8024
    last seen: 2016-02-01
    modified: 2009-02-09
    platform: windows
    port:
    published: 2009-02-09
    reporter: desi
    source: https://www.exploit-db.com/download/8024/
    title: TightVNC Authentication Failure Integer Overflow PoC
    type: dos

Nessus

  • NASL family: Windows
    NASL id: ULTRAVNC_1_0_5_4.NASL
    description: The installed version of UltraVNC Viewer is earlier than 1.0.5.4. Such versions reportedly miscalculate a buffer size on the heap. If an attacker can trick a user on the remote host into connecting to a malicious server, the attacker can probably exploit this issue using specially crafted messages to execute code on the affected host subject to the user's privileges.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 35608
    published: 2009-02-06
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/35608
    title: UltraVNC Viewer < 1.0.5.4 Multiple Integer Overflows
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    
    include("compat.inc");
    
    if (description)
    {
      script_id(35608);
      script_version("1.12");
      script_cvs_date("Date: 2019/09/16 11:41:12");
    
      script_cve_id("CVE-2009-0388");
      script_bugtraq_id(33568);
    
      script_name(english:"UltraVNC Viewer < 1.0.5.4 Multiple Integer Overflows");
      script_summary(english:"Checks version of vncviewer.exe");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host has an application that is affected by multiple integer overflows.");
      script_set_attribute(attribute:"description", value:
    "The installed version of UltraVNC Viewer is earlier than 1.0.5.4. Such versions reportedly miscalculate a buffer size
    on the heap. If an attacker can trick a user on the remote host into connecting to a malicious server, the attacker can
    probably exploit this issue using specially crafted messages to execute code on the affected host subject to the user's
    privileges.
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"http://www.coresecurity.com/content/vnc-integer-overflows");
      script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/500632/30/0/threaded");
      script_set_attribute(attribute:"see_also", value:"http://www.uvnc.com/download/1054/");
      script_set_attribute(attribute:"solution", value:"Upgrade to UltraVNC 1.0.5.4 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2009-0388");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_cwe_id(189);
    
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/02/06");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:ultravnc:ultravnc");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("smb_enum_services.nasl", "smb_hotfixes.nasl");
      script_require_keys("SMB/Registry/Enumerated");
      script_require_ports(139, 445);
    
      exit(0);
    }
    
    
    include('smb_func.inc');
    include('audit.inc');
    include('smb_hotfixes.inc');
    
    
    if (!get_kb_item('SMB/Registry/Enumerated')) exit(0);
    
    
    # Detect where UltraVNC's installed.
    list = get_kb_list('SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/*/DisplayName');
    if (isnull(list)) exit(0);
    key = NULL;
    foreach name (keys(list))
    {
      prod = list[name];
      if (prod && prod =~ "^UltraVNC")
      {
        key = ereg_replace(pattern:"^SMB\/Registry\/HKLM\/(.+)\/DisplayName$", replace:"\1", string:name);
        key = str_replace(find:"/", replace:"\", string:key);
        break;
      }
    }
    if (isnull(key)) exit(0);
    
    
    # Connect to the appropriate share.
    name    =  kb_smb_name();
    port    =  kb_smb_transport();
    login   =  kb_smb_login();
    pass    =  kb_smb_password();
    domain  =  kb_smb_domain();
    
    
    
    if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');
    rc = NetUseAdd(login:login, password:pass, domain:domain, share:'IPC$');
    if (rc != 1) {
      NetUseDel();
      exit(0);
    }
    
    
    # Connect to remote registry.
    hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
    if (isnull(hklm))
    {
      NetUseDel();
      exit(0);
    }
    
    
    # Find the install path.
    path = NULL;
    
    key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
    if (!isnull(key_h))
    {
      item = RegQueryValue(handle:key_h, item:'InstallLocation');
      if (!isnull(item))
      {
        path = item[1];
        path = ereg_replace(pattern:"^(.+)\\$", replace:"\1", string:path);
      }
    
      RegCloseKey(handle:key_h);
    }
    RegCloseKey(handle:hklm);
    if (isnull(path))
    {
      NetUseDel();
      exit(0);
    }
    
    
    # Grab the version and description from the executable.
    share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:path);
    exe =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\vncviewer.exe", string:path);
    NetUseDel(close:FALSE);
    
    rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
    if (rc != 1)
    {
      NetUseDel();
      exit(0);
    }
    
    fh = CreateFile(
      file:exe,
      desired_access:GENERIC_READ,
      file_attributes:FILE_ATTRIBUTE_NORMAL,
      share_mode:FILE_SHARE_READ,
      create_disposition:OPEN_EXISTING
    );
    
    ver = NULL;
    if (!isnull(fh))
    {
      ver = GetFileVersion(handle:fh);
      CloseFile(handle:fh);
    }
    NetUseDel();
    
    
    # Check the version number.
    if (!isnull(ver))
    {
      fix = split('1.0.5.4', sep:'.', keep:FALSE);
      for (i=0; i<max_index(fix); i++)
        fix[i] = int(fix[i]);
    
      for (i=0; i<max_index(ver); i++)
        if ((ver[i] < fix[i]))
        {
          if (report_verbosity)
          {
            version = ver[0] + '.' + ver[1] + '.' + ver[2] + '.' + ver[3];
    
            report =
              '\n' +
              'UltraVNC Viewer ' + version + ' is installed under :\n' +
              '\n' +
              '  ' + path + '\n';
            security_hole(port:port, extra:report);
          }
          else security_hole(port);
          break;
        }
        else if (ver[i] > fix[i])
          break;
    }
    
    
  • NASL family: Windows
    NASL id: TIGHTVNC_1_3_10.NASL
    description: The installed version of TightVNC Viewer is earlier than 1.3.10. Such versions reportedly miscalculate a buffer size on the heap. If an attacker can trick a user on the remote host into connecting to a malicious server, he can probably exploit this issue using specially crafted messages to execute code on the affected host subject to the user's privileges.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 35702
    published: 2009-02-18
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/35702
    title: TightVNC Viewer < 1.3.10 Multiple Integer Overflows
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(35702);
      script_version("1.10");
      script_cvs_date("Date: 2018/11/15 20:50:29");
    
      script_cve_id("CVE-2009-0388");
      script_bugtraq_id(33568);
    
      script_name(english:"TightVNC Viewer < 1.3.10 Multiple Integer Overflows");
      script_summary(english:"Checks version of vncviewer.exe");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host has an application that is affected by
    multiple integer overflows.");
      script_set_attribute(attribute:"description", value:
    "The installed version of TightVNC Viewer is earlier than 1.3.10. Such
    versions reportedly miscalculate a buffer size on the heap. If an
    attacker can trick a user on the remote host into connecting to a
    malicious server, he can probably exploit this issue using specially
    crafted messages to execute code on the affected host subject to the
    user's privileges.");
      script_set_attribute(attribute:"see_also", value:"http://www.coresecurity.com/content/vnc-integer-overflows");
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.securityfocus.com/archive/1/500632/30/0/threaded"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?4987740c"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade to TightVNC 1.3.10 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_cwe_id(189);
    
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/02/18");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
    
      script_dependencies("smb_enum_services.nasl", "smb_hotfixes.nasl");
      script_require_keys("SMB/Registry/Enumerated");
      script_require_ports(139, 445);
    
      exit(0);
    }
    
    
    include("smb_func.inc");
    include("audit.inc");
    include("smb_hotfixes.inc");
    
    
    if (!get_kb_item("SMB/Registry/Enumerated")) exit(0);
    
    
    function display_dword (dword, nox)
    {
     local_var tmp;
    
     if (isnull(nox) || (nox == FALSE))
       tmp = "0x";
     else
       tmp = "";
    
     return string (tmp,
                   toupper(
                      hexstr(
                        raw_string(
                                   (dword >>> 24) & 0xFF,
                                   (dword >>> 16) & 0xFF,
                                   (dword >>> 8) & 0xFF,
                                   dword & 0xFF
                                  )
                            )
                          )
                   );
    }
    
    
    # Detect where TightVNC's installed.
    #
    # nb: don't exit if a key isn't found -- we'll check another location later.
    list = get_kb_list("SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/*/DisplayName");
    if (isnull(list)) exit(0);
    key = NULL;
    foreach name (keys(list))
    {
      prod = list[name];
      if (prod && prod =~ "^TightVNC")
      {
        key = ereg_replace(pattern:"^SMB\/Registry\/HKLM\/(.+)\/DisplayName$", replace:"\1", string:name);
        key = str_replace(find:"/", replace:"\", string:key);
        break;
      }
    }
    
    
    # Connect to the appropriate share.
    name    =  kb_smb_name();
    port    =  kb_smb_transport();
    login   =  kb_smb_login();
    pass    =  kb_smb_password();
    domain  =  kb_smb_domain();
    
    
    
    if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');
    rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
    if (rc != 1) {
      NetUseDel();
      exit(0);
    }
    
    
    # Connect to remote registry.
    hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
    if (isnull(hklm))
    {
      NetUseDel();
      exit(0);
    }
    
    
    # Find the install path.
    path = NULL;
    
    if (!isnull(key))
    {
      key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
      if (!isnull(key_h))
      {
        item = RegQueryValue(handle:key_h, item:"InstallLocation");
        if (!isnull(item))
        {
          path = item[1];
          path = ereg_replace(pattern:"^(.+)\\$", replace:"\1", string:path);
        }
    
        RegCloseKey(handle:key_h);
      }
    }
    # - Look in alternate locations if we haven't found it yet.
    if (isnull(path))
    {
      key = "SOFTWARE\Classes\VNC.ConnectionInfo\shell\open\command";
      key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
      if (!isnull(key_h))
      {
        item = RegQueryValue(handle:key_h, item:NULL);
        if (!isnull(item))
          path = ereg_replace(pattern:'^"(.+)\\\\vncviewer\\.exe".*$', replace:"\1", string:item[1]);
    
        RegCloseKey(handle:key_h);
      }
    }
    RegCloseKey(handle:hklm);
    if (isnull(path))
    {
      NetUseDel();
      exit(0);
    }
    
    
    # Grab the version and description from the executable.
    share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:path);
    exe =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\vncviewer.exe", string:path);
    NetUseDel(close:FALSE);
    
    rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
    if (rc != 1)
    {
      NetUseDel();
      exit(0);
    }
    
    fh = CreateFile(
      file:exe,
      desired_access:GENERIC_READ,
      file_attributes:FILE_ATTRIBUTE_NORMAL,
      share_mode:FILE_SHARE_READ,
      create_disposition:OPEN_EXISTING
    );
    
    desc = NULL;
    ver = NULL;
    if (!isnull(fh))
    {
      ver = GetFileVersion(handle:fh);
    
      ret = GetFileVersionEx(handle:fh);
      if (!isnull(ret)) children = ret['Children'];
      if (!isnull(children))
      {
        varfileinfo = children['VarFileInfo'];
        if (!isnull(varfileinfo))
        {
          translation =
            (get_word (blob:varfileinfo['Translation'], pos:0) << 16) +
            get_word (blob:varfileinfo['Translation'], pos:2);
          translation = tolower(display_dword(dword:translation, nox:TRUE));
        }
        stringfileinfo = children['StringFileInfo'];
        if (!isnull(stringfileinfo) && !isnull(translation))
        {
          data = stringfileinfo[translation];
          if (!isnull(data)) desc = data['ProductName'];
          else
          {
            data = stringfileinfo[toupper(translation)];
            if (!isnull(data)) desc = data['ProductName'];
          }
        }
      }
    
      CloseFile(handle:fh);
    }
    NetUseDel();
    
    
    # Check the version number as long as it's TightVNC.
    if (
      !isnull(ver) &&
      !isnull(desc) && "TightVNC" >< desc
    )
    {
      fix = split("1.3.10", sep:'.', keep:FALSE);
      for (i=0; i<max_index(fix); i++)
        fix[i] = int(fix[i]);
    
      for (i=0; i<max_index(ver); i++)
        if ((ver[i] < fix[i]))
        {
          if (report_verbosity)
          {
            version = string(ver[0], ".", ver[1], ".", ver[2]);
    
            report = string(
              "\n",
              "TightVNC Viewer ", version, " is installed under :\n",
              "\n",
              "  ", path, "\n"
            );
            security_hole(port:port, extra:report);
          }
          else security_hole(port);
          break;
        }
        else if (ver[i] > fix[i])
          break;
    }
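
Both plugins above decide "vulnerable" by walking the dotted file version of vncviewer.exe component by component against the fixed version (1.0.5.4 for UltraVNC, 1.3.10 for TightVNC). Note that the TightVNC plugin splits "1.3.10" into three components but loops over every component of ver, so a four-part file version reaches fix[3], which does not exist. The following is an added C example written for this page, not Tenable's code and not NASL: it implements the same less-than test with missing trailing components treated as zero, so 1.3.10.0 compares equal to 1.3.10, and refuses to compare strings it cannot parse instead of silently comparing garbage. Function and constant names are my own.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define MAX_COMPONENTS 8   /* assumed upper bound on dotted components */

/* Parse a dotted version such as "1.0.5.4" into integer components.
 * Returns the component count, or -1 on malformed input (empty, non-digit,
 * empty component, trailing dot, too many components). */
static int parse_version(const char *s, long out[MAX_COMPONENTS])
{
    int n = 0;
    const char *p = s;
    while (*p) {
        if (!isdigit((unsigned char)*p) || n == MAX_COMPONENTS) return -1;
        char *end;
        out[n++] = strtol(p, &end, 10);
        p = end;
        if (*p == '.') {
            p++;
            if (!*p) return -1;           /* "1.3." is malformed */
        } else if (*p) {
            return -1;                    /* "1.3x" is malformed */
        }
    }
    return n == 0 ? -1 : n;
}

/* Component-wise comparison; missing trailing components count as 0, so
 * "1.3.10" == "1.3.10.0" and "1.3.9.4" < "1.3.10". Writes -1/0/1 to *result
 * and returns 0, or returns -1 without touching *result if either side is unparseable. */
int version_cmp(const char *a, const char *b, int *result)
{
    long va[MAX_COMPONENTS] = {0}, vb[MAX_COMPONENTS] = {0};
    int na = parse_version(a, va), nb = parse_version(b, vb);
    if (na < 0 || nb < 0) return -1;
    int n = na > nb ? na : nb;
    *result = 0;
    for (int i = 0; i < n; i++) {
        if (va[i] < vb[i]) { *result = -1; break; }
        if (va[i] > vb[i]) { *result = 1; break; }
    }
    return 0;
}

/* Same decision the plugins make: 1 if installed < fixed, 0 if not,
 * -1 if a version string is malformed (do not guess either way). */
int is_vulnerable(const char *installed, const char *fixed)
{
    int cmp;
    if (version_cmp(installed, fixed, &cmp) < 0) return -1;
    return cmp < 0;
}
```

is_vulnerable("1.3.9.0", "1.3.10") returns 1 and is_vulnerable("1.3.10.0", "1.3.10") returns 0; a string like "1.3.x" returns -1 rather than a silent "not vulnerable".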
    

Packetstorm

data source: https://packetstormsecurity.com/files/download/74789/tightvnc-overflow.txt
id: PACKETSTORM:74789
last seen: 2016-12-05
published: 2009-02-09
reporter: desi
source: https://packetstormsecurity.com/files/74789/TightVNC-Integer-Overflow.html
title: TightVNC Integer Overflow

Saint

bid: 33568
description: UltraVNC ClientConnection integer overflow
id: misc_vncview
title: ultravnc_clientconnection_int
type: client

Seebug

  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:10585
    last seen: 2017-11-19
    modified: 2009-02-10
    published: 2009-02-10
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-10585
    title: TightVNC Authentication Failure Integer Overflow PoC
  • bulletinFamily: exploit
    description: BUGTRAQ ID: 33568
    CVE(CAN) ID: CVE-2009-0388

    UltraVNC and TightVNC are both open-source remote terminal software. The UltraVNC and TightVNC clients contain multiple integer overflow vulnerabilities. The vulnerable functions are:
      . 'ClientConnection::CheckBufferSize'
      . 'ClientConnection::CheckFileZipBufferSize'
    UltraVNC 1.0.2 and earlier call the vulnerable functions from:
      . 'ClientConnection::ReadServerCutText() : 3859'
      . 'ClientConnection::Authenticate() : 1701'
    TightVNC 1.3.9 and earlier call the vulnerable functions from:
      . 'ClientConnection::ReadServerCutText() : 2951'
      . 'ClientConnection::ReadFailureReason() : 3066'
    Because the code is shared, other VNC clients may also be affected. The integer overflow arises as follows:

      /-----------
      unsigned int len; /* note the *unsigned int* */
      // read len from the net
      len = network.read_placeholder();
      // check the size to ensure the network read buffer is as big as needed
      CheckBufferSize( len ); // or CheckZipBufferSize(len);
      // use the network read buffer
      // ...
      - -----------/

    Here CheckBufferSize is:

      /----------- (ClientConnection.cpp)
      4185: // Makes sure netbuf is at least as big as the specified size.
      4186: // Note that netbuf itself may change as a result of this call.
      4187: // Throws an exception on failure.
      4188: void ClientConnection::CheckBufferSize(int bufsize)
      4189: {
      4190:     if (m_netbufsize > bufsize) return;
      ...
      ...
      - -----------/

    and CheckZipBufferSize is:

      /----------- (ClientConnection.cpp)
      4238: void ClientConnection::CheckFileZipBufferSize(int bufsize)
      4239: {
      4240:     unsigned char *newbuf;
      4241:
      4242:     if (m_filezipbufsize > bufsize) return;
      ...
      ...
      - -----------/

    Functions such as CheckFileZipBufferSize() and CheckFileChunkBufferSize() have the same problem. The overflow is triggered by the mismatch between the bufsize parameter (signed int) and the m_netbufsize and m_filezipbufsize buffer sizes (unsigned long): the length read from the server as an unsigned int is passed through the signed parameter before the size check.

    Affected:
      TightVNC TightVNC 1.3.9
      UltraVNC UltraVNC 1.0.5
      UltraVNC UltraVNC 1.0.2

    Vendor patch:
    UltraVNC
    --------
    The vendor has released an updated build that fixes this issue; download it from the vendor's site:
      http://support1.uvnc.com/download/vncviewer_1054_w32.zip
      http://support1.uvnc.com/download/vncviewer_1054_X64.zip
    id: SSV:4712
    last seen: 2017-11-19
    modified: 2009-02-04
    published: 2009-02-04
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-4712
    title: UltraVNC and TightVNC client integer overflow vulnerability
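
The signedness error that the Summary and the Seebug description above describe, reduced to a runnable model. This is an added example written for this page, not code from UltraVNC, TightVNC, Core Security or any PoC listed here. Everything in it is an assumption made for illustration: the struct conn layout, the 4096-byte starting buffer, the 1 MiB cap in MAX_CUT_TEXT_LEN, the outcome codes and the function names. The stored size field is modelled as int (the Seebug text gives the real fields as unsigned long; the CheckBufferSize parameter is an int in both products, which is the conversion the example exercises). The ServerCutText header layout (type byte 3, three padding bytes, 32-bit big-endian length) is the standard RFB message the advisory names as a trigger. The vulnerable path detects the out-of-bounds read rather than performing it, so the program is safe to run.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Model of the viewer's receive buffer. The int size field is an assumption of
 * this example; the CheckBufferSize parameter really is an int in both products. */
struct conn {
    char *netbuf;
    int   netbufsize;
};

#define MAX_CUT_TEXT_LEN (1u << 20)   /* assumed cap for the hardened path: 1 MiB */

enum outcome {
    OUT_OK = 0,             /* text copied into a buffer that really is big enough */
    OUT_REJECTED = 1,       /* hardened check refused the announced length */
    OUT_HEAP_OVERFLOW = 2,  /* the follow-on read would exceed the buffer (not performed) */
    OUT_ALLOC_FAIL = 3,
    OUT_SHORT_MSG = 4       /* constructed message carries fewer bytes than announced */
};

int conn_init(struct conn *c, int size)
{
    c->netbuf = malloc((size_t)size);
    c->netbufsize = c->netbuf ? size : 0;
    return c->netbuf != NULL;
}

void conn_free(struct conn *c) { free(c->netbuf); c->netbuf = NULL; c->netbufsize = 0; }

/* Vulnerable shape quoted on this page: the wire length arrives as a signed int.
 * Any length >= 0x80000000 is negative here, so the early return fires, the buffer
 * keeps its old size, and the caller goes on to read `len` bytes into it.
 * (bufsize + 1 also wraps for INT_MAX; that second bug is not exercised here.) */
static int vuln_check_buffer_size(struct conn *c, int bufsize)
{
    if (c->netbufsize > bufsize) return 0;      /* 4096 > -256: return without growing */
    char *nb = malloc((size_t)bufsize + 1);
    if (!nb) return -1;
    free(c->netbuf);
    c->netbuf = nb;
    c->netbufsize = bufsize + 1;
    return 1;
}

/* Hardened form: keep the wire length unsigned, bound it before it reaches any
 * signed arithmetic, and only then compare and grow. */
static int safe_check_buffer_size(struct conn *c, uint32_t wire_len)
{
    if (wire_len > MAX_CUT_TEXT_LEN) return -1;
    if ((uint32_t)c->netbufsize > wire_len) return 0;
    size_t want = (size_t)wire_len + 1;         /* cannot wrap: wire_len <= 1 MiB */
    char *nb = malloc(want);
    if (!nb) return -1;
    free(c->netbuf);
    c->netbuf = nb;
    c->netbufsize = (int)want;
    return 1;
}

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* RFB ServerCutText: 1 byte type (3), 3 bytes padding, 4-byte big-endian length, text. */
enum outcome handle_server_cut_text(struct conn *c, const uint8_t *msg, size_t msglen, int hardened)
{
    if (msglen < 8 || msg[0] != 3) return OUT_REJECTED;
    uint32_t len = be32(msg + 4);
    if (hardened) {
        if (safe_check_buffer_size(c, len) < 0) return OUT_REJECTED;
    } else {
        /* (int)len is the signedness error; on gcc/clang 0xFFFFFF00 becomes -256. */
        if (vuln_check_buffer_size(c, (int)len) < 0) return OUT_ALLOC_FAIL;
    }
    /* The real client now calls ReadExact(m_netbuf, len); detect what that read would do. */
    if ((size_t)len > (size_t)c->netbufsize) return OUT_HEAP_OVERFLOW;
    if (msglen - 8 < len) return OUT_SHORT_MSG;
    memcpy(c->netbuf, msg + 8, len);
    return OUT_OK;
}

/* Build one constructed message, as a malicious server would send it, with the
 * given announced length, and push it through either path on a fresh 4096-byte buffer. */
enum outcome run_cut_text(uint32_t wire_len, int hardened)
{
    struct conn c;
    if (!conn_init(&c, 4096)) return OUT_ALLOC_FAIL;
    size_t payload = wire_len <= (1u << 16) ? wire_len : 0;  /* real text only for small lengths */
    uint8_t *msg = malloc(8 + payload);
    if (!msg) { conn_free(&c); return OUT_ALLOC_FAIL; }
    msg[0] = 3; msg[1] = msg[2] = msg[3] = 0;
    msg[4] = (uint8_t)(wire_len >> 24); msg[5] = (uint8_t)(wire_len >> 16);
    msg[6] = (uint8_t)(wire_len >> 8);  msg[7] = (uint8_t)wire_len;
    memset(msg + 8, 'A', payload);
    enum outcome r = handle_server_cut_text(&c, msg, 8 + payload, hardened);
    free(msg);
    conn_free(&c);
    return r;
}
```

run_cut_text(0xFFFFFF00u, 0) returns OUT_HEAP_OVERFLOW: the cast turns the length into -256, the early return in vuln_check_buffer_size leaves the 4096-byte buffer alone, and the client would then read 4294967040 bytes into it. The same message on the hardened path returns OUT_REJECTED at the cap check, before any signed value is formed. Ordinary lengths (5 bytes, or 8192 bytes that force a grow) succeed on both paths, which is the property a fix has to preserve.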