CVE-2001-0167
published 2001-05-03

Priority: P344, high
CVSS 2.0: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 50.81% (98.8th percentile)
Buffer overflow in AT&T WinVNC (Virtual Network Computing) client 3.3.3r7 and earlier allows remote attackers to execute arbitrary commands via a long rfbConnFailed packet with a long reason string.

Affected

1 range

Vendor | Product | Version range | Fixed in
att    | winvnc  | <= 3.3.3r7    |

Detection & IOCs (extracted from sources)

filename: vncviewer.exe
port: 5900
other: RFB 003.003\n
bytes: \x00\x00\x00\x00\x00\x00\x04\x06
  • Detect exploit attempts by monitoring VNC sessions on TCP/5900 in which the server sends an rfbConnFailed packet with an oversized reason string (~993+ bytes following the 8-byte header \x00\x00\x00\x00\x00\x00\x04\x06).
  • Flag VNC handshake sequences where the server sends 'RFB 003.003' and immediately follows with a large rfbConnFailed payload exceeding normal reason-string lengths, indicative of a rogue/malicious VNC server targeting a connecting client.
  • The exploit payload bad-character set can help tune IDS signatures: bytes \x00\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40 will NOT appear in the shellcode portion of the malicious packet.
  • Monitor for vncviewer.exe spawning unexpected child processes or threads, as the exploit uses EXITFUNC=thread to avoid crashing the viewer process after shellcode execution.
  • The Metasploit module targets specific Windows OS/SP combinations with hardcoded return addresses; the exploit will fail or crash the client on non-targeted platforms.
  • The exploit operates as a rogue server (listener), not a client-side scanner — the attacker must wait for a VNC client to connect to their malicious server on the configured SRVPORT (default 5900).
  • Payload space is constrained to 500 bytes with MaxNops=0 and a stack adjustment of -3500; custom payloads exceeding this space will not function correctly.
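
The length check described in the detection notes above, as an added example (not code from this page or from any VNC project). It inspects the reassembled server-to-client bytes of an RFB 3.3 handshake and alerts on the declared reason length. The 256-byte threshold, the function name and the sample streams are assumptions constructed for illustration.

```python
import struct

RFB_BANNER_LEN = 12      # "RFB xxx.yyy\n"
RFB_CONN_FAILED = 0      # RFB 3.3 security-type word: 0 = connection failed
MAX_REASON_LEN = 256     # assumed alert threshold; tune for your environment


def inspect_server_stream(data: bytes, max_reason: int = MAX_REASON_LEN) -> dict:
    """Classify the first server-to-client bytes of an RFB 3.3 handshake."""
    result = {"verdict": "incomplete", "version": None, "reason_len": None}
    if len(data) < RFB_BANNER_LEN:
        return result
    banner = data[:RFB_BANNER_LEN]
    if not (banner.startswith(b"RFB ") and banner.endswith(b"\n")):
        result["verdict"] = "not_rfb"
        return result
    result["version"] = banner[4:11].decode("ascii", "replace")
    if result["version"] != "003.003":
        # Later protocol versions frame the security types differently.
        result["verdict"] = "other_version"
        return result
    body = data[RFB_BANNER_LEN:]
    if len(body) < 4:
        return result
    (sec_type,) = struct.unpack(">I", body[:4])
    if sec_type != RFB_CONN_FAILED:
        result["verdict"] = "ok"
        return result
    if len(body) < 8:
        return result
    (reason_len,) = struct.unpack(">I", body[4:8])
    result["reason_len"] = reason_len
    # Alert on the declared length: the client acts on it before the
    # reason string itself has fully arrived.
    result["verdict"] = "alert" if reason_len > max_reason else "conn_failed"
    return result


# Constructed sample streams (filler bytes only, no payload).
REASON = b"Too many connections"
BENIGN = b"RFB 003.003\n" + struct.pack(">II", 0, len(REASON)) + REASON
OVERSIZED = b"RFB 003.003\n" + b"\x00\x00\x00\x00\x00\x00\x04\x06" + b"A" * 0x406

if __name__ == "__main__":
    for name, stream in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(name, inspect_server_stream(stream))
```
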