CVE-2001-0168
published 2001-05-03

CVE-2001-0168: Buffer overflow in AT&T WinVNC (Virtual Network Computing) server 3.3.3r7 and earlier allows remote attackers to execute arbitrary commands via a long HTTP GET…

Priority: P353
Severity: critical (CVSS 2.0 base score 10)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 70.73% (99.3rd percentile)
Buffer overflow in AT&T WinVNC (Virtual Network Computing) server 3.3.3r7 and earlier allows remote attackers to execute arbitrary commands via a long HTTP GET request when the DebugLevel registry key is greater than 0.

Affected (1 range)

Vendor  Product  Version range  Fixed in
att     winvnc   <= 3.3.3r7

Detection & IOCs (extracted from sources)

port: 5800
other: 0x779f4e39
other: 0x77bba3af
other: 0x71ab7bfb
command: GET /<payload><ret_addr>
bytes: BadChars: \x00\x09\x0a\x0b\x0c\x0d\x20\x0b
  • The exploit targets TCP port 5800 (the WinVNC HTTP web server interface) with an overly long HTTP GET request; monitor for abnormally large GET requests to port 5800.
  • The exploit payload is prepended with a '/' character and sent as the URI of the GET request; a GET request to port 5800 with a URI whose length approaches or exceeds 979 bytes is highly suspicious.
  • The vulnerability is only triggerable when the DebugLevel registry key is greater than 0 (non-default); check for this registry key being set on WinVNC hosts as an exposure indicator.
  • Return addresses used in exploitation target msvcrt.dll (NT4), comctl32.dll (Win2000), and ws2_32.dll (WinXP); stack traces or crash dumps referencing these return addresses during WinVNC crashes indicate exploitation attempts.
  • The vulnerability is only exploitable when the WinVNC DebugLevel registry key is set to a value greater than 0, which is a non-default configuration. Systems with default settings are not vulnerable.
  • The Metasploit module notes that this exploit does not work well with VNC payloads, limiting post-exploitation options via this vector.