CVE-2001-0168
Published 2001-05-03
Priority: P3 · 53
CVSS 2.0: 10 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 70.73% (99.3rd percentile)
Buffer overflow in AT&T WinVNC (Virtual Network Computing) server 3.3.3r7 and earlier allows remote attackers to execute arbitrary commands via a long HTTP GET request when the DebugLevel registry key is greater than 0.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| att | winvnc | <= 3.3.3r7 | — |
Detection & IOCs (extracted from sources)
BadChars: \x00\x09\x0a\x0b\x0c\x0d\x20\x0b
- Exploit targets TCP port 5800 (WinVNC HTTP web server interface) with an overly long HTTP GET request; monitor for abnormally large GET requests to port 5800.
- The exploit payload is prepended with a '/' character and sent as the URI of the GET request; a GET request to port 5800 with a URI of length approaching or exceeding 979 bytes is highly suspicious.
- Vulnerability is only triggerable when the DebugLevel registry key is greater than 0 (non-default); check for this registry key being set on WinVNC hosts as an exposure indicator.
- Return addresses used in exploitation target msvcrt.dll (NT4), comctl32.dll (Win2000), and ws2_32.dll (WinXP); stack traces or crash dumps referencing these return addresses during WinVNC crashes indicate exploitation attempts.
- The vulnerability is only exploitable when the WinVNC DebugLevel registry key is set to a value greater than 0, which is a non-default configuration. Systems with default settings are not vulnerable.
- The Metasploit module notes that this exploit does not work well with VNC payloads, limiting post-exploitation options via this vector.
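A defender-side check for the indicators listed above: GET requests to TCP 5800 whose URI approaches the 979-byte payload space. This is an added example, not part of this record or of the Metasploit module; the sensor log format, the field names and the 900-byte alert threshold are assumptions.

```python
"""Flag oversized HTTP GET requests to the WinVNC web interface (TCP 5800).

The log format is a constructed, generic "src -> dst:port request-line"
layout chosen for this example; it is not a WinVNC or Metasploit artefact.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

WINVNC_HTTP_PORT = 5800
# The indexed module reports 979 bytes of payload space; alert somewhat below
# that so a URI merely "approaching" the buffer size is caught as well.
URI_LEN_THRESHOLD = 900  # assumption: tune to the environment

LINE_RE = re.compile(
    r'^(?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+) '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/1\.[01]"$'
)


@dataclass
class Alert:
    src: str
    dst: str
    uri_len: int
    reason: str


def analyse(line: str) -> Optional[Alert]:
    """Return an Alert when the line is a long GET to the WinVNC web port."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m or int(m["port"]) != WINVNC_HTTP_PORT or m["method"] != "GET":
        return None
    uri_len = len(m["uri"])
    if uri_len < URI_LEN_THRESHOLD:
        return None
    reason = f"GET URI of {uri_len} bytes (>= {URI_LEN_THRESHOLD}) to WinVNC HTTP port"
    return Alert(m["src"], m["dst"], uri_len, reason)


def scan(lines) -> List[Alert]:
    """Run analyse() over an iterable of log lines and collect the alerts."""
    return [a for a in (analyse(l) for l in lines) if a is not None]


# Constructed sample log: two normal requests, one 979-byte URI ('/' plus 978
# filler bytes) to port 5800, and the same long URI to an unrelated port.
SAMPLE_LOG = [
    '10.0.0.5 -> 10.0.0.20:5800 "GET / HTTP/1.0"',
    '10.0.0.5 -> 10.0.0.20:5800 "GET /index.vnc HTTP/1.0"',
    '10.0.0.9 -> 10.0.0.20:5800 "GET /' + "A" * 978 + ' HTTP/1.0"',
    '10.0.0.9 -> 10.0.0.30:80 "GET /' + "A" * 978 + ' HTTP/1.0"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.src} -> {alert.dst}: {alert.reason}")
```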
No detection rules found.
Exploit-DB: WinVNC Web Server 3.3.3r7 - GET Overflow (Metasploit), 2009-12-06
Module source as indexed (truncated):

```ruby
##
# $Id: winvnc_http_get.rb 7724 2009-12-06 05:50:37Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 'WinVNC Web Server %q{
This module exploits a buffer overflow in the AT&T WinVNC version
'patrick',
'License' => MSF_LICENSE,
'Version' => '$Revision: 7724 $',
'References' =>
  [
    [ 'BID', '2306' ],
    [ 'OSVDB', '6280' ],
    [ 'CVE', '2001-0168' ],
  ],
'Privileged' => true,
'DefaultOptions' =>
  {
    'EXITFUNC' => 'thread',
  },
'Payload' =>
  {
    'Space' => 979,
    'BadChars' => "\x00\x09\x0a\x0
```
Metasploit: WinVNC Web Server GET Overflow
This module exploits a buffer overflow in the AT&T WinVNC version <= v3.3.3r7 web server. When debugging mode with logging is enabled (non-default), an overly long GET request can overwrite the stack. This exploit does not work well with VNC payloads!
No writeups or analysis indexed.
References:
- http://marc.info/?l=vnc-list&m=98080763005455&w=2
- http://www.kb.cert.org/vuls/id/598581
- http://www.securityfocus.com/bid/2306
- https://exchange.xforce.ibmcloud.com/vulnerabilities/6026