cbcvebase.
CVE-2006-1652
published 2006-04-06

Priority: P2 (61)
Severity: critical
CVSS 2.0: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Exploit: available
EPSS: 67.40% (99.2nd percentile)
Multiple buffer overflows in (a) UltraVNC (aka Ultr@VNC) 1.0.1 and earlier and (b) tabbed_viewer 1.29 (1) allow user-assisted remote attackers to execute arbitrary code via a malicious server that sends a long string to a client that connects on TCP port 5900, which triggers an overflow in Log::ReallyPrint; and (2) allow remote attackers to cause a denial of service (server crash) via a long HTTP GET request to TCP port 5800, which triggers an overflow in VNCLog::ReallyPrint.

Affected (2 ranges)

Vendor     Product         Version range   Fixed in
ultravnc   tabbed_viewer   -               -
ultravnc   vnc_viewer      -               -

Detection & IOCs (extracted from sources)

  • port: 5900/tcp
  • port: 5800/tcp
  • command: RFB 003.006\n
  • other: Requires Ultr@VNC Authentication\n
  • bytes: \xE0\x3A\xB4\x76
  • bytes: \xE9\x1B\xFC\xFF\xFF
  • bytes: \x00\x00\x00\x00\x00\x00\x04\x06
  • bytes: \x7c\x2e\xc6\x8b
  • bytes: \x77\xdc\x15\xc0
  • bytes: \x76\xaa\x67\x9b

  • Detect a rogue VNC server on TCP 5900 sending an oversized authentication error string. The malicious server sends the VNC handshake 'RFB 003.006\n', then a packet beginning with 8 null/length bytes followed by 'Requires Ultr@VNC Authentication\n' and a large buffer (>1024 bytes) to trigger Log::ReallyPrint overflow in the connecting client.
  • Detect an oversized HTTP GET request to TCP port 5800 (UltraVNC HTTP viewer port) that triggers a buffer overflow in VNCLog::ReallyPrint, causing a server crash (DoS).
  • The exploit payload on TCP/5900 contains the 8-byte header \x00\x00\x00\x00\x00\x00\x04\x06 immediately followed by the string 'Requires Ultr@VNC Authentication\n'. Network signatures should match this byte sequence at the start of the server-to-client data after the RFB handshake.
  • The Metasploit module acts as a rogue VNC server (SRVPORT 5900) and appends the literal string 'PASSWORD' followed by a relative JMP after the return address in the overflow buffer. Presence of 'PASSWORD' at offset ~988 bytes into the server reply is a strong exploit indicator.
  • The Python PoC exploit uses winmm.dll JMP ESP gadget at 0x76B43AE0 (little-endian: \xE0\x3A\xB4\x76) as the return address for Windows XP SP2. Presence of this 4-byte sequence at the RET offset in a VNC server reply indicates active exploitation.
  • The Python PoC exploit (27568) is hardcoded for Windows XP SP2 using a winmm.dll JMP ESP gadget. The Metasploit module provides separate return addresses for Windows 2000 SP4, XP SP2, and 2003 SP1; detection signatures based on RET addresses must account for all three variants.
  • The overflow is triggered client-side (victim connects to attacker-controlled server on port 5900), not server-side. Standard perimeter rules blocking inbound 5900 will NOT protect users connecting outbound to malicious VNC servers.
  • The payload space in the Metasploit module is limited to 500 bytes with no null bytes allowed, and requires a stack adjustment of -3500. Custom shellcode must respect these constraints or the exploit will fail.
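As an added example, not code from the page or its cited sources, the following Python check implements the first detection note above for the server-to-client side of a TCP/5900 session. It reads the 8 bytes after the RFB banner as an RFB 3.3 "connection failed" reply (security type 0, then a big-endian reason length, so the IoC header \x00\x00\x00\x00\x00\x00\x04\x06 advertises a 1030-byte reason) and flags any reason longer than the 1024 bytes the note gives; the threshold and the sample streams are constructed here, not captures.

```python
import struct

RFB_BANNER_LEN = 12          # "RFB xxx.yyy\n", the 12-byte version string
ULTRAVNC_REASON = b"Requires Ultr@VNC Authentication\n"
REASON_LIMIT = 1024          # page: a reason buffer >1024 bytes overflows Log::ReallyPrint

def inspect_vnc_server_stream(data: bytes) -> dict:
    """Classify the server-to-client bytes of one TCP/5900 session.

    'verdict' is one of not_rfb, incomplete, benign, suspicious. For an RFB 3.3
    'connection failed' reply (security type 0) the advertised reason length
    and whether the reason opens with the UltraVNC string are reported too.
    """
    if len(data) < RFB_BANNER_LEN:
        return {"verdict": "incomplete"}
    banner = data[:RFB_BANNER_LEN]
    if not (banner.startswith(b"RFB ") and banner.endswith(b"\n")):
        return {"verdict": "not_rfb"}
    body = data[RFB_BANNER_LEN:]
    if len(body) < 4:
        return {"verdict": "incomplete", "banner": banner}
    sec_type = struct.unpack(">I", body[:4])[0]
    if sec_type != 0:        # 1 = None, 2 = VNC auth: normal path, no reason string follows
        return {"verdict": "benign", "banner": banner, "security_type": sec_type}
    if len(body) < 8:
        return {"verdict": "incomplete", "banner": banner}
    reason_len = struct.unpack(">I", body[4:8])[0]
    reason = body[8:8 + reason_len]
    finding = {
        "verdict": "benign",
        "banner": banner,
        "security_type": 0,
        "reason_len": reason_len,
        "reason_truncated": len(reason) < reason_len,   # stream ended before the full reason
        "ultravnc_reason": reason.startswith(ULTRAVNC_REASON),
    }
    if reason_len > REASON_LIMIT:
        finding["verdict"] = "suspicious"
    return finding

# Constructed sample streams (not captures) for trying the check.
BENIGN_AUTH = b"RFB 003.006\n" + b"\x00\x00\x00\x02" + b"\x00" * 16      # VNC auth, 16-byte challenge
BENIGN_FAIL = b"RFB 003.006\n" + b"\x00\x00\x00\x00" + struct.pack(">I", 9) + b"Too many\n"
# Same shape as the page's IoC: 4 zero bytes (failed), length 0x0406 = 1030, UltraVNC string, filler.
ROGUE_SERVER = (b"RFB 003.006\n" + b"\x00\x00\x00\x00\x00\x00\x04\x06"
                + ULTRAVNC_REASON + b"A" * (0x0406 - len(ULTRAVNC_REASON)))

if __name__ == "__main__":
    for name, stream in [("benign_auth", BENIGN_AUTH), ("benign_fail", BENIGN_FAIL), ("rogue", ROGUE_SERVER)]:
        print(name, inspect_vnc_server_stream(stream)["verdict"])
```

Because the victim is the connecting client, this check belongs on egress traffic (outbound connections to port 5900), not on the usual inbound rules.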