CVE-2006-1652
Published 2006-04-06
Priority P2 (61) · CVSS 2.0 base score 9 (critical), vector AV:N/AC:L/Au:S/C:C/I:C/A:C
Exploit available · EPSS 67.40% (99.2nd percentile)
Multiple buffer overflows in (a) UltraVNC (aka Ultr@VNC) 1.0.1 and earlier and (b) tabbed_viewer 1.29 (1) allow user-assisted remote attackers to execute arbitrary code via a malicious server that sends a long string to a client that connects on TCP port 5900, which triggers an overflow in Log::ReallyPrint; and (2) allow remote attackers to cause a denial of service (server crash) via a long HTTP GET request to TCP port 5800, which triggers an overflow in VNCLog::ReallyPrint.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ultravnc | tabbed_viewer | — | — |
| ultravnc | vnc_viewer | — | — |
Detection & IOCs (extracted from sources)
Byte sequences:
- `\xE0\x3A\xB4\x76`
- `\xE9\x1B\xFC\xFF\xFF`
- `\x00\x00\x00\x00\x00\x00\x04\x06`
- `\x7c\x2e\xc6\x8b`
- `\x77\xdc\x15\xc0`
- `\x76\xaa\x67\x9b`
- Detect a rogue VNC server on TCP 5900 sending an oversized authentication error string. The malicious server sends the VNC handshake 'RFB 003.006\n', then a packet beginning with 8 null/length bytes followed by 'Requires Ultr@VNC Authentication\n' and a large buffer (>1024 bytes) to trigger the Log::ReallyPrint overflow in the connecting client.
- Detect an oversized HTTP GET request to TCP port 5800 (UltraVNC HTTP viewer port) that triggers a buffer overflow in VNCLog::ReallyPrint, causing a server crash (DoS).
- The exploit payload on TCP/5900 contains the 8-byte header \x00\x00\x00\x00\x00\x00\x04\x06 immediately followed by the string 'Requires Ultr@VNC Authentication\n'. Network signatures should match this byte sequence at the start of the server-to-client data after the RFB handshake.
- The Metasploit module acts as a rogue VNC server (SRVPORT 5900) and appends the literal string 'PASSWORD' followed by a relative JMP after the return address in the overflow buffer. Presence of 'PASSWORD' at offset ~988 bytes into the server reply is a strong exploit indicator.
- The Python PoC exploit uses a winmm.dll JMP ESP gadget at 0x76B43AE0 (little-endian: \xE0\x3A\xB4\x76) as the return address for Windows XP SP2. Presence of this 4-byte sequence at the RET offset in a VNC server reply indicates active exploitation.
- The Python PoC exploit (27568) is hardcoded for Windows XP SP2 using a winmm.dll JMP ESP gadget. The Metasploit module provides separate return addresses for Windows 2000 SP4, XP SP2, and 2003 SP1; detection signatures based on RET addresses must account for all three variants.
- The overflow is triggered client-side (the victim connects to an attacker-controlled server on port 5900), not server-side. Standard perimeter rules blocking inbound 5900 will NOT protect users connecting outbound to malicious VNC servers.
- The payload space in the Metasploit module is limited to 500 bytes with no null bytes allowed, and requires a stack adjustment of -3500. Custom shellcode must respect these constraints or the exploit will fail.
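The detection notes above describe the server-to-client bytes a defender can match on: an RFB 3.x version string, a security type of 0 (connection failed), and a 4-byte reason length far larger than the 1024-byte log buffer, followed by the 'Requires Ultr@VNC Authentication\n' marker. The parser below is an added example written for this page, not code from any of the listed sources; the benign and suspicious captures are constructed, and the filler content of the suspicious sample is arbitrary rather than a real exploit layout.

```python
import re
import struct

# Added example for CVE-2006-1652 detection (not from the page's sources).
# Parses RFB 3.x server-to-client data and flags the oversized failure reason.
RFB_VERSION_RE = re.compile(rb"^RFB (\d{3})\.(\d{3})\n")
AUTH_MARKER = b"Requires Ultr@VNC Authentication\n"
LOG_BUFFER = 1024  # client log buffer size that the reason string overruns
KNOWN_RET = {b"\xE0\x3A\xB4\x76": "winmm.dll JMP ESP, Windows XP SP2 (EDB 27568)"}

def parse_server_hello(stream: bytes):
    """Parse version + security type; on type 0 (failed) also length-prefixed reason."""
    m = RFB_VERSION_RE.match(stream)
    if not m or len(stream) < m.end() + 4:
        return None
    off = m.end()
    sec_type, = struct.unpack(">I", stream[off:off + 4])
    info = {"version": m.group(0)[4:-1].decode(), "security_type": sec_type,
            "reason_len": 0, "reason": b""}
    if sec_type == 0 and len(stream) >= off + 8:  # failed: u32 length + reason string
        info["reason_len"], = struct.unpack(">I", stream[off + 4:off + 8])
        info["reason"] = stream[off + 8:off + 8 + info["reason_len"]]
    return info

def inspect_server_reply(stream: bytes):
    """Return a list of findings for one server-to-client stream; [] means clean."""
    info = parse_server_hello(stream)
    findings = []
    if info is None or info["security_type"] != 0:
        return findings
    if info["reason_len"] > LOG_BUFFER:
        findings.append(f"oversized failure reason: {info['reason_len']} bytes > {LOG_BUFFER}")
    if info["reason"].startswith(AUTH_MARKER):
        findings.append("reason begins with 'Requires Ultr@VNC Authentication'")
    for sig, desc in KNOWN_RET.items():
        if sig in info["reason"]:
            findings.append(f"known return address {sig.hex()} ({desc})")
    if b"PASSWORD" in info["reason"]:
        findings.append("'PASSWORD' marker used by the Metasploit module")
    return findings

# Constructed samples. Benign: an ordinary 15-byte failure reason.
BENIGN = b"RFB 003.003\n" + b"\x00\x00\x00\x00" + b"\x00\x00\x00\x0f" + b"Too many tries\n"
# Suspicious: the page's 8-byte header (type 0, length 0x0406 = 1030), the marker,
# then constructed filler with the published RET bytes somewhere inside.
_filler = b"A" * (1030 - len(AUTH_MARKER) - 4) + b"\xE0\x3A\xB4\x76"
SUSPICIOUS = b"RFB 003.006\n" + b"\x00\x00\x00\x00\x00\x00\x04\x06" + AUTH_MARKER + _filler

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, inspect_server_reply(sample) or ["clean"])
```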
No detection rules found.
Exploit-DB: UltraVNC 1.0.1 - Client Buffer Overflow (Metasploit) (exploitdb, 2010-04-30)
---
```ruby
##
# $Id: ultravnc_client.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
class Metasploit3 'UltraVNC 1.0.1 Client Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in UltraVNC Win32
Viewer 1.0.1 Release.
},
'Author' => 'MC',
'License' => MSF_LICENSE,
'Version' => '$Revision: 9179 $',
'References' =>
[
[ 'CVE', '2006-1652' ],
[ 'OSVDB', '24456' ],
[ 'BID', '17378' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 500,
'BadChars'
```
Exploit-DB: UltraVNC 1.0.1 - Multiple Remote Error Logging Buffer Overflow Vulnerabilities (1) (exploitdb, 2006-04-04)
---
source: https://www.securityfocus.com/bid/17378/info
UltraVNC is susceptible to multiple error-logging remote buffer-overflow vulnerabilities. These issues are due to the application's failure to properly bounds-check user-supplied input before copying it to insufficiently sized memory buffers.
A successful attack may allow remote attackers to execute arbitrary code on a vulnerable computer to gain unauthorized access in the context of the application.
```python
#!/usr/bin/python
#Ultr@VNC 1.0.1 Client Buffer Overflow - Luigi Auriemma
#POC by Paul Haas at Redspin.com
#Tested on WinXP SP 2: Launches Calc
import socket, struct
HOST = '' # Localhost
PORT = 5900 # VNC Server
BOFSZ = 1024 # Buffer Size
HEAD = "RF
```
Exploit-DB: UltraVNC 1.0.1 - Multiple Remote Error Logging Buffer Overflow Vulnerabilities (2) (exploitdb, 2006-04-04)
---
source: https://www.securityfocus.com/bid/17378/info
UltraVNC is susceptible to multiple error-logging remote buffer-overflow vulnerabilities. These issues are due to the application's failure to properly bounds-check user-supplied input before copying it to insufficiently sized memory buffers.
A successful attack may allow remote attackers to execute arbitrary code on a vulnerable computer to gain unauthorized access in the context of the application.
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/27569.zip
Metasploit: UltraVNC 1.0.1 Client Buffer Overflow
This module exploits a buffer overflow in UltraVNC Win32 Viewer 1.0.1 Release.
No writeups or analysis indexed.
References:
- http://lists.grok.org.uk/pipermail/full-disclosure/2006-April/044901.html
- http://secunia.com/advisories/19513
- http://securityreason.com/securityalert/674
- http://www.securityfocus.com/archive/1/429930/100/0/threaded
- http://www.securityfocus.com/archive/1/430287/100/0/threaded
- http://www.securityfocus.com/archive/1/430711/100/0/threaded
- http://www.securityfocus.com/bid/17378
- http://www.vupen.com/english/advisories/2006/1240
- https://exchange.xforce.ibmcloud.com/vulnerabilities/25648
- https://exchange.xforce.ibmcloud.com/vulnerabilities/25650
- https://www.exploit-db.com/exploits/1642
- https://www.exploit-db.com/exploits/1643