[Full-Disclosure] SRT2004-01-17-0425 - Ultr@VNC local SYSTEM access.

Type securityvulns
Reporter Securityvulns
Modified 2004-01-19T00:00:00


Secure Network Operations, Inc. http://www.secnetops.com/research Strategic Reconnaissance Team research[at]secnetops[.]com Team Lead Contact kf[at]secnetops[.]com Spam Contact `rm -rf /`@snosoft.com

Our Mission:

Secure Network Operations offers expertise in Networking, Intrusion Detection Systems (IDS), Software Security Validation, and Corporate/Private Network Security. Our mission is to facilitate a secure and reliable Internet and inter-enterprise communications infrastructure through the products and services we offer.

To learn more about our company, products and services or to request a demo of ANVIL FCS please visit our site at http://www.secnetops.com, or call us at: 978-263-3829

Quick Summary:

Advisory Number : SRT2004-01-17-0425 Product : Ultr@VNC Version : 1.0.0 RC11 (tested) Vendor : http://ultravnc.sourceforge.net/ Class : Local Criticality : High (to Ultr@VNC users) Operating System(s) : Win32


1-2 day Early Warning List:

Secure Network Operations, inc. will very shortly have its own advisory notification mailing list. This list will notify you of advisories 1-2 days in advance of public release to other mailing lists. To subscribe please visit http://advisories.secnetops.com in the immediate future.

30-60 day Early Warning List:

Our early warning service will notify you of new vulnerabilities 30-60 days in advance of public release. This service has been created to protect companies by allowing them to repair security vulnerabilities before they become public knowledge. To purchase a one year subscription to this service please contact us at 978-263-3767.


Our advisories will contain full details excluding a working Proof of Concept. Our web page will contain our working proof of concept for the advisory if it exists. Yes folks this is a policy change for us. We will exercise our own disgression in regards to delay of exploit release vs advisory release. List subscribers will have advanced access to working proof of concept code depending on the severity and list subscription type.

Basic Explanation

High Level Description : Ultr@VNC provides local SYSTEM access.

What to do : remove faulty ShellExecute() statements.

Basic Technical Details

Proof Of Concept Status : SNO has Proof of Concept.

Low Level Description : Ultr@VNC is a client/server software that allows you to remotely control a computer over any TCP/IP connection as if you were in front of it. It is Free and distributed under the terms of the GNU General Public License. Ultr@VNC supports Win9x/Me/NT4/Win2000/XP.

[kfinisterre@CloneRiot Ultravnc]$ grep ShellExecute . -rn ./src/ultravnc/winvnc/winvnc/vncmenu.cpp:423: ShellExecute(GetDesktopWindow(), "open", "http://ultravnc.sourceforge.net/help.htm", "", 0, SW_SHOWNORMAL); ./src/ultravnc/winvnc/winvnc/vncmenu.cpp:426: ShellExecute(GetDesktopWindow(), "open", "http://ultravnc.sourceforge.net/index.html", "", 0, SW_SHOWNORMAL); Binary file ./winvnc.exe matches Binary file ./french/winvnc.exe matches

In order to exploit this issue you simply need to right click on the tray icon for Ultr@VNC, select either "Online Help" or "Home Page". You will find that IEXPLORE.EXE is running as SYSTEM. You can simply type in the address bar "C:\WINNT\SYSTEM32" and press enter. Locate cmd.exe and right click on it and selece Open. At this point in time you will have a command prompt running as SYSTEM.

An example of exploitation can be viewed (without registration) at: http://www.secnetops.biz/images/SRT2004-01-17-0425.jpg

Vendor Status : Vendor is working on a fix for this issue. A vendor supplied patch should be supplied in the next release.

Work Around : Comment out the ShellExecute() statements on both line 423 and 426 of vncmenu.cpp. Recompile and reinstall the app.

Bugtraq URL : To be assigned.


This advisory was released by Secure Network Operations,Inc. as a matter of notification to help administrators protect their networks against the described vulnerability. Release of exploit code is done at our own disgression.

All content of this advisory is property of Secure Network Operations.

Secure Network Operations, Inc. || http://www.secnetops.com "Embracing the future of technology, protecting you."