SRT2004-01-17-0425 - Ultr@VNC local SYSTEM access.

[KF <dotslash@xxxxxxxxxxx>]

Yeah I know this one is short... theres a couple more on the way with 
more in depth details.

-KF

Secure Network Operations, Inc.             http://www.secnetops.com/research
Strategic Reconnaissance Team               research[at]secnetops[.]com
Team Lead Contact                           kf[at]secnetops[.]com
Spam Contact                                `rm -rf /`@snosoft.com

Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion 
Detection Systems (IDS), Software Security Validation, and 
Corporate/Private Network Security. Our mission is to facilitate a 
secure and reliable Internet and inter-enterprise communications 
infrastructure through the products and services we offer. 

To learn more about our company, products and services or to request a 
demo of ANVIL FCS please visit our site at http://www.secnetops.com, or 
call us at: 978-263-3829


Quick Summary:
************************************************************************
Advisory Number         : SRT2004-01-17-0425
Product                 : Ultr@VNC
Version                 : 1.0.0 RC11 (tested)
Vendor                  : http://ultravnc.sourceforge.net/
Class                   : Local
Criticality             : High (to Ultr@VNC users) 
Operating System(s)     : Win32 


Notice
************************************************************************
1-2 day Early Warning List:
---------------------------
Secure Network Operations, inc. will very shortly have its own advisory 
notification mailing list. This list will notify you of advisories 1-2 
days in advance of public release to other mailing lists. To subscribe 
please visit http://advisories.secnetops.com in the immediate future. 

30-60 day Early Warning List:
-----------------------------
Our early warning service will notify you of new vulnerabilities 30-60 
days in advance of public release. This service has been created to protect 
companies by allowing them to repair security vulnerabilities before they 
become public knowledge. To purchase a one year subscription to this 
service please contact us at 978-263-3767.

Alert
***********************************************************************
Our advisories will contain full details excluding a working Proof of 
Concept. Our web page will contain our working proof of concept for the 
advisory if it exists. Yes folks this is a policy change for us. We 
will exercise our own disgression in regards to delay of exploit release
vs advisory release. List subscribers will have advanced access to working
proof of concept code depending on the severity and list subscription type. 

Basic Explanation
************************************************************************
High Level Description  : Ultr@VNC provides local SYSTEM access. 

What to do              : remove faulty ShellExecute() statements.

Basic Technical Details
************************************************************************
Proof Of Concept Status : SNO has Proof of Concept. 

Low Level Description   : Ultr@VNC is a client/server software that allows 
you to remotely control a computer over any TCP/IP connection as if you 
were in front of it. It is Free and distributed under the terms of the GNU 
General Public License. Ultr@VNC supports Win9x/Me/NT4/Win2000/XP.

[kfinisterre@CloneRiot Ultravnc]$ grep ShellExecute . -rn
./src/ultravnc/winvnc/winvnc/vncmenu.cpp:423: ShellExecute(GetDesktopWindow(), 
"open", "http://ultravnc.sourceforge.net/help.htm";, "", 0, SW_SHOWNORMAL);
./src/ultravnc/winvnc/winvnc/vncmenu.cpp:426: ShellExecute(GetDesktopWindow(), 
"open", "http://ultravnc.sourceforge.net/index.html";, "", 0, SW_SHOWNORMAL);
Binary file ./winvnc.exe matches
Binary file ./french/winvnc.exe matches 

In order to exploit this issue you simply need to right click on the tray
icon for Ultr@VNC, select either "Online Help" or "Home Page". You will 
find that IEXPLORE.EXE is running as SYSTEM. You can simply type in the 
address bar "C:\WINNT\SYSTEM32" and press enter. Locate cmd.exe and right 
click on it and selece Open. At this point in time you will have a command
prompt running as SYSTEM. 

An example of exploitation can be viewed (without registration) at:
http://www.secnetops.biz/images/SRT2004-01-17-0425.jpg

Vendor Status           : Vendor is working on a fix for this issue. A vendor
supplied patch should be supplied in the next release. 

Work Around             : Comment out the ShellExecute() statements on both 
line 423 and 426 of vncmenu.cpp. Recompile and reinstall the app. 

Bugtraq URL             : To be assigned. 

Disclaimer
----------------------------------------------------------------------
This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Release of exploit code is done at our 
own disgression. 
----------------------------------------------------------------------
All content of this advisory is property of Secure Network Operations.
----------------------------------------------------------------------
Secure Network Operations, Inc. || http://www.secnetops.com
"Embracing the future of technology, protecting you."