UltraVNC repeater versions prior to ultravnc_repeater_1300 do not restrict usage by IP address by default and cannot restrict by ports, which may be leveraged to induce connections to arbitrary hosts using any port.
CWE-16: Configuration - CVE-2016-5673
UltraVNC repeater acts as a proxy to route remote desktop VNC connections. IP addresses are not restricted in default configurations, and ports cannot be selectively restricted. Consequently, in a default installation, a repeater can be caused to initiate connections to arbitrary hosts using any port. To initiate a connection to a common web service, for instance, an attacker may request a connection to <IP>::<80><padding>, where padding consists of null bytes and the request length is 250 bytes.
A remote, unauthenticated attacker may induce a default-configured repeater to initiate connections to arbitrary hosts and services.
Update repeater configuration
Thanks to Yonathan Klijnsma and Dan Tentler for reporting this vulnerability.
This document was written by Joel Land.
|Date First Published:||2016-08-08|
|Date Last Updated:||2016-08-08 14:01 UTC|