CVE-2006-1652

UltraVNC and tabbed_viewer - Buffer Overflow via Long String on TCP Port 5900

Exploitation Summary

EIP tracks 6 public exploits for CVE-2006-1652. PoCs were published by Metasploit and Luigi Auriemma, including the Metasploit module exploits/windows/vnc/ultravnc_client.

AI-analyzed exploit summary: This exploit targets a buffer overflow in UltraVNC Win32 Viewer 1.0.1 by sending a maliciously crafted RFB protocol response to trigger remote code execution. It includes payload handling and specific return addresses for different Windows versions.

Description

Multiple buffer overflows in (a) UltraVNC (aka Ultr@VNC) 1.0.1 and earlier and (b) tabbed_viewer 1.29 (1) allow user-assisted remote attackers to execute arbitrary code via a malicious server that sends a long string to a client that connects on TCP port 5900, which triggers an overflow in Log::ReallyPrint; and (2) allow remote attackers to cause a denial of service (server crash) via a long HTTP GET request to TCP port 5800, which triggers an overflow in VNCLog::ReallyPrint.

Exploits (6)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/16490

This exploit targets a buffer overflow in UltraVNC Win32 Viewer 1.0.1 by sending a maliciously crafted RFB protocol response to trigger remote code execution. It includes payload handling and specific return addresses for different Windows versions.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: UltraVNC Win32 Viewer 1.0.1
No auth needed
Prerequisites: Network access to the target's VNC port (5900) · Target running UltraVNC Win32 Viewer 1.0.1
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Luigi Auriemma · c · dos · windows
https://www.exploit-db.com/exploits/1643

This exploit targets a buffer overflow vulnerability in Ultr@VNC <= 1.0.1 client by sending a maliciously crafted RFB protocol response with an oversized error message. It binds to port 5900 and waits for client connections to trigger the overflow.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Ultr@VNC <= 1.0.1
No auth needed
Prerequisites: Network access to the target · Target must initiate a connection to the malicious server
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Luigi Auriemma · c · dos · windows
https://www.exploit-db.com/exploits/1642

This exploit targets a buffer overflow vulnerability in Ultr@VNC <= 1.0.1 via a crafted HTTP request. It sends a long string to trigger the overflow, potentially causing a denial-of-service (DoS) condition.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: Ultr@VNC <= 1.0.1
No auth needed
Prerequisites: Network access to the target VNC server
devstral-2 · analyzed Feb 18, 2026

exploitdb WRITEUP VERIFIED
by Luigi Auriemma · text · remote · windows
https://www.exploit-db.com/exploits/27569

The provided text describes a remote buffer overflow vulnerability in UltraVNC due to improper bounds checking in error-logging functionality. Successful exploitation could lead to arbitrary code execution in the context of the application.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Theoretical
Target: UltraVNC (version not specified)
No auth needed
Prerequisites: Network access to the vulnerable UltraVNC service
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Luigi Auriemma · python · remote · windows
https://www.exploit-db.com/exploits/27568

This exploit targets a buffer overflow vulnerability in UltraVNC 1.0.1 by sending a maliciously crafted packet to the VNC server, leading to remote code execution (calc.exe). The PoC uses a standard buffer overflow technique with NOP sleds, a JMP instruction, and shellcode.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: UltraVNC 1.0.1
No auth needed
Prerequisites: Network access to the target VNC server on port 5900 · Vulnerable UltraVNC 1.0.1 installation
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC NORMAL
ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/vnc/ultravnc_client.rb

This Metasploit module exploits a buffer overflow in UltraVNC Win32 Viewer 1.0.1 by sending a maliciously crafted RFB protocol response to trigger remote code execution. The exploit leverages a stack-based overflow with a controlled return address to execute arbitrary payloads.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: UltraVNC Win32 Viewer 1.0.1
No auth needed
Prerequisites: Network access to the target's VNC port (5900) · Target running UltraVNC 1.0.1
devstral-2 · analyzed Feb 16, 2026

References (12)

Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/1642
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/25648
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/1643
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/25650
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/19513
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/430711/100/0/threaded
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/430287/100/0/threaded
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/1240
Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/674
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/429930/100/0/threaded
Mailing List mailing-list x_refsource_fulldisc
http://lists.grok.org.uk/pipermail/full-disclosure/2006-April/044901.html
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/17378

Scores

EPSS: 0.6740
EPSS Percentile: 99.2%

Details

CWE: CWE-119
Status: published
Products (2):
ultravnc/tabbed_viewer 1.29
ultravnc/vnc_viewer 1.0.1
Published: Apr 06, 2006
Tracked Since: Feb 18, 2026