CVE-2020-37133
BaseFortify
Publication date: 2026-02-05
Last updated on: 2026-02-09
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| uvnc | ultravnc | up to 1.2.4.0 (inclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2020-37133 is a denial of service vulnerability in UltraVNC Launcher version 1.2.4.0. It occurs due to a stack-based buffer overflow in the Repeater Host configuration field. An attacker can cause the application to crash by inputting an overly long string of 300 characters into this field.
This vulnerability arises from improper input handling in the Repeater Host property, which leads to application instability and crash when a specially crafted string is pasted into it.
How can this vulnerability impact me?
This vulnerability can cause the UltraVNC Launcher application to crash, resulting in a denial of service condition. This means legitimate users may be unable to use the application while it is crashed.
Since the attack requires local access and user interaction, an attacker with access to the system can disrupt the availability of the UltraVNC Launcher by exploiting this flaw.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to reproduce the crash condition on the UltraVNC Launcher application version 1.2.4.0. Specifically, by inputting a string of 300 characters into the Repeater Host configuration field, the application will crash if vulnerable.

A practical detection method involves running a provided Python script that generates the malicious input string, then pasting this string into the Repeater Host field in the UltraVNC Launcher properties to observe if the application crashes.

1. Run the Python script `UltraVNC_1.2.40-Launcher_RepeaterHost.py` to generate the test input.
2. Open the generated text file `UltraVNC_1.2.40-Launcher_RepeaterHost.txt` and copy its contents.
3. Launch the UltraVNC Launcher application.
4. Navigate to the "Properties" section.
5. Paste the copied string into the "Repeater host" field.
6. Click "OK" and observe if the application crashes, indicating the presence of the vulnerability. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the input of overly long strings (300 characters or more) into the Repeater Host configuration field of UltraVNC Launcher version 1.2.4.0.
Since the vulnerability requires local user interaction, restricting access to the UltraVNC Launcher application and limiting user permissions can reduce the risk of exploitation.
Additionally, monitoring for updates or patches from the vendor and applying them once available is recommended to fully remediate the vulnerability.