
dinferno

join:1999-12-24
Brighton, MA
Reviews:
·RCN CABLE

1 edit

VNC Flaw

I think this falls under security (but feel free to move it)...

Excerpt from site:
In our previous post I discussed a flaw in VNC that we discovered by accident. It essentially allows you to access a host running Real VNC 4 without knowing the password.

I have put together a proof of concept web application. If you visit this page from the server or machine running VNC, it will attempt to connect back and display a snapshot. If it says you're safe - then hey, you're safe. If not, you've got to wonder how many million people have this installed and have a wide open security flaw.

Now it is still possible we are wrong, since every machine we have had the chance to test has been touched by our software. Try it and see if you are vulnerable - and remember you need to browse to the testing page *from* the machine running VNC, and this machine and VNC port has to be accessible from the Internet.
Linkage
»www.intelliadmin.com/blog/2006/0···ept.html

The site's being /. now, so it might take some time before one can try the app.


no__1__here
Premium
join:2003-10-13
Tomball, TX
Reviews:
·AT&T Southwest

1 edit

Is this the UltraVNC authentication flaw (can't get to the URL you posted to see)? If so SANS posted about it a couple of days ago. I say that only so that folks can find info elsewhere, not to diss your post.

quote:
06.18.13 CVE: Not Available
Platform: Third Party Windows Apps
Title: UltraVNC Weak Challenge-Response Authentication
Description: UltraVNC is susceptible to a weak challenge-response authentication vulnerability. This issue is due to the use of insecure encryption during the authentication process of UltraVNC when configured to utilize the Microsoft Logon authentication mechanism.
UltraVNC version 1.0.1 is vulnerable.
Ref: »www.securityfocus.com/bid/17824

EDIT:
Doh, I should read up on the morning's news before commenting! Perhaps you are referring to VNC 4? »it.slashdot.org/it/06/05/11/2344217.shtml


La Luna
Survived Ashraful
Premium
join:2001-07-12
Warwick, NY
kudos:3
Reviews:
·Vonage
·Optimum Online

said by no__1__here:

EDIT:
Doh, I should read up on the morning's news before commenting! Perhaps you are referring to VNC 4? »it.slashdot.org/it/06/05/11/2344217.shtml
It essentially allows you to access a host running Real VNC 4 without knowing the password.


--
~~Then the rainstorm came over me and I felt my spirit break; I had lost all of my belief you see, and realized my mistake...~~


jmorlan
Hmm... That's funny.
Premium,MVM
join:2001-02-05
Pacifica, CA
kudos:4

Apparently only RealVNC version 4.1.1 is affected. Version 4.0 is apparently immune.



NetFixer
Freedom is NOT free
Premium
join:2004-06-24
The 'Boro
Reviews:
·Vonage
·Cingular Wireless
·Comcast
·AT&T Southeast

2 edits

reply to dinferno
Since the "proof of concept" site is off-line, I could not test the alleged vulnerability, and the original articles do not provide any meaningful hints as to the nature of the vulnerability.

I have to wonder if Mr Wiseman has simply rediscovered the well known eight character password limitation/vulnerability in RealVNC Free Edition as documented in the RealVNC FAQ "Why can I access my VNC Server even though I'm entering the wrong password?"

Any tests I have done (taking into account the known limitation/vulnerability) on my LAN using RealVNC Free Edition 4.1.1 have resulted in the dialog box shown below when entering the wrong (or null) password.




EDIT: It seems that the folks at RealVNC are on top of this. The link VNC Free Edition 4.1 Known Bugs and Features has this new entry:
[12 May 2006 | VNC servers | A security vulnerability was discovered. | Fixed in 4.1.2]
--
Outsourcing is not the same thing as Offshoring!!.
Test your firewall.
Smell the flowers.

sheiny

join:2005-03-13
Turlock, CA

1 edit

reply to dinferno
Edit: Sorry, NetFixer already posted the fix.



SteveWiseman

@comcast.net

My name is Steve Wiseman. I am aware of the 8 char limit on passwords. This vulnerability allowed me to access 4.1.1 machines without *any* password. It has been promptly fixed by the RealVNC team - I suggest you download it from their site as soon as you can.

Steve


ghost16825
Use security metrics
Premium
join:2003-08-26

reply to dinferno
Full Disclosure:

»seclists.org/lists/fulldisclosur···359.html

This vulnerability seems to be so ridiculously simple, one wonders whether this was someone's attempted backdoor.



Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

1 edit

reply to dinferno
Yah, this is bad news. It's not a buffer overflow or a bug at the low-level coding issue, it's a failure to negotiate an authentication protocol properly.

During the initial handshake, the server offers a list of auth types which it supports. There are bunches of types, and one of them is "no auth required" - we hope that most people configure their VNC to not ever offer that one, and always require at least a little something to get in the door.

But when the client replies with its requested auth type, the server only verifies that it's a valid type, not that it's one that the server actually offered. When the client replies with "No auth required", the server should reject it, but instead gives it a pass.

To illustrate the difference, consider these two conversations about somebody trying to get into a bar:

said by the first conversation:

Bouncer: I need to see ID - driver's license or passport?
Patron: How about I don't need ID?
Bouncer: How about you show me DL or passport, or I show you the door.
said by the second conversation:

Bouncer: I need to see ID - driver's license or passport?
Patron: How about I don't need ID?
Bouncer: Sure, come right in
This is a great find, though it's a stretch of the imagination to think that nobody else has ever found this and used it quietly to gain remote access to a system.

The only really safe way to use VNC is through a protected tunnel, such as on a VPN or through SSH.

Steve

Or, just change your subnet mask
--
Stephen J. Friedl • Unix Wizard • Microsoft Security MVP • Tustin, California USA • my web site
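The negotiation failure Steve describes above, modelled as an added example (this is not code from the thread, from RealVNC, or from any other project). It builds and parses the RFB 3.8 security-type messages using the real type values from RFC 6143 (0 = invalid, 1 = None, 2 = VNC Authentication), then runs the server-side decision two ways: a lax check that only asks whether the client's chosen type is one the server knows about, which is the behaviour the post attributes to RealVNC 4.1.1, and a strict check that also requires the type to be one the server actually offered. The function names, the `strict` flag and the small session-log review at the end are assumptions made for the example; the log lines are constructed.

```python
"""Model of RFB 3.8 security-type negotiation: the lax server check versus the correct one.

Added example, not project code. Security-type values are the real RFC 6143 constants;
everything else (function names, the session log) is constructed for illustration.
"""
import struct

# RFB security types (RFC 6143, section 7.1.2).
SECURITY_INVALID = 0
SECURITY_NONE = 1          # "no auth required"
SECURITY_VNC_AUTH = 2      # challenge-response password authentication

KNOWN_TYPES = {SECURITY_NONE, SECURITY_VNC_AUTH}


def encode_server_offer(offered: list[int]) -> bytes:
    """ServerSecurityTypes message: one count byte, then one byte per offered type."""
    return struct.pack("B", len(offered)) + bytes(offered)


def decode_server_offer(msg: bytes) -> list[int]:
    """Parse a ServerSecurityTypes message back into the list of offered types."""
    count = msg[0]
    return list(msg[1:1 + count])


def accept_lax(offered: list[int], client_choice: int) -> bool:
    """The check the thread attributes to 4.1.1: is the type merely a valid/known type?"""
    return client_choice in KNOWN_TYPES


def accept_strict(offered: list[int], client_choice: int) -> bool:
    """Correct check: the type must be known AND be one this server put in its offer."""
    return client_choice in KNOWN_TYPES and client_choice in offered


def handshake(server_offer: list[int], client_choice: int, strict: bool) -> str:
    """Simulate the server side of the handshake.

    Returns 'rejected' (connection closed), 'granted' (session opened with no
    further authentication) or 'authenticate' (proceed to the password challenge).
    """
    # Round-trip through the wire encoding so the parser is exercised too.
    offered = decode_server_offer(encode_server_offer(server_offer))
    check = accept_strict if strict else accept_lax
    if not check(offered, client_choice):
        return "rejected"
    if client_choice == SECURITY_NONE:
        return "granted"
    return "authenticate"


# Defender's view: given a record of (offered, chosen) per session, flag any session
# where the client selected a type the server never offered. Constructed sample data.
SESSION_LOG = [
    {"peer": "10.0.0.5", "offered": [SECURITY_VNC_AUTH], "chosen": SECURITY_VNC_AUTH},
    {"peer": "10.0.0.9", "offered": [SECURITY_VNC_AUTH], "chosen": SECURITY_NONE},
    {"peer": "10.0.0.7", "offered": [SECURITY_NONE], "chosen": SECURITY_NONE},
]


def suspicious_sessions(log: list[dict]) -> list[str]:
    """Return peers whose chosen security type was not in the server's offer."""
    return [s["peer"] for s in log if s["chosen"] not in s["offered"]]


if __name__ == "__main__":
    # Server configured to require a password, client asks for "no auth".
    print("lax   :", handshake([SECURITY_VNC_AUTH], SECURITY_NONE, strict=False))  # granted
    print("strict:", handshake([SECURITY_VNC_AUTH], SECURITY_NONE, strict=True))   # rejected
    print("flagged:", suspicious_sessions(SESSION_LOG))
```

The strict check is the whole fix: the server must compare the client's reply against its own offer, not merely against the set of types it understands. The session-review helper shows the same comparison used after the fact, which is a reasonable thing to look for in connection records from the period before a server was upgraded.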

ghost16825
Use security metrics
Premium
join:2003-08-26

said by Steve:

This is a great find, though it's a stretch of the imagination to think that nobody else has ever found this and used it quietly to gain remote access to a system.
...which is precisely the reason I posted the full disclosure link, if anyone was wondering why.
--
Admin of the Kerio 2x-like open source project:
http://sourceforge.net/projects/kerio/
http://kerio.sourceforge.net/


jig

join:2001-01-05
Hacienda Heights, CA

reply to dinferno
thanks for the heads-up. long live ssh.



Lex Luthor
Premium,Mod
join:2000-09-17
Hicksville, NY
kudos:3

1 edit

Is UltraVNC 1.01 vulnerable as well? If so, what do I do?

Edit: I found the UltraVNC forums and it looks like there's a 1.02 test version out that does have this fix.


over 12.5 years online © 1999-2012 dslreports.com.