Critical Flaw Found in VNC 4.1
jblobz writes "IntelliAdmin has discovered a critical flaw that allows an attacker to control any machine running VNC 4.1. The flaw grants access without the attacker obtaining a password. The details of the vulnerability have not been released, but their website has a proof of concept that allows you to test your own VNC installation for the vulnerability"
You should tunnel unencrypted services like VNC over SSH anyway.
It says that the VNC port has to be accessible from the internet. Normally, I don't do this. I run it so that you can only connect from localhost and ssh tunnel through. It doesn't detail if it would affect an installation like this, but I doubt it.
-- Who is the bigger fool? The fool or the fool who follows him? --
Surely inspection of the vulnerability test will betray the flaw to attackers?
If this works on 3.3.3 please let me know cuz I need to be sending IT a message. I'd click the self test but I just started this job and I don't think they would like that very much. ;p
"I guess I'm gonna fade into Bolivian."
I guess TightVNC is okay??
that is what I use
4 posts and the web server is toast - doesn't look like many people will be testing it any time soon as everyone smashes the refresh button
'...if only "Jumping to a Conclusion" was an event in the Olympics.'
Like many services meant for users that can be expected to have a password, this is best tunneled through SSH. Access is controlled by a comparatively secure protocol and server. It's still best to patch (e.g. someone might get unprivileged access to a machine and use this flaw to escalate the breach), but having a gateway that's more secure than any of the components behind it is nice. Even if the gateway itself has flaws from time to time.
I rarely criticize things I don't care about.
The hole hasn't been detailed but they have a web based proof of concept exploit? Do I need to spell it out for you? SNORT the segment while you run the test and BINGO -- Got 'em!
The NSA surely wishes to complain about the release of this information.
only RealVNC is affected, which is a crappy vnc anyway. TightVnc and better yet UltraVNC are far ahead of RealVNC, neither of which are affected btw.
I run VNC between two computers over a MAC filtered (yeah yeah I know...) and encrypted wireless connection, should I be (less) worried at all?
"I just can't sit while people are saying nonsense in a meeting without saying it's nonsense" J Watson, Sci Am 288:(4)51
From the initial article preceding the proof of concept, TightVNC, UltraVNC and RealVNC 4.0 are not affected.
"I started to wonder how widespread this flaw was so I downloaded TightVNC, and UltraVNC. They are immune. Both of them reject my connection right away"
"So it looks like a flaw is in the current RealVNC 4.1.1 authentication process. I am not going to give any clues as to what it is until I can figure it out totally, and promptly let the RealVNC team know so they can resolve the issue."
So there you go. This is apparently not a system-wide VNC issue and is a RealVNC 4.1.1 issue only. Submitter, you suck.
If you wanna get rich, you know that payback is a bitch
Talking about exploits can have a negative effect on that company. This might make China unhappy and lead to global nuclear war. Proof positive Slashdot should be banned from all political arenas!
"I guess I'm gonna fade into Bolivian."
TFA says the flaw is in RealVNC 4.1.1 not just VNC. VNC is a pretty broad term nowadays, does it also affect TightVNC, etc?
Trolling is a art,
OMFG! There's software that allows someone to take complete control over my machine?!?!?! Gah!! What sort of bastard would write such a hideous virus/worm thingie!??!
(yeah - I know..it's a joke)
If it says it has to be available from the internet, then it won't be vulnerable otherwise. Period. Why the fuck would they go into any more detail than that? Yours isn't available from the internet, so it's not vulnerable. No "I doubt it" is necessary.
I know people like to have karma points, but for fuck's sake...
I have FC 4 2.6.16-1.2108_FC4smp kernel with some minor kernel tweak. For this test, I have activated the vnc server (why need vnc when you have ssh.. who knows..*sigh*) with default config and disabled my paranoid iptables rules for this test. Also opened up port range from 5800 to 6001 (just to prove the point) on my firewall and set it to port forward to the VNC machine.
I even disabled the password for the account the VNC display is bound to and set no encryption for VNC.
Nothing happened. No display, nada, nothing.
I have stable FC4 vnc package version 4.1.1-10.1.
"Don't let fools fool you. They are the clever ones."
Mod parent up +5 Insightful.
Just my €0.01.
I'm a bit skeptical about the motives here when the company is in the business of selling Remote Control software. But, I have to agree with the other posters that talked about tunneling over ssh and only allowing connections from the localhost. I'm not sure why anyone would run VNC live on an untrusted network anyway.
and you bit! and so did i! brilliant, chibi! kudos.
The parent was saying that the problem was not with the lack of encryption, it was a problem with the authentication. He's not saying that SSH wouldn't solve the problem, simply that the problem would not be solved by SSH's encryption like the original poster implied, but its extra layer of authentication which is not affected by this vulnerability.
Unless I am very much mistaken SSH would be a valid workaround for the problem, and it has nothing to do with SSH encryption, although that makes VNC use safer; it has to do with SSH tunneling. Even if the computer you are connecting to with VNC only has port 22 exposed to the internet you can still connect to the VNC server on one of the usual ports in the 59xx range. Before you can do that, however, you first have to use SSH port forwarding to create an SSH tunnel and physically log onto the target system with the 'ssh' command using the '-L' option. That basically means that you can only get at the VNC server by creating an SSH tunnel first. This makes any authentication vulnerability of the VNC server a non-issue, not that a fix for this bug ASAP would be a bad thing. You should always force users to use SSH when connecting via VNC and not just rely on VNC's native authentication all on its own.
Only to idiots, are orders laws.
-- Henning von Tresckow
Can anyone check to see if OS X's implementation of VNC (desktop sharing) is vulnerable?
I use TightVNC.
exactly why my VNC server only responds to localhost connections and I tunnel the connections in through ssh.
Well, not exactly why. Not like I knew this particular exploit existed . . . but it's why I only use ssh and terminal services over an ssh tunnel, 'cause you never know.
now if an exploit for openssh comes about allowing access without the publickey/private key, I guess I'm hosed . . .
Add the following to your ~/.ssh/config:
Then ssh into the machine to create the tunnel. You then connect to the remote VNC session with "xvncviewer localhost:1".
The comfort you demanded is now mandatory - Jello Biafra
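The SSH tunnel the two posts above describe (the `ssh -L` form and the `~/.ssh/config` form), plus a check that the VNC server itself is only listening on loopback, as an added example that is not from any poster; the display number, username "bob", hostname "vnchost.example" and the sample `ss -ltn` output are all constructed placeholders.

```shell
#!/bin/sh
# Added example: build the SSH tunnel the thread recommends and check the
# VNC listener is loopback-only. All hosts, users and sample output are constructed.

# Emit a ~/.ssh/config stanza for a host alias. Args: alias, hostname, display number.
# VNC display :N listens on TCP 5900+N, so the tunnel forwards that port to 127.0.0.1.
vnc_ssh_config() {
  port=$((5900 + $3))
  printf 'Host %s\n    HostName %s\n    LocalForward %s 127.0.0.1:%s\n' "$1" "$2" "$port" "$port"
}

# The equivalent one-off command: ssh -L localport:127.0.0.1:remoteport user@host
# With the tunnel up, "vncviewer localhost:N" reaches remote display :N over SSH.
vnc_ssh_command() {
  port=$((5900 + $3))
  printf 'ssh -L %s:127.0.0.1:%s %s@%s\n' "$port" "$port" "$1" "$2"
}

# Given a local listening address as printed by "ss -ltn" or "netstat -ltn",
# return 0 if it is bound to loopback only, 1 if it would accept remote connections.
vnc_listens_on_loopback_only() {
  case "$1" in
    127.0.0.1:*|\[::1\]:*|::1:*|localhost:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample of "ss -ltn" output (column 4 is the local address:port).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      5      127.0.0.1:5901      0.0.0.0:*
LISTEN 0      5      0.0.0.0:5902        0.0.0.0:*'

# Print every VNC listener (ports 59xx) in the sample that is reachable from off-host.
exposed_vnc_ports() {
  printf '%s\n' "$SAMPLE_SS" | awk 'NR > 1 && $4 ~ /:59[0-9][0-9]$/ { print $4 }' |
  while read -r addr; do
    vnc_listens_on_loopback_only "$addr" || printf '%s\n' "$addr"
  done
}

vnc_ssh_config vnchost vnchost.example 1
vnc_ssh_command bob vnchost.example 1
exposed_vnc_ports
```

Run `ss -ltn` (or `netstat -ltn`) on the VNC host and feed its real output to the same check to confirm nothing in the 59xx range is bound to 0.0.0.0.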
Wake up. This is fake. Kudos for giving this shitty company free press.
This bit of information was useful to know, and didn't make the /. summary.
The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
I don't know about you guys but VNC is very important to me, and I dare to say almost all of my technical co-workers' daily work. Buggy or not, kudos to the developers.
----------
Diesel car forum - coming soon
Does anyone know if this exploit affects the VNC server that is built in to Mac OS X? I've never been clear on which mainstream software package it's based on (if any, it doesn't make it obvious either, it's just "VNC Access" and a checkbox, but I can't imagine Apple would have rewritten a VNC server from scratch if they didn't have to).
There's no real good way to set up that service with an SSH tunnel -- I think its intended use is only on local networks when you're behind a firewall, but on the other hand there's nothing that marks it as being screamingly insecure when you go to turn it on, either (IIRC). If you want to tunnel it, or rather, if you want to limit access to connections that are coming in via an SSH tunnel, I think you have to run a regular VNC server and set it up manually.
The test page is down right now so I can't check it one way or the other, but I'd be interested to see if anyone knows what code is actually used for Apple's built-in VNC server, and whether people believe it's vulnerable.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Just releasing a stable patch for it and saying it's just a bad database overflow would probably be better than disclosing proof of concept, especially if it can be run on other machines, particularly DEFENSE NETWORKS THAT SHOULDN'T BE ON THE INTERNET ANY-FUCKING-WAY LIKE THEY ARE NOW. Excuse me? Our original DARPA-NET still connected to the rest of the world? What? Can you please explain this to me, even IF it is funded with taxpayer dollars, please? *SOME* info has to remain sensitive, and I'm a huge 4th amendment advocate. Besides the point, some of our own info *MUST* remain private if we, as a country, are to have/maintain our own self-independence. Let's just not make sure it comes to Bushism/Catholicism/Ninjitsu/WHATEVER RELIGION PERIOD.... ONLY rational and realistic thinkers are allowed, with SOME exception for those that *MAY* have half a clue, unlike everyone else, who seems uneducated. Think I'm talking about you? Check your current school district's grades against other school districts. Do I hear an "I'm sorry?"
Our schooling system, before anything else, needs a reform. If you ask me "How do you propose this, Sir?" I point you to my previous posts. Since my Firefox copy/paste function is inexplicably broken, I invite you to search through the most recent TEN slashdot posts I've made, and within those, you'll find the relevant answer that I believe answers your question/s.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Mods, the parent post is *not* offtopic. It's an important question, the answer to which is "no, it isn't.".
Erm... "yes, it is."
Note to self: proofread post before posting.
This appears to affect RealVNC. That's a big problem for RealVNC; even if a similar bug existed in other VNC implementations, it wouldn't matter there.
Why? For other VNC implementations, people have to use ssh tunneling (no built-in encryption), but RealVNC is supposed to offer secure end-to-end encryption without ssh tunneling. If that doesn't work or if the RealVNC developers can't be trusted not to screw up, the whole raison d'être for RealVNC goes away. And, in fact, RealVNC is built into devices (e.g. intelligent KVM switches) because it has encryption built in.
Note that RealVNC is not really open source; its more advanced features are under other licenses.
...it is a good idea not to run VNC all the time anyway. It'd be dangerous even if it was completely designed from the beginning with security in mind, which it wasn't. I'm not even sure that the password is sent encrypted (probably it is by now), but certainly the normal traffic is not encrypted AFAIK.
Also, there have been vulnerabilities before.
This, of course, is not good, but whether it is acceptable also depends on the purpose that you're using it for.
I installed VNC on the computers at my parents place, but it's disabled by default (but put in an obvious place in the start menu). When there is a problem, my parents can call me, I'll tell them to start the "Remote control thingy" (1 click in the start menu) and then I can reach the computer.
Not much can go wrong that way, of course someone could intercept the traffic etc. if they like to stare at default windows desktops I wish them good luck.
However, don't type the admin password over VNC, I'd guess...it's like doing 'su root' over telnet....
Every expression is true, for a given value of 'true'
It's been almost a year since the latest release and there are a number of bugs (particularly the annoying 'disconnecting' bug) that have not been fixed yet, even though they have been around for a while. If it wasn't for the built-in file transfer feature (which I can't live without) I would have dropped it a while ago. Anyone knows any VNC flavor with built-in file transfer feature, besides tightvnc? also, is tightvnc really dead???
Referring to this slashdot post...
If VNC could utilize this technology and get the info to go faster than light, and I manage to VNC 127.0.0.1, would I be able to get my work done before I do it?
This would be cool...
</offtopic>
I tried it with RealVNC 4.1, yesterday. They told me I was not vulnerable. So I thought maybe this company is claiming this just for the publicity and let it go.
Since it made it on Slashdot frontpage, maybe there is something more to it that I am missing (there's always hope for slashdot editors, I am a pessimist). Was anyone able to see their desktop over this website?
On a sidenote, whoever created captchas that are so hard to read like this one I am seeing on the screen right now, should be hung by their balls and shot.
VNC has always had exploits. It was never designed to be secure. It was built for cross-platform system management on LANs, and everyplace I've ever downloaded it (except the RealVNC site) has always carried the original AT&T labs disclaimer that it is not a secure service.
RealVNC has always tried to market up their version, and has been the fastest to add new features; two common warning signs when looking at a software's level of security.
If it says you're safe - then hey, you're safe.
I don't understand how VNC could pass back details of my safe, it is nowhere near my computer!
Is to post your vnc server on slashdot, thereby disabling any vnc access for you http://www.intelliadmin.com/blog/2006/05/vnc-flaw-proof-of-concept.html
Join the Slashcott! Feb 10 thru Feb 17!
...do us a favor. Don't ever link Gibson Research on Slashdot ever again. Steve is such an attention-grabbing tool.
And you want us to sit around and listen to a fucking podcast? Jesus christ, do you think we have nothing better to do? A quick HowTo or Wiki is just fine, thank you.
But yeah, MAC address filtering has no purpose other than to frustrate you when you use a new network adapter.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
For those with XP Home edition, there is no remote desktop. VNC is a reasonable and free solution.
I like VNC BECAUSE it's simple, effective, and ridiculously easy to set up. Makes troubleshooting remotely very easy. But I run it over tunnels, not in the open. Additionally, you can use a java client to connect so it makes the native OS less important.
...to be "secure" at all, anyways. It was never intended to be "secure" it was intended to simply provide convenient remote-control access of a desktop with no semblance of security ever implied.
RealVNC has already released a 4.1.2 update that closes the vulnerability.
A guy who works for a company that produces remote administration software finds a bug in VNC that he says will allow anyone to take control of any computer running VNC, then has it posted to slashdot, then takes down the test page because slashdot was too much for his server. Profit motive anyone?
Please change it to read "Flaw found in RealVNC 4.1.1", other VNC products don't appear to be affected, including RealVNC 4.0.