Slashdot Mirror

← Back to Stories (view on slashdot.org)

Critical Flaw Found in VNC 4.1

Posted by ryuzaki0 on from the public-desktops dept.

jblobz writes "IntelliAdmin has discovered a critical flaw that allows an attacker to control any machine running VNC 4.1. The flaw grants access without the attacker obtaining a password. The details of the vulnerability have not been released, but their website has a proof of concept that allows you to test your own VNC installation for the vulnerability"

26 of 175 comments (clear)

  1. Re:SSH by AmigaAvenger · · Score: 2, Informative

    maybe you haven't used ssh before, but when you tunnel stuff over ssh you no longer even care if vnc has a password! the ssh tunnel drops you behind the firewall or directly on the console of the machine, all traffic goes over ssh, which means you already have logged in with a valid username/password.

  2. Capture the packets by a_greer2005 · · Score: 4, Informative

    The hole hasnt been detailed but they have a web baced proof of concept exploit? do I need to spell it out for you? SNORT the segment while you run the test and BINGO -- Got 'em!

  3. scope of bug... by AmigaAvenger · · Score: 5, Informative

    only RealVNC is affected, which is a crappy vnc anyway. TightVnc and better yet UltraVNC are far ahead of RealVNC, neither of which are affected btw.

    1. Re:scope of bug... by ImaLamer · · Score: 1, Informative

      Except for encryption, but this makes encryption worthless.

      It's all the same.

      --
      Get your Unix fortune now!
    2. Re:scope of bug... by moonbender · · Score: 3, Informative

      I wouldn't assume they aren't affected, either, but the guy did test Ultra and Tight, and both weren't affected. So there. It's not in TFA, but one link away.

      --
      Switch back to Slashdot's D1 system.
  4. Specific to RealVNC 4.1. TightVNC and UltarVNC OK by McGruff · · Score: 2, Informative

    From the initial article preceding the proof of concept, TightVNC, UltarVNC and RealVNC 4.0 are not affected.

  5. Bottom Line by bogie · · Score: 5, Informative

    "I started to wonder how widespread this flaw was so I downloaded TightVNC, and UltraVNC. They are immune. Both of them reject my connection right away"

    "So it looks like a flaw is in the current RealVNC 4.1.1 authentication process. I am not going to give any clues as to what it is until I can figure it out totally, and promptly let the RealVNC team know so they can resolve the issue."

    So there you go. This is apparantly not a system-wide VNC issue and is a RealVNC 4.1.1 issue only. Submitter you suck.

    --
    If you wanna get rich, you know that payback is a bitch
  6. Re:RealVNC by grub · · Score: 2, Informative

    Answering my own question, from this link:
    I started to wonder how widespread this flaw was so I downloaded TightVNC, and UltraVNC. They are immune. Both of them reject my connection right away.
    --
    Trolling is a art,
  7. Insightful my ass by Anonymous Coward · · Score: 1, Informative

    If it says it has to be available from the internet, or it won't be vulnerable. Period. Why the fuck would they go into anymore detail than that? Yours isn't available from the internet, so it's not vulnerable. No "I doubt it" it necessary.

    I know people like to have karma points, but for fuck's sake...

  8. Re:encrypted wireless? by Anonymous Coward · · Score: 2, Informative

    If WEP, then you should be very worried. If WPA then less worried (assuming your key is actually at all good). Also this only affects RealVNC (I believe). Also MAC filtering is pretty much only 'useful' to prevent people from accidentally connecting to your network (same with WEP).

  9. SSH Port forwarding by Savage-Rabbit · · Score: 5, Informative

    The parent was saying that the problem was not with the lack of encryption, it was a problem with the authentication. He's not saying that SSH wouldn't solve the problem, simply that the problem would not be solved by SSH's encryption like the original poster implied, but its extra layer of authentication which is not affected by this vulnerability.

    Unless I am very much mistaken SSH would be a valid work around for the problem and it has nothing o do with SSH encryption although it makes VNC use safer, it has to do with SSH tunneling. Even if the computer you are connecting to with VNC only has port 22 exposed to the internet you can still connect to the VNC server on one of the usual ports in the 59xx range. Before you can do that, however, you first have to use SSH port forwarding by to create an SSH tunnel and physically log onto the target system with the 'ssh' command using the '-L' option. That basically means that you can only get at the VNC server by creating an SSH tunnel first. This makes any authentication vulnerability of the VNC server a non issue, not that a for this bug ASAP would be a bad thing. You should always force users to use SSH when connecting via VNC and not just rely on VNC's native authentication all on it's own.

    --
    Only to idiots, are orders laws.
    -- Henning von Tresckow
    1. Re:SSH Port forwarding by ookabooka · · Score: 2, Informative

      VNC's authentication is PLAINTEXT. It's just a little authentication thing to keep random people out, and is by no means secure. FTP is the same way, username/password are transmitted plaintext. The article is a short blurb about how they discovered a way to completely bypass authentication, so even random people have access to your desktop. IMO, if you are doing anything where security is atleast of moderate concern, you should close the port and do ssh tunneling. Otherwise you have to be willing to accept the risk that come with security holes like these, plaintext passwords, and even man in the middle attacks that allow the attacker to view the desktop during an active session. Basically, weak security has gotten even weaker.


      P.S. They have a neat little prog that will test your computer to see if it is vulnerable, though it is currently disabled because "Slashdot is too much for it to handle."

      --
      If you are about to mod me down, keep in mind that this post was most likely sarcastic.
    2. Re:SSH Port forwarding by ComaVN · · Score: 2, Informative

      vnc authentication is not plain text, but anything you do over it (like logging in to your account) is.

      --
      Be wary of any facts that confirm your opinion.
  10. Re:FC 4 vnc-server-4.1.1-10.1 tested and passed by armitage_23 · · Score: 2, Informative

    Using VNC over an SSH can be much faster than XForwarding. For instance, when you have a high latency link or the application has 32-bit icons.

    Using a VNC desktop and squashing the color depth down gives a huge speed up.

    It can also help when you're moving from meeting to meeting. I leave a VNC session running with a few apps, and I can connect to it from various physical locations, even if my IP changes or I have to turn off my laptop. Try that with X forwarding.

  11. And here's how you do it .... by tarka69 · · Score: 5, Informative
    Start the vnc-server with the following:
    vnc4server -nolisten tcp -localhost

    Add the following to your ~/.ssh/config:

    Host lucretia
            HostName lucretia.dyndns.org
            Compression yes
            LocalForward 5901 localhost:5901

    Then ssh into the machine to create the tunnel. You then connect to the remote VNC session with "xvncviewer localhost:1".
    --
    The comfort you demanded is now mandatory - Jello Biafra
  12. Re:Not enough details by GooberToo · · Score: 2, Informative

    You missed the point. He's saying no one can reach his box unless they have SSH'd into hix box first. That means he's not likely at risk unless someone has gotton past SSH first and/or already have a local account.

  13. Re:FC 4 vnc-server-4.1.1-10.1 tested and passed by mhesseltine · · Score: 4, Informative
    you can't use ssh to connect to your Mom's machine in a different city and help figure out why she has trouble using/interacting with Kmail or some other GUI program. But with vncserver + vncviewer, you CAN.
    You may want to look into x11vnc, which will allow you to connect to a running X session and view it using VNC. This is how I access my home machine from work when I want to check on a running GUI task at home. SSH in, run x11vnc -display :0, then connect to the tunneled VNC connection. Works great, and when I'm done, I just take down the x11vnc so it's only up and running when I need it.
    --
    Overrated / Underrated : Moderation :: Anonymous Coward : Posting
  14. Re:FC 4 vnc-server-4.1.1-10.1 tested and passed by Nazo-San · · Score: 2, Informative

    Don't forget. VNC is OS independant. I can fire up a VNC session on my linux box and use a VNC client on the box itself then leave the session open and connect to it from a windows box. Ok, via Cygwin you can pull off X, but, it is definitely not worth all that extra clutter when a simple VNC client can achieve the same purpose and is designed to do it better (remote X is really intended for a lan dumb client type setup whereas VNC can be used to add JPEG compression, decrease color depth, etc so works about as well as you can hope over the internet.)

    PS. I found a nice little client called DirectVNC which uses the DirectFB (framebuffer) to give you VNC in a console. Since this is for a server type setup, I find it handy since I can have just one X setup running essentially this way. Eg, I don't have to start X to get to the VNC session even. It strikes me that this could also be handy on some minimalistic setups such as some live discs perhaps.

  15. Re:Yikes! by julesh · · Score: 4, Informative

    But isnt the slashdot crowd always for the release of exploits?

    Yes, indeed. However this isn't a release of an exploit, it is somebody saying "bring your machine, and I'll exploit it for you."

    What this means, effectively, is that anyone who is prepared to go to the effort of sniffing packets can easily figure out what's going on, but the rest of us are still in the dark. I can't use this to test the machines on my internal network because there's no way I'm going to open the VNC ports on my firewall. He may be wrong when he says on the previous article that (e.g.) TightVNC isn't vulnerable, it may be vulnerable to a slight variation of the attack that could easy be found by somebody who knew how it worked, but because he's released no details to anyone who doesn't make a large effort to understand the problem we can't know that. But be sure that there are some blackhats out there who have already tested this and understand why it works who have tried to figure out if they can make it work on another version.

    This behaviour is wrong in every way possible. Disclosure should be complete or not exist at all, IMO. Anything between is dangerous.

  16. Re:tight vnc (NOTE TO MODERATORS) by julesh · · Score: 2, Informative

    Erm... "yes, it is."

    Note to self: proofread post before posting.

  17. Ouch! However... by Idaho · · Score: 2, Informative

    ...it is a good idea not to run VNC all the time anyway. It'd be dangerous even if it was completely designed from the beginning with security in mind, which it wasn't. I'm not even sure that the password is sent encrypted (probably it is by now), but certainly the normal traffic is not encrypted AFAIK.

    Also, there have been vulnerabilities before.

    This, of course, is not good, but whether it is acceptable also depends on the purpose that you're using it for.

    I installed VNC on the computers at my parents place, but it's disabled by default (but put in an obvious place in the start menu). When there is a problem, my parents can call me, I'll tell them to start the "Remote control thingy" (1 click in the start menu) and then I can reach the computer.

    Not much can go wrong that way, of course someone could intercept the traffic etc. if they like to stare at default windows desktops I wish them good luck.

    However, don't type the admin password over VNC, I'd guess...it's like doing 'su root' over telnet....

    --
    Every expression is true, for a given value of 'true'
    1. Re:Ouch! However... by ledow · · Score: 2, Informative

      And like any such plaintext algorithm, suitable wrappers exist and should ALWAYS be used.

      UltraVNC incorporates custom extensions that implement a Microsoft encryption DLL on Windows machines (also works flawlessly through Wine). Coupled with UltraVNC SC, you can create a single executable that anyone can download from your website and run and it will connect, fully encrypted, back through whatever firewall they have to your machine which (if it is running a suitable client) will take it over as normal.

      Or you can just do it the old fashioned way, via SSH, or even better - NOT LEAVE PLAINTEXT-PROTOCOL SERVERS RUNNING ON INTERNET-CONNECTED PC'S. You wouldn't run telnet on your parent's machine, don't run VNC without some sort of encryption.

  18. Re:Built-in VNC server in Mac OS X vunerable? by Anonymous Coward · · Score: 2, Informative

    The Remote Desktop server process that runs in Mac OS X does provide support for legacy viewers (it uses an enriched protocol when talking to actual ARD clients), but it does not contain code from other VNC servers (trust me ;) )

    This vulnerability is with the Windows-based RealVNC server and its protocol implementation only, and not with the protocol itself.

  19. Alarmist by porkface · · Score: 2, Informative

    VNC has always had exploits. It was never designed to be secure. It was built for cross-platform system management on LANs, and everyplace I've ever downloaded it (except the RealVNC site) has always carried the original AT&T labs disclaimer that it is not a secure service.

    RealVNC has always tried to market up their version, and has been the fastest to add new features; two common warning signs when looking at a software's level of security.

  20. Re:SSH by merryberry · · Score: 2, Informative

    Windows remote desktop suffers from very weak authentication. The best solution to this VNC flaw and using remote machines in general is to use a VPN to ensure that authentication is managed with public key cryptography, with all data thereafter being encrypted with symmetric keys. It also means it's so much simpler to run different services without having to create separate SSH tunnels. http://openvpn.net/ has a great solution working on all platforms.

  21. Re:SSH by riffer · · Score: 2, Informative
    You are confusing interactive SSH logins with VNC logins. Your message is, sadly, not informative and in fact misleading.

    Tunneling a protocol over SSH does not eliminate the need to authenticate on that protocol! The very nature of tunneling means whatever protocol is carried down the tunnel is unmodified

    Tunneling VNC over SSH simply means you establish a secure shell connection and do port forwarding between your target host and your client. Your client forwards connections to the localhost on a specified port (say, 5900) through the SSH connection to the remote host. So the traffic is encrypted the entire way, but unencrypted once it hits the remote host.

    So here's a simple outline of the steps to do:

    • Let's say you are using a host named "Guido" and you want to securely VNC into a host named "Barbarella"
    • Establish an SSH connection to Barbarella from Guido, enabling port forwarding.
      Let's say you decide to forward connections to 3145 on localhost (Guido, in this case since he's the system you are connecting from) to port 5900 on Barbarella (our target).
    • Bring up your favorite VNC client software on Guido and connect it to "127.0.0.1:3145"
    • The local SSH client is listening on port 3145 on the localhost (Guido) and detects the connection attempt.
    • Local SSH client on Guido forwards all the data it's getting from the 127.0.0.1:3145 connection down the encrypted connection on port 22 to the SSH server on Barbarella. This data is identified differently than standard SSH traffic (i.e. interactive keyboard traffic)
    • SSH server on Barbarella takes the forwarded traffic from Guido and sends it to port 5900 on 127.0.0.1 (in this case, Barbarella)
    • The VNC server on Barbarella detects an incoming connection and responds accordingly
    • The SSH server on Barbarella takes the response(s) from the VNC server and forwards them back down the encrypted pipe to the client (Guido)
    • The SSH client on Guido takes the forwarded VNC traffic from Barbarella and sends it to the local VNC client
    • Lather, rinse, repeat.
    • Profit!

    This same procedure is used for any kind of protocol you want to forward over SSH. Note that this is NOT the same thing as the secure versions of some protocols that have been released (i.e. IMAPS, POPS and so-on). Those are modified versions of established protocols where encryption is written both into the protocol standard and the actual software. Most VNC servers do not have built-in encryption.

    Note also that some VNC server solutions (such as UltraVNC) do support encryption from the client to server. UltraVNC does it with a plugin architecture, though it's not exactly perfect.

    Other important things to note, and to clear-up the rampant confusion in this thread:

    • VNC authentication is not plain text. However, the encryption used is fairly weak. It can be decrypted with little effort if the authentication between a VNC server and client is sniffed. Thus, tunneling the VNC connection over SSH defeats that method. However, the password is stored locally on the server in equally weak form. If a person gets ahold of the encrypted form of the server password, they can decrypt it instantly using one of several different vnc password cracking tools (and no, it's not brute force)
    • I would not blindly trust the IntelliAdmin website's "proof of conecpt" webpage. They are not publishing this supposed exploit, nor the source to their testing page. So there's no way of knowing what they are doing. Additionally, you are assuming that they (or someone in their organization) will not abuse this access.
    • UltraVNC has support for doing Microsoft NTLM authentication, which despite what some may think is more secure than the default VNC authentication scheme.
    • Security is about layers. SSH tunnels are great. But you should still use a password on your VNC server and no, you should not tell everyone on Slashdot your password is "password". Even better, keep the VNC server turned off when you are not going to need it (hint: cron can be useful to down the server during the hours you are usually at home sleeping)

    Oh, and my CISSP number is 81554.

    --
    In the darkness of future past, The magician longs to see. One chants between two worlds, "Fire, walk with me!"