Slashdot Mirror


Critical Flaw Found in VNC 4.1

jblobz writes "IntelliAdmin has discovered a critical flaw that allows an attacker to control any machine running VNC 4.1. The flaw grants access without the attacker obtaining a password. The details of the vulnerability have not been released, but their website has a proof of concept that allows you to test your own VNC installation for the vulnerability."

3 of 175 comments

  1. tight vnc by bazooka_foo · · Score: 3, Interesting

    I guess tight vnc is okay??

    that is what I use

  2. Re:scope of bug... by petard · · Score: 3, Interesting

    Only RealVNC is affected, which is a crappy vnc anyway. TightVNC and better yet UltraVNC are far ahead of RealVNC, neither of which are affected btw.

    I wouldn't assume they aren't affected by this. They very likely aren't, but it looks like this guy stumbled upon the flaw as he was implementing an independent VNC viewer from the VNC specification. It doesn't sound like he really has his mind around why RealVNC is affected, so it'd be prudent to assume that they are. (i.e. Once he understands why the attack works he may be able to produce one easily against TightVNC and UltraVNC.)

    At any rate, if you operate your VNC service in a reasonable configuration, you're safe. By "reasonable configuration" I mean listening only on 127.0.0.1 so that people have to connect via ssh or client-authenticated stunnel to get to it. VNC authentication is not safe on an untrusted connection. And you shouldn't trust your connection unless your network is so small and has such well-controlled access that you can physically inspect every device on it in <30 minutes with absolute certainty that you haven't missed any.

    --
    .sig: file not found
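
A check for the "reasonable configuration" described in the comment above, added here as an example and not part of the original thread: it parses `ss -H -ltn` output and reports VNC listeners bound to anything other than loopback. The 5900-5999 port range, the function names and the sample output are assumptions constructed for this example.

```python
import ipaddress

# Assumption: VNC display :N listens on TCP 5900+N; displays 0-99 are checked.
VNC_PORTS = range(5900, 6000)

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 5         127.0.0.1:5901    0.0.0.0:*
LISTEN 0 5           0.0.0.0:5900    0.0.0.0:*
LISTEN 0 128            [::]:5902       [::]:*
LISTEN 0 128           [::1]:5903       [::]:*
LISTEN 0 5      192.168.1.20:5904    0.0.0.0:*
LISTEN 0 4096  127.0.0.53%lo:53      0.0.0.0:*
LISTEN 0 128               *:22            *:*
"""

def split_local(field):
    """Split ss's 'addr:port' field; handles [v6]:port, '*' and '%iface'."""
    addr, _, port = field.rpartition(":")
    return addr.strip("[]").split("%", 1)[0], port

def is_loopback(addr):
    """True only for 127.0.0.0/8 and ::1; wildcard binds are not loopback."""
    if addr == "*":
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unparseable address: treat as exposed (fail closed)

def exposed_vnc_listeners(ss_output):
    """Return sorted (addr, port) pairs for VNC ports bound off-loopback."""
    exposed = set()
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        addr, port = split_local(cols[3])
        if not port.isdigit():
            continue
        if int(port) in VNC_PORTS and not is_loopback(addr):
            exposed.add((addr, int(port)))
    return sorted(exposed)

if __name__ == "__main__":
    for addr, port in exposed_vnc_listeners(SAMPLE_SS):
        print(f"VNC port {port} is listening on {addr}, not loopback")
```

On a Linux host, pass the text printed by `ss -H -ltn` to `exposed_vnc_listeners`; an empty result means every VNC listener found is reachable only through a local tunnel endpoint.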
  3. Re:scope of bug... by pe1chl · · Score: 4, Interesting

    Our experience with *VNC has been that "better" is often subjective.
    We used the original VNC for quite a while then switched to TightVNC. It seemed "better", but on the Windows platform there were some situations where it had difficulty finding the need to redraw certain screen areas.
    (I am of course assuming that the 'poll full screen' option is not used, but limited areas of the screen are polled)
    Sometimes a click on a window bar is needed to refresh that window, sometimes it is enough to move the mouse around a little.
    The ancient version did allow you to refresh the screen by "painting" the area with the mouse cursor, but TightVNC usually refreshes an entire updated area when it is moved over by the mouse.

    However, as there still were apps which did not work entirely satisfactorily (especially when extensive use was made of tooltips), we kept looking and it seemed that UltraVNC was promising. It was installed on a few systems and it worked ok, then rolled out to a lot of systems.
    Now, problems again appear, but in other situations.
    Sometimes it delays refreshing a bit long, and shortening the timer increases the CPU usage too much.
    Using the special video driver improves things a little, but it has proven difficult to find a really well-working setup that does not have annoying lag and does not overload the system either.
    On one system it was even replaced by RealVNC because of system load issues.

    Fortunately all those servers and clients inter-operate, or else there would be a big mess by now.
    (also, we fortunately can automatically and silently install new or other versions on at least the client systems, so switching is not too hard)

    I wonder what other people's experiences are. I don't define "better" as "having more toolbar buttons" or "having more added options like file transfer", but I am still looking for a better VNC in terms of good interactive performance without overloading the server system.