Bugtraq mailing list archives
Re: vnc remote dictionary based cracker
From: peterw () USA NET (Peter W)
Date: Wed, 24 May 2000 16:49:27 -0400
At 9:36am May 23, 2000, Patrick Oonk wrote:
With this patch applied, the vncviewer turns into a neat dictionary based remote cracker. The fun with vnc is that the password is 8 characters or smaller, and that vnc has no concept of users, which brings down the number of possibilities to try.
VNC hints:

1) Use Unix -localhost or Windows LoopbackOnly or kernel packet filters (ipfilter, ipchains, whatever you have) to restrict access to TCP services, e.g. to force users to tunnel their VNC sessions through SSH for more security (effectively making attackers obtain local user privileges before trying to connect to your VNC server, as well as encrypting data).

2) On the *nix ports of the VNC server, authentication uses the _current_ contents of ~/.vnc/passwd. To prevent logins, `chmod 0 ~/.vnc/passwd`. This will also prevent VNC DoS attacks; that is, when a VNC viewer attaches to a VNC server, any other viewer connections to that server process are broken. An attacker who sniffs/guesses/cracks a VNC password can hijack your VNC session, and change the passwd ownership to lock you out! For this reason, you might want to chown the VNC passwd file as soon as you log in to the VNC server session. This disconnect behavior can be changed, too. WinVNC server users see the docs on ConnectPriority; Unix users see the docs on -dontdisconnect and -nevershared.

Sure, 2) means you need an alternate way to log in (or to change the perms on ~/.vnc/passwd), but IMO, VNC is better suited to running GUI apps remotely than general remote access. Clearly, having VNC server listening for logins 24x7 is risky. ;-)

Win32 users might want a port of sshd for tunneling and starting the VNC server, e.g. http://web.mit.edu/pismere/ssh/ssh-port.html (I haven't tested that, and there may be licensing issues for many sites, since it's based on SSH 1.2.26 rather than OpenSSH, LSH, etc.)

-Peter
http://www.bastille-linux.org/ : working towards more secure Linux systems
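The two hints above, as an added shell example that is not part of Peter's post or of the VNC project: it locks a passwd file with `chmod 0` and verifies the mode (hint 2), and prints the shape of the `ssh -L` command a viewer would use to reach a server started with -localhost (hint 1). The file path, host name and display number are arguments; the demonstration runs against a constructed temporary file, never a real ~/.vnc/passwd, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post or from VNC.
# Locks/unlocks a VNC passwd file and checks its mode, plus the ssh
# port-forward shape for a server that only listens on loopback.

# vnc_passwd_locked FILE -> status 0 if FILE has mode 0000 (no logins
# possible, since the *nix server reads the file on every auth attempt)
vnc_passwd_locked() {
    f="$1"
    [ -e "$f" ] || return 2
    # -perm 000 matches only a file with no permission bits at all
    [ -n "$(find "$f" -maxdepth 0 -perm 000 2>/dev/null)" ]
}

# vnc_lock_passwd FILE -> Peter's "chmod 0 ~/.vnc/passwd"
vnc_lock_passwd() {
    chmod 0 "$1"
}

# vnc_unlock_passwd FILE -> restore owner-only access so vncpasswd and
# the server can use the file again
vnc_unlock_passwd() {
    chmod 0600 "$1"
}

# vnc_tunnel_cmd HOST DISPLAY -> prints the ssh command that forwards a
# local port to the server's VNC port (5900 + display) on its loopback
# interface; the viewer then connects to localhost:DISPLAY.
vnc_tunnel_cmd() {
    host="$1"
    disp="$2"
    port=$((5900 + disp))
    echo "ssh -L ${port}:localhost:${port} ${host}"
}

# Demonstration on a constructed file (not a real ~/.vnc/passwd)
tmp=$(mktemp -d)
printf 'constructed-vnc-password-hash' > "$tmp/passwd"
chmod 0600 "$tmp/passwd"
vnc_lock_passwd "$tmp/passwd"
if vnc_passwd_locked "$tmp/passwd"; then
    echo "passwd file locked: no VNC logins until unlocked"
else
    echo "passwd file NOT locked"
fi
vnc_tunnel_cmd vncbox.example 1
vnc_unlock_passwd "$tmp/passwd"
rm -rf "$tmp"
```

The lock step only helps on the Unix ports, where the server consults the file at each authentication; on WinVNC the password lives elsewhere, so there the loopback/ConnectPriority settings Peter mentions are the relevant controls.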