Bugtraq mailing list archives

WinVNC 3.3.x


From: Gossi The Dog <gossi () OWNED LAB6 COM>
Date: Sun, 19 Nov 2000 02:48:15 +0000

So, you use WinVNC and Windows NT4 Workstation/Server...?

During the InstallShield setup utility, it creates the registry key:

HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3\

which is used to store all of WinVNC's default settings.  By default,
Administrator and SYSTEM have full control, and Everybody has Special
Access (read and modify).

Ding dong.  The connection password, IP and query restrictions and other
settings are all stored here, all editable by anybody.

This completely compromises any workstation [or server] running WinVNC,
unless it's been tightened.  You can just use regedit remotely to blank the
password value and set the key "AuthRequired" to 0, to allow the blank
password...

Under Windows 2000, network users with "Standard User" (aka Power User)
privs can do the same by default - really only admins should have access
to this key.

This isn't anything brilliantly new (lax security permissions by default
under NT4), but since WinVNC allows complete remote access to a system, I
feel it's important people realise what they are deploying.

FIX - Use regedt32 to remove Everybody's permissions on the key entirely.


Gossi
Head Of ebe security
Professional Layabouts since 1998
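
An audit of the key's ACL, as an added example that is not part of the original post: it lists every principal other than SYSTEM and Administrators that can modify the WinVNC settings key, and with -RemoveEveryone applies the fix described above. The trusted-SID allow-list, the parameter names and the helper function name are assumptions made for this example; it assumes a PowerShell session run as an administrator on the affected host.

```powershell
# Added example: audit (and optionally tighten) the ACL on the WinVNC settings key.
param(
    [string]$KeyPath = 'HKLM:\Software\ORL\WinVNC3',   # key named in the post
    [switch]$RemoveEveryone                             # apply the post's fix
)

# Assumption: only these principals should be able to modify the key.
$trustedSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544'    # BUILTIN\Administrators
)

# Rights that let a principal change values or the ACL itself,
# plus the GENERIC_WRITE / GENERIC_ALL bits used by some inherit-only ACEs.
$writeMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

function Get-WeakRegistryAce {
    param([System.Security.AccessControl.RegistrySecurity]$Acl)
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.RegistryRights -band $writeMask) -eq 0) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value   # unresolvable account: report as-is
        }
        if ($trustedSids -notcontains $sid) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Sid       = $sid
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$acl  = Get-Acl -Path $KeyPath
$weak = @(Get-WeakRegistryAce -Acl $acl)
$weak | Format-Table -AutoSize

if ($RemoveEveryone -and ($weak.Sid -contains 'S-1-1-0')) {
    # Drops explicit ACEs for Everyone only; inherited ACEs must be fixed on the parent key.
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    $acl.PurgeAccessRules($everyone)
    Set-Acl -Path $KeyPath -AclObject $acl
}
```

Any row in the output is a principal that can rewrite the stored password and "AuthRequired" settings; extend the allow-list only for accounts that are meant to administer WinVNC.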

