Bugtraq mailing list archives

RE: VNC authentication weakness

From: "Andrew van der Stock" <avanderstock () b-sec com au>
Date: Fri, 26 Jul 2002 14:09:27 +1000


This weakness has been documented for some time. Most have been
documented in print (Hacking Exposed 3rd edition, pp 539-543,
particularly p542). 

The other issues that haven't been covered off before include:

* NT 4.0 default registry permissions are weak, and allow normal users
to replace the crypted password with one of their own in HKLM.

* Under all versions of VNC, it's not clear when the HKCU version will
be used. The code will quite happily use the one in HKCU (if it exists)
under most circumstances from my own testing. This can be a problem if a
user runs the app version of VNC (requires no special privileges). 

* many of the servers do not adequately check DNS results before doing a
log with a %s format string. (Not normally exploitable - logging is
rarely turned on).

* it may be possible to attack the mini-web server turned on by default.
I've had limited success in looking at this issue because I don't
normally do shellcode (prefer fixing the problem), and thus my limited
l33tness has hampered my exploiting this issue. It's there if you go
through the code. Fairly sure a .. exploit of some form is possible.

So what can be done? TightVNC 1.2.5 for Win32 should have an routine or
two to tighten up registry security on NT platforms (NT 4.0 SP3 and
later), and the location of the password should be moving to the LSA
secrets area.

I've explicitly asked Constantin to turn off the mini-web server by
default (search the tightvnc mail lists back about 8 months). Those
sites that need it, will turn it back on. I've never used it. Don't know
many sites that do. 

But here is a longer term solution: 

I've been working on RFB 4.0 for some time. A major feature is that it
replaces the default authenticator with SRP, ditching the 3DES C/R
completely. The proposal is not complete as yet, but the SRP portion is.
Beyond completing a few things in there in ABNF, the protocol
description is nearly complete. The trick then is to get the currently
active projects to support it. 

If people are interested in reviewing the security of the protocol and
suggest improvements, please do so. 

The PDF can be downloaded from here:
http://www.evilsecurity.com/vnc/

Direct link to the PDF:
http://www.evilsecurity.com/vnc/rfb40-draft6.pdf

Direct link to the Word and Visio source files in case you wish to
provide comments back in a marked up form:
http://www.evilsecurity.com/vnc/rfb.zip 

Remember - this is a draft specification, and beyond a grammar checker
that I have written to test the protocol (more on that to come), it
doesn't actually exist in code form yet.

Thanks,
Andrew van der Stock

Current thread:

VNC authentication weakness jepler (Jul 24)
- Re: VNC authentication weakness David Frascone (Jul 24)
  - Re: VNC authentication weakness Iván Arce (Jul 24)
- Re: VNC authentication weakness Jack Lloyd (Jul 25)
  - Re: VNC authentication weakness Constantin Kaplinsky (Jul 26)
- Re: VNC authentication weakness Andreas Beck (Jul 25)
  - Re: VNC authentication weakness David Wagner (Jul 25)
    - Re: VNC authentication weakness Mitch Adair (Jul 26)
    - Re: VNC authentication weakness Jose Nazario (Jul 26)
    - Re: VNC authentication weakness Ariel Waissbein (Jul 27)
- <Possible follow-ups>
- RE: VNC authentication weakness Andrew van der Stock (Jul 26)
- Re: VNC authentication weakness Kragen Sitaker (Jul 28)
  - Re: VNC authentication weakness Theo de Raadt (Jul 29)
    - Re: VNC authentication weakness Nate Lawson (Jul 29)
    - Re: VNC authentication weakness Mike Porter (Jul 30)
  - Re: VNC authentication weakness David Wagner (Jul 29)
    - Re: VNC authentication weakness David Malone (Jul 30)