Bugtraq mailing list archives

Vulnerability in the way Ultr@VNC-1.0.1 handles MS-Logon Authentication.


From: gdehanot () asia-global-risk com
Date: 3 May 2006 06:40:40 -0000

AGR IT Advisory
May 2, 2006
AGR-ADV-2006-01

TITLE: Vulnerability in the way Ultr@VNC-1.0.1 handles MS-Logon Authentication.

Overview

Deon Force discovered a vulnerability in Ultr@VNC 1.0.1 and earlier versions with MS-Logon I and MS-Logon II 
authentication that may allow attackers to crack the Windows password directly from the intercepted challenge response 
of MS-Logon traffic. This is due to the way Ultr@VNC handles the MS-Logon authentication.

Description

Ultr@VNC (available at http://ultravnc.sourceforge.net/) is free software that can display the screen of another 
computer (via the Internet or a local network) on your own screen. The program remotely controls the other PC over any TCP/IP 
connection for administration and support.
While analyzing the MS-Logon authentication of Ultr@VNC, our team found that it is possible to crack the MS-Logon 
authentication. It uses a simple algorithm to generate a response from the challenge sent by the VNC server to the VNC 
client, and the username is sent in plain text. 
Our team has made an update to VNCrackX4 which is capable of cracking the intercepted challenge response of the 
MS-Logon authentication. It is based on the original version of VNCrackX4 from phenoelit, available for download at 
www.phenoelit.de/vnccrack/download.html. The updated version of VNCrackX4 is or will be available at the same location.

Problems

The challenge response authentication process involves an insecure and reversible algorithm (XOR).
An attacker can extract the Windows password from the intercepted challenge/response.
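As an added illustration (not code from the advisory or from the Ultr@VNC project) of why an XOR-based challenge/response gives the secret away to anyone who records the exchange, beside a keyed-hash variant that does not. The toy `xor_response` is an assumed model of this class of weakness, not a reproduction of the MS-Logon wire format; all sample values are constructed.

```python
import hashlib
import hmac

# Toy model of a reversible challenge/response (the class of weakness the
# advisory describes). The secret and the challenge are assumed to have the
# same length; this is NOT the real MS-Logon algorithm.
def xor_response(challenge: bytes, secret: bytes) -> bytes:
    # The response is simply the secret XORed with the challenge, byte by byte.
    return bytes(c ^ s for c, s in zip(challenge, secret))

def recover_secret_from_xor(challenge: bytes, response: bytes) -> bytes:
    # XOR is its own inverse: seeing both values yields the secret directly.
    return bytes(c ^ r for c, r in zip(challenge, response))

# Keyed-hash challenge/response: the response still depends on the secret, but
# a passive observer cannot invert SHA-256 to get it back from the exchange.
def hmac_response(challenge: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, challenge, hashlib.sha256).digest()

def hmac_verify(challenge: bytes, response: bytes, secret: bytes) -> bool:
    # Server-side check, using a constant-time comparison.
    return hmac.compare_digest(hmac_response(challenge, secret), response)

def demo(secret: bytes = b"S3cretPw",
         challenge: bytes = b"\x10\x20\x30\x40\x50\x60\x70\x80") -> dict:
    # Constructed sample values; an observer sees only challenge and response.
    weak = xor_response(challenge, secret)
    leaked = recover_secret_from_xor(challenge, weak)
    strong = hmac_response(challenge, secret)
    return {
        "xor_leaks_secret": leaked == secret,
        "hmac_accepts_correct": hmac_verify(challenge, strong, secret),
        "hmac_rejects_wrong": hmac_verify(challenge, strong, b"WrongPw1"),
    }

if __name__ == "__main__":
    print(demo())
```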

Impact

Successfully sniffing the authentication session will compromise the Windows account used for authentication.
This account can further be used to compromise the system or other systems in the same domain or network.

Solution

We recommend not using the MS-Logon authentication method with Ultr@VNC until the algorithms used for authentication are 
improved.
A workaround to this vulnerability would be to use end-to-end encryption for the communication between the server and 
the client. Implementing a VPN solution could prevent an attacker from intercepting the session authentication exchange.
Another solution is to use the DSM Plug-in available at http://msrc4plugin.home.comcast.net/index.html provided that 
the key file is kept secure.

Credit

This vulnerability was discovered and researched by Deon Force. It was first reported to the Ultr@VNC team on 21 April 
2006.

Copyright

This document is not to be edited or altered in any way without the express written consent of AGR(B) Sdn. Bhd. If you 
wish to reprint the whole or any part of this document, please email no_sp@m_support () asia-global-risk com for 
permission. You may provide links to this document from your web site, and you may make copies of this document in 
accordance with international copyright laws. 

Disclaimer

The information within this document may change without notice. Use of this information constitutes acceptance for use 
in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any 
use of this information is at the user's risk. In no event shall the author/distributor be held liable for any damages 
whatsoever arising out of or in connection with the use or spread of this information.

About Deon Force

Deon Force is a team of security experts working in collaboration with Asia Global Risk.

About Asia Global Risk

Asia Global Risk is a risk management company providing a wide range of security services, including IT security.
Website: http://www.asia-global-risk.com

Revisions:

Version 0.1, April 21, 2006 – Draft version.
Version 1.0, May 2, 2006 – First public version.
An updated version of this document may be found at this address: 
http://www.asia-global-risk.com/IT/AGR_IT_ADV_2006-01-VNC.pdf

