RealVNC Exploit

Thread: RealVNC Exploit

  1. #1
    Senior Member Deeboe
    Join Date
    Nov 2005
    Posts
    185

    RealVNC Exploit

    Hey there kids! Just read the following on SANS:

    Found here: http://isc.sans.org/
    RealVNC Exploits, Bleeding Snort Signature
    Published: 2006-05-16

    Update: Matt Jonkman posted some signatures to bleeding snort that identifies the exploit attempt. Matt reports good success with these so far. I'll do some testing with them tomorrow. http://www.bleedingsnort.com/cgi-bin...NC?view=markup

    Given the details of the RealVNC vulnerability that were disclosed this morning (May 15) on Full Disclosure, exploits are now being released. This note is to alert our readers that the exploit is trivial and very effective. (In fact, you can modify a VNC client to exploit the vulnerability with very little code changes -- around 1 line.)

    Administrators should be scanning their networks for open VNC servers (typically on TCP port 5900). You want to upgrade any VNC servers that give you protocol above 3.3. You can use the service detection in nmap to get the protocol number.

    We can't confirm that VNC servers from other projects like TightVNC or UltraVNC are vulnerable - I don't think they are vulnerable. At this time, it only appears that RealVNC servers are vulnerable. Unfortunately, there doesn't seem to be a way to determine which software the remote end is running. You only get to see the protocol number.

    Unless you like to have unauthorized folks moving your mouse around the screen, you are strongly urged to upgrade to the latest RealVNC release. Also, you should consider binding the VNC daemon to 127.0.0.1 and tunnelling the VNC traffic through an SSH tunnel, which will provide you with stronger authentication mechanisms. Google "vnc over ssh" for more detailed instructions on how to accomplish this on your platform of choice.
    Also, I noticed that Metasploit has an exploit for this already. Here is a short description of the vulnerability from Metasploit:

    http://metasploit.com/projects/Frame...lvnc_41_bypass
    This module exploits an authentication bypass flaw in version 4.1.0 and 4.1.1 of the RealVNC service. This module acts as a proxy between a VNC client and a vulnerable server. Credit for this should go to James Evans, who spent the time to figure this out after RealVNC released a binary-only patch.
    The Secunia warning: http://secunia.com/advisories/20107/

    Watch your arses!

    -Deeboe
    If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
    - Sun Tzu, The Art of War

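The SANS note above tells admins to scan for open VNC servers on TCP 5900 and flag anything advertising a protocol above 3.3. The script below is an added example (not from the SANS post or this thread) that does exactly that triage: it parses the RFB ProtocolVersion banner a VNC server sends first and applies the "above 3.3" rule. The host addresses and banners in SAMPLE_BANNERS are constructed for the example; grab_banner() is the only part that touches the network and is optional.

```python
import re
import socket

# Constructed sample data: host -> first bytes received on TCP 5900.
# A VNC server greets the client with the 12-byte string "RFB xxx.yyy\n".
SAMPLE_BANNERS = {
    "10.0.0.5": b"RFB 003.008\n",                 # RealVNC 4.x era server
    "10.0.0.6": b"RFB 003.003\n",                 # old 3.3 server, not flagged
    "10.0.0.7": b"RFB 003.007\n",
    "10.0.0.8": b"HTTP/1.0 400 Bad Request\r\n",  # something else on 5900
}

RFB_BANNER = re.compile(rb"^RFB (\d{3})\.(\d{3})\n$")


def parse_rfb_version(banner):
    """Return (major, minor) from an RFB ProtocolVersion banner, or None if not RFB."""
    m = RFB_BANNER.match(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def needs_upgrade(version, baseline=(3, 3)):
    """SANS rule: a VNC server advertising a protocol above 3.3 should be upgraded."""
    return version is not None and version > baseline


def triage(banners):
    """Classify hosts: 'upgrade', 'ok' (3.3 or below), or 'not-vnc'."""
    result = {}
    for host, banner in banners.items():
        version = parse_rfb_version(banner)
        if version is None:
            result[host] = "not-vnc"
        else:
            result[host] = "upgrade" if needs_upgrade(version) else "ok"
    return result


def grab_banner(host, port=5900, timeout=3.0):
    """Read the 12-byte ProtocolVersion message from a live server (network access)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = b""
        while len(data) < 12:          # recv() may return fewer bytes than asked
            chunk = s.recv(12 - len(data))
            if not chunk:
                break
            data += chunk
        return data


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_BANNERS).items():
        print(host, verdict)
```

Feed grab_banner() results for your own hosts into triage() to get the same verdicts on live data.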

  2. #2
    Thanks! We use VNC religiously for all our clients, so this is vital to know.

  3. #3
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Originally posted here by AngelicKnight
    Thanks! We use VNC religiously for all our clients, so this is vital to know.
    Even without this exploit perhaps this isn't the greatest of ideas? Have you considered an alternative?
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  4. #4
    I would, but I'm just the minion, not the decision maker on that front. As an IT outsourcing company, we use VNC to connect to our clients' machines remotely, so all the techs use either real, tight, or ultra VNC.

    Open to suggestions though...

  5. #5
    Junior Member
    Join Date
    May 2005
    Posts
    11
    Hi,

    The last versions of RealVNC aren't vulnerable:

    RealVNC RealVNC Personal Edition 4.2.3
    RealVNC RealVNC Enterprise Edition 4.2.3
    RealVNC RealVNC 4.1.2

    You can download them from: http://www.realvnc.com/download.html
    -

  6. #6
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Originally posted here by AngelicKnight
    I would, but I'm just the minion, not the decision maker on that front. As an IT outsourcing company, we use VNC to connect to our clients' machines remotely, so all the techs use either real, tight, or ultra VNC.

    Open to suggestions though...
    Even as a minion I'd still recommend making the suggestion that the practice might not be the best from a security standpoint... Then because of the way I am... if they did nothing, I'd start mentioning it while dealing with clients... that you're leaving a big gaping security hole... That'll put some pressure on the company from clients as well (but that's just me... I'm a bastard like that)...


    Dameware is a great alternative... Citrix (Something like GoToAssist)... or even *gasp* Remote Desktop... These would all be better alternatives to using VNC...

    The only way I ever support VNC is when done internally (Although then you still have internal risks) or when done over VPN (Still the internal risks though)... I like VPN and Remote Desktop personally...

    Peace,
    HT

  7. #7
    Actually, we only do it over VPN as well. I should have thought to mention that. We never use VNC outside of a secure Cisco Pix VPN connection.

  8. #8
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    if you know the network is secure and the people are trustworthy I really think you don't have much to worry about.

    a real nice solution in a trusted environment is "gencontrol". it pushes tight vnc to the remote you need to work on then removes it when it's done. someone on this site had something to do with making it...can't remember who. but it is very cool:

    http://www.gensortium.com/products/gencontrol.html. you're allowed or disallowed access depending on status of your account (NTLM). if crab ass security is not required this is perfect
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  9. #9
    Leftie Linux Lover the_JinX
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,535
    I updated the two internet-facing machines..
    They have Enterprise Edition..

    Should be safe for now..

    Both machines also have 'windows authentication' after VNC (the [ctrl]+[alt]+[delete] kind)
    So it wouldn't even be that bad if exploited..
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  10. #10
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Originally posted here by Tedob1
    if you know the network is secure and the people are trustworthy I really think you don't have much to worry about.

    a real nice solution in a trusted environment is "gencontrol". it pushes tight vnc to the remote you need to work on then removes it when it's done. someone on this site had something to do with making it...can't remember who. but it is very cool:

    http://www.gensortium.com/products/gencontrol.html. you're allowed or disallowed access depending on status of your account (NTLM). if crab ass security is not required this is perfect
    It was slarty and it's absolutely wonderful software... I've used it in both domains I've worked in that I had admin access..

    I'm really surprised at the number of people relying on VNC... To me VNC has always been a home user's cheap solution... Sure the alternatives cost money (well not so much with remote desktop) but given them vs. VNC, I'd rather the alternative... even if I had to pay for it.

    Peace,
    HT
