RealVNC Exploit

[Deeboe]

Hey there kids! Just read the following on SANS:

Found here: http://isc.sans.org/
RealVNC Exploits, Bleeding Snort Signature
Published: 2006-05-16

Update: Matt Jonkman posted some signatures to bleeding snort that identifies the exploit attempt. Matt reports good success with these so far. I'll do some testing with them tomorrow. http://www.bleedingsnort.com/cgi-bin...NC?view=markup

Given the details of the RealVNC vulnerability that were disclosed this morning (May 15) on Full Disclosure, exploits are now being released. This note is to alert our readers that the exploit is trivial and very effective. (In fact, you can modify a VNC client to exploit the vulnerability with very little code changes -- around 1 line.)

Administrators should be scanning their networks for open VNC servers (typically on TCP port 5900). You want to upgrade any VNC servers that give you protocol above 3.3. You can use the service detection in nmap to get the protocol number.

We can't confirm that VNC servers from other projects like TightVNC or UltraVNC are vulnerable - I don't think they are vulnerable. At this time, it only appears that RealVNC servers are vulnerable. Unfortunately, there doesn't seem to determine which software the remote end is running. You only get to see the protocol number.

Unless you like to have unauthorized folks moving your mouse around the screen, you are strongly urged to upgrade to the latest RealVNC release. Also, you should consider binding the VNC daemon to 127.0.0.1 and tunnelling the VNC traffic through an SSH tunnel, which will provide you with stronger authentication mechanisms. Google "vnc over ssh" for more detailed instructions on how to accomplish this on your platform of choice.

Also, I noticed that Metaploit is has a an exploit for this already. Here is a short description of the vulnerability from Metasploit:

http://metasploit.com/projects/Frame...lvnc_41_bypass
This module exploits an authentication bypass flaw in version 4.1.0 and 4.1.1 of the RealVNC service. This module acts as a proxy between a VNC client and a vulnerable server. Credit for this should go to James Evans, who spent the time to figure this out after RealVNC released a binary-only patch

The Secunia warning: http://secunia.com/advisories/20107/

Watch your arse's!

-Deeboe

[AngelicKnight]

Thanks! We use VNC religiously for all our clients, so this is vital to know.

[HTRegz]

Originally posted here by AngelicKnight
Thanks! We use VNC religiously for all our clients, so this is vital to know.

Even without this exploit perhaps this isn't the greatest of ideas? Have you considered an alternative?

[AngelicKnight]

I would, but I'm just the minion, not the decision maker on that front. As an IT outsourcing company, we use VNC to connect to our clients' machines remotely, so all the techs use either real, tight, or ultra VNC.

Open to suggestions though...

[hknetmaster]

Hi,

The last versions of RealVNC aren't vulnerable:

RealVNC RealVNC Personal Edition 4.2.3
RealVNC RealVNC Enterprise Edition 4.2.3
RealVNC RealVNC 4.1.2

You can download them from: http://www.realvnc.com/download.html

[HTRegz]

Originally posted here by AngelicKnight
I would, but I'm just the minion, not the decision maker on that front. As an IT outsourcing company, we use VNC to connect to our clients' machines remotely, so all the techs use either real, tight, or ultra VNC.

Open to suggestions though...

Even as a minion I'd still recommend making the suggestion that the practice might not be the best from a security stand point... Then because of the way I am... if they did nothing, I'd start mentioning it while dealing with clients... that you're leaving a big gaping security hole... That'll put some pressure on the company from clients as well (but that's just me... I'm a bastard like that)...


Dameware is a great alternative... Citrix (Something like GoToAssist)... or even *gasp* Remote Desktop... These would all be better alternatives to using VNC...

The only way I ever support VNC is when done internally (Although then you still have internal risks) or when done over VPN (Still the internal risks though)... I like VPN and Remote Desktop personally...

Peace,
HT

[AngelicKnight]

Actually, we onlly do it over VPN as well. I should have thought to mention that. We never use VNC outside of a secure Cisco Pix VPN connection.

[Tedob1]

if you know the network is secure and the people are trustworth i really think youdont have much to worry about.

a real nice solution in a trusted invironment is "gencontrol". it pushes tight vnc to the remote you need to work on then removes it when its done. someone on this site had something to do with making it...can't remember who. but it is very cool:

http://www.gensortium.com/products/gencontrol.html. your allowed or disallowed access depending on status of your account (NTLM). if crab ass security is not required this is perfect

[the_JinX]

I updated the two internet-facing machines..
They have Enterprise Edition..

Should be safe for now..

Both machines also have 'windows authentication' after VNC (the [ctrl]+[alt]+[delete] kind)
So it wouldn't even be that bad if exploited..

[HTRegz]

Originally posted here by Tedob1
if you know the network is secure and the people are trustworth i really think youdont have much to worry about.

a real nice solution in a trusted invironment is "gencontrol". it pushes tight vnc to the remote you need to work on then removes it when its done. someone on this site had something to do with making it...can't remember who. but it is very cool:

http://www.gensortium.com/products/gencontrol.html. your allowed or disallowed access depending on status of your account (NTLM). if crab ass security is not required this is perfect

It was slarty and it's absolutely wonderful software... I'ved used it in both domains I've worked in that I had admin access..

I'm really surprised at the number of people relying on VNC... To me VNC has always been a home users cheap solution... Sure the alternatives cost money (well not so much with remote desktop) but given them vs. VNC, I'd rather the alternative... even if I had to pay for it.

Peace,
HT