RE: VNC authentication weakness

From: Andrew van der Stock (avanderstock@b-sec.com.au)
Date: Thu Jul 25 2002 - 21:09:27 PDT

Next message: http-equivat_private: "Re: [Full-Disclosure] Re: UPDATE: Re: REFRESH: EUDORA MAIL 5.1.1"

Previous message: http-equivat_private: "Re: [Full-Disclosure] Re: UPDATE: Re: REFRESH: EUDORA MAIL 5.1.1"
Maybe in reply to: jeplerat_private: "VNC authentication weakness"
Next in thread: Kragen Sitaker: "Re: VNC authentication weakness"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This weakness has been documented for some time. Most have been
documented in print (Hacking Exposed 3rd edition, pp 539-543,
particularly p542). 

The other issues that haven't been covered off before include:

* NT 4.0 default registry permissions are weak, and allow normal users
to replace the crypted password with one of their own in HKLM.

* Under all versions of VNC, it's not clear when the HKCU version will
be used. The code will quite happily use the one in HKCU (if it exists)
under most circumstances from my own testing. This can be a problem if a
user runs the app version of VNC (requires no special privileges). 

* many of the servers do not adequately check DNS results before doing a
log with a %s format string. (Not normally exploitable - logging is
rarely turned on).

* it may be possible to attack the mini-web server turned on by default.
I've had limited success in looking at this issue because I don't
normally do shellcode (prefer fixing the problem), and thus my limited
l33tness has hampered my exploiting this issue. It's there if you go
through the code. Fairly sure a .. exploit of some form is possible.

So what can be done? TightVNC 1.2.5 for Win32 should have an routine or
two to tighten up registry security on NT platforms (NT 4.0 SP3 and
later), and the location of the password should be moving to the LSA
secrets area.

I've explicitly asked Constantin to turn off the mini-web server by
default (search the tightvnc mail lists back about 8 months). Those
sites that need it, will turn it back on. I've never used it. Don't know
many sites that do. 

But here is a longer term solution: 

I've been working on RFB 4.0 for some time. A major feature is that it
replaces the default authenticator with SRP, ditching the 3DES C/R
completely. The proposal is not complete as yet, but the SRP portion is.
Beyond completing a few things in there in ABNF, the protocol
description is nearly complete. The trick then is to get the currently
active projects to support it. 

If people are interested in reviewing the security of the protocol and
suggest improvements, please do so. 

The PDF can be downloaded from here:
http://www.evilsecurity.com/vnc/

Direct link to the PDF:
http://www.evilsecurity.com/vnc/rfb40-draft6.pdf

Direct link to the Word and Visio source files in case you wish to
provide comments back in a marked up form:
http://www.evilsecurity.com/vnc/rfb.zip 

Remember - this is a draft specification, and beyond a grammar checker
that I have written to test the protocol (more on that to come), it
doesn't actually exist in code form yet.

Thanks,
Andrew van der Stock

Next message: http-equivat_private: "Re: [Full-Disclosure] Re: UPDATE: Re: REFRESH: EUDORA MAIL 5.1.1"
Previous message: http-equivat_private: "Re: [Full-Disclosure] Re: UPDATE: Re: REFRESH: EUDORA MAIL 5.1.1"
Maybe in reply to: jeplerat_private: "VNC authentication weakness"
Next in thread: Kragen Sitaker: "Re: VNC authentication weakness"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Jul 26 2002 - 07:00:48 PDT