|
|
VNC Flaw - Proof of concept
Update (June 2006): We have created a vulnerability testing tool . It is free, and can be downloaded from here
Update 5/12/2006: We contacted the RealVNC team with our findings. They were able to verify the flaw, and release a fix within only a few short hours. I would highly suggest downloading 4.1.2 if you are running RealVNC on any internet facing computers - Steve
In our previous post I discussed a flaw in VNC that we discovered by accident. It essentially allows you to access a host running Real VNC 4 without knowing the password.
I have put together a proof of concept web application. If you visit this page from the server or machine running VNC, it will attempt to connect back and display a snapshot. If it says your safe - then hey your safe. If not, you got to wonder how many million people have this installed and they have a wide open security flaw.
Now it is still possible we are wrong, since every machine we have had the chance to test has been touched by our software. Try it and see if you are vulnerable - and remember you need to browse to the testing page *from* the machine running VNC, and this machine and VNC port has to be accessible from the Internet.
Posted By: Steve Wiseman on Wednesday, May 10, 2006
Check out our administration tools for windows
How to setup a logon script on your Windows 2000/2003 Active Directory Network
We are still looking through our code to find the reason for the flaw in VNC 4 - we will keep you updated as we find more.
On to another question. It may be easy for some of you, but setting up a logon script in active directory is not always that simple. Lets walk through setting one up.
First, open "Active Directory Users and Computers" on the domain controller
Now right click on the user you want to have the logon script and select the properties menu.
A properties dialog like the one shown below will appear. Select the 'Profile' Tab
Here is the confusing part. If I just put any old batch file name in the logon script field, where does windows try to find it from?
Lets find out. First, type in this field 'logon.bat'
Click OK.
Now, we need to find the folder where the server loads logon scripts. It follows this format:
\\(SERVERNAME)\sysvol\(DOMAIN NAME)\scripts
So, if my server was named DCServer1, and my domain was intelliadmin.com, we would browse to this path:
\\DCServer1\sysvol\intelliadmin.com\scripts
Now that we know where to put it, creating the script is easy. Just open up notepad, and write your batch file. For our test batch file we will put in a line that loads our profile generator for Microsoft Outlook XP
We are done with the script, so we save the text file as:
\\DCServer1\sysvol\intelliadmin.com\scripts\logon.bat
Now, the next time this user logs in, they will load the login script.
Posted By: Steve Wiseman on Wednesday, May 10, 2006
Check out our administration tools for windows
Security flaw in RealVNC 4.1.1
Update (June 2006): We have created a vulnerability testing tool . It is free, and can be downloaded from here
Update (05/10/2006) - We have contacted the RealVNC team. Quickly they released a new version that fixed the security issue. If you are running WinVNC 4.1.1 I suggest you get to www.realvnc.com today and update your software.
Update (05/08/2006) - We have installed RealVNC 4.1.1 on as many fresh computers as possible. We wanted to make sure this is a real problem - indeed it is. Every single time we were able to access the machine without a valid password. We are still trying to see what is different about our viewer that exposes this flaw.
We are currently developing a new product that would allow users to remotely install VNC, and manage current VNC installations.
Our viewer is totally 100% new code that we created from the VNC spec and not from the open source Real VNC source tree.
I got a big surprise today when I was testing the viewer code: I was able to view the remote machine without the proper password!
It had to be some type of mistake, so I installed Real VNC 4.1.1 on a test machine:
I set the password to a really huge value that I could not have possibly left in our code by accident. Got back on the development machine and clicked connect:
Instantly I had a view of the remote machine!
I started to wonder how widespread this flaw was so I downloaded TightVNC, and UltraVNC. They are immune. Both of them reject my connection right away.
Then I downloaded RealVNC 4.0 and installed it on another fresh test machine. Same thing as Tight and Ultra - I get disconnected right away.
So it looks like a flaw is in the current RealVNC 4.1.1 authentication process. I am not going to give any clues as to what it is until I can figure it out totally, and promptly let the RealVNC team know so they can resolve the issue.
Please note that I have only tested this on the windows versions of the above software.
Posted By: Steve Wiseman on Monday, May 08, 2006
Check out our administration tools for windows
Reboot computers on your network
We just released a new version of our freeware remote reboot utility. It is a replacement for one we have had on our site for quite some time now. We added the ability to manually pick a hostname, and pick alternate credentials
No extra dlls, or .net runtimes are required. It just runs without any installation, and can be downloaded from our site. As always no spyware, adware - Just freeware goodness.
Requires at least Windows 2000.
Posted By: Steve Wiseman on Sunday, May 07, 2006
Check out our administration tools for windows
|
 |
