Update (June 2006): We have created a vulnerability testing tool . It is free, and can be downloaded from here
Update 5/12/2006: We contacted the RealVNC team with our findings. They were able to verify the flaw, and release a fix within only a few short hours. I would highly suggest downloading 4.1.2 if you are running RealVNC on any internet facing computers – Steve
In our previous post I discussed a flaw in VNC that we discovered by accident. It essentially allows you to access a host running Real VNC 4 without knowing the password.
I have put together a proof of concept application (VNC Flaw Test). If you visit this page from the server or machine running VNC, it will attempt to connect back and display a snapshot. If it says your safe – then hey your safe. If not, you got to wonder how many million people have this installed and they have a wide open security flaw.
Now it is still possible we are wrong, since every machine we have had the chance to test has been touched by our software. Try it and see if you are vulnerable – and remember you need to browse to the testing page *from* the machine running VNC, and this machine and VNC port has to be accessible from the Internet.
One more thing…Subscribe to my newsletter and get 11 free network administrator tools, plus a 30 page user guide so you can get the most out of them. Click Here to get your free tools