Date: 3 May 2006 06:40:40 -0000
From: gdehanot@...a-global-risk.com
To: bugtraq@...urityfocus.com
Subject: Vulnerability in the way Ultr@...-1.0.1 handles MS-Logon
 Authentication.


AGR IT Advisory
May 2, 2006
AGR-ADV-2006-01

TITLE: Vulnerability in the way Ultr@...-1.0.1 handles MS-Logon Authentication.

Overview

Deon Force discovered a vulnerability in Ultr@VNC 1.0.1 and earlier versions with MS-Logon I and MS-Logon II authentication that may allow attackers to crack the windows password directly from the intercepted challenge response of MS-Logon traffic. This is due to the way Ultr@VNC handle the MS-Logon authentication.

Description

Ultr@VNC (available at http://ultravnc.sourceforge.net/) is a free software that can display the screen of another computer (via internet or network) on your own screen. The program remotely controls the other PC over any TCP/IP connection for administering and support.
While analyzing the MS-Logon authentication of Ultr@VNC, our team had found that it is possible to crack the MS-Logon authentication. It uses a simple algorithm to generate a response from the challenge sent by the VNC server to the VNC client and the username is sent in plain text. 
Our team has made an update to the VNCrackX4 which is capable to crack the intercepted challenge response of the MS-Logon authentication. It is based on the original version of VNCrackX4 from phenoelit available for download at www.phenoelit.de/vnccrack/download.html. The updated version of VNCrackX4 is or will be available at the same location.

Problems

The challenge response authentication process involve insecure and reversible algorithm (XOR).
An attacker can extract the windows password from the intercepted challenge // response.

Impact

Successfully sniffing the authentication session will compromise the windows account used for authentication.
This account can further be used to compromise the system or other system in the same domain or network.

Solution

We recommend not to use MS-Logon authentication method with Ultr@VNC until the algorithms used for authentication are improved.
A workaround to this vulnerability would be to use end-to-end encryption for the communication between the server and the client. Implementing a VPN solution could prevent an attacker from intercepting the session authentication exchange.
Another solution is to use the DSM Plug-in available at http://msrc4plugin.home.comcast.net/index.html provided that the key file is kept secure.

Credit

This vulnerability was discovered and researched by Deon Force. It was first reported to the Ultr@VNC team on 21 April 2006.

Copyright

This document is not to be edited or altered in any way without the express written consent of AGR(B) Sdn. Bhd. If you wish to reprint the whole or any part of this document, please email no_sp@...upport@...a-global-risk.com for permission. You may provide links to this document from your web site, and you may make copies of this document in accordance with international copyright laws. 

Disclaimer

The information within this document may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

About Deon Force

Deon Force is a team of security experts working in collaboration with Asia Global Risk.

About Asia Global Risk

Asia Global Risk is a risk management company providing a wide range of security services, including IT security.
Website: http://www.asia-global-risk.com

Revisions:

Version 0.1 April 21 -2006 – Draft version.
Version 1.0 May 2 -2006 – First Public Version.
An updated version of this document may be found at this address: http://www.asia-global-risk.com/IT/AGR_IT_ADV_2006-01-VNC.pdf

Powered by blists - more mailing lists