Open Source and information security mailing list archives
 
Message-ID: <42B6CD9D.304@phreaker.net>
Date: Mon Jun 20 15:11:09 2005
From: class101 at phreaker.net (class101@...eaker.net)
Subject: Re: RealVNC/WinVNC Multiple vulnerabilities


"RealVNC4 NULL Session" means "no authentication", and there are tons of
VNCs using this UNsecured option.

As in my scan, Radmin21 NULL Session also means "no authentication",
but they removed it in radmin22; do the same, because in some days
ISC SANS is gonna cry on 5900 :)

There is no SSL? Well, I have used what many VNCs on the internet are
returning, and on some I got:

"RFB 103 006

the connection could not be established because SSL 3.0/TLS 1.0
encryption is required"

Prolly a mod from your src code; anyway, thanx for letting me know :)


James Weatherall wrote:

> "Class101",
>
> VNC has always provided the option to operate without requiring
> authentication, there is no such thing as a "RealVNC4 NULL
> Session", and VNC has never used SSL encryption, so I'm afraid it
> sounds like someone's been telling you porkies!
>
> The output that you've included just seems to show that (assuming
> "passworded" means "was able to guess password") your VNC Servers
> have been configured with poorly chosen passwords.
>
> Of course, if you think you know of any viable attacks on VNC
> servers then feel free to get in touch.
>
> Cheers,
>
> Wez @ RealVNC Ltd.
>
>
>> -----Original Message-----
>> From: vnc-list-admin@...lvnc.com [mailto:vnc-list-admin@...lvnc.com]
>> On Behalf Of class101@...eaker.net
>> Sent: 19 June 2005 15:35
>> To: vnc-list@...lvnc.com
>> Cc: Full-Disclosure
>> Subject: RealVNC/WinVNC Multiple vulnerabilities
>>

> Two simple vulnerabilities which may lead to an OS guess + null
> session + several other infos while scanning port 5900; low risk
> on paper but high online risk:
>
> My 2 cent suggestion to the RealVNC team would be to totally remove
> this "No Authentication" option, which wasn't present in the old, old
> winvnc, and to standardize what all your servers answer, to
> restrict the guessing of private information.
>
>
> Quick screenshot (of a simple dfind scanning test on a range that I
> thought was really secured :>):
>
> ***.7.41:5900 realvnc4 ssl encryption
> ***.16.83:5900 realvnc4 passworded (free ed. win32)
> ***.16.91:5900 realvnc4 passworded (free ed. win32)
> ***.16.113:5900 realvnc4 passworded (free ed. win32)
> ***.16.163:5900 realvnc4 passworded (free ed. x86/SPARC/HPUX)
> ***.16.180:5900 realvnc4 passworded (free ed. x86/SPARC/HPUX)
> ***.16.202:5900 RealVNC4 NULL Session (free ed. x86/SPARC/HPUX)
> ***.16.237:5900 realvnc4 passworded (free ed. x86/SPARC/HPUX)
> ***.22.217:5900 realvnc4 passworded (free ed. x86/SPARC/HPUX)
> ***.29.91:5900 realvnc4 passworded (free ed. x86/SPARC/HPUX)
> ***.29.92:5900 RealVNC4 NULL Session (perso/enterp ed. win32 encryption:OFF)
> ***.29.93:5900 realvnc4 passworded (free ed. x86/SPARC/HPUX)
> ***.29.157:5900 realvnc4 passworded (perso/enterp ed. win32 encryption:OFF)
> ***.29.201:5900 realvnc4 passworded (free ed. x86/SPARC/HPUX)
> ***.29.234:5900 realvnc4 passworded (free ed. win32)
> ***.35.45:5900 realvnc4 passworded (perso/enterp ed. win32 encryption:ON)
> ***.40.192:5900 RealVNC4 NULL Session (perso/enterp ed. win32 encryption:ON)
>
> If you are seeking more information and you are from
> @realvnc.com, email me, or else look at class101.org and
> hat-squad.com
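
For administrators auditing their own VNC servers, the distinction argued over in this thread (a server that offers the "None" security type versus one that requires a password) can be read from the server's side of the RFB handshake. The following is an added example, not part of the original messages or RealVNC's code; it follows the handshake layout in RFC 6143, and the function names and sample captures are constructed for illustration.

```python
import struct

# Security-type numbers from RFC 6143 section 7.1.2; others are shown by number.
NAMES = {1: "None", 2: "VNC Authentication"}

def _reason(buf: bytes) -> str:
    """Decode the U32-length-prefixed reason string sent with a refusal."""
    if len(buf) < 4:
        return ""
    (n,) = struct.unpack(">I", buf[:4])
    return buf[4:4 + n].decode("latin-1")

def parse_server_handshake(data: bytes) -> dict:
    """Parse captured server-to-client bytes: ProtocolVersion + security offer."""
    if (len(data) < 12 or data[:4] != b"RFB " or data[7:8] != b"."
            or data[11:12] != b"\n"
            or not (data[4:7].isdigit() and data[8:11].isdigit())):
        raise ValueError("non-standard RFB banner; review this host by hand")
    version = (int(data[4:7]), int(data[8:11]))
    body, reason = data[12:], None
    if version >= (3, 7):      # server offers a list, the client picks one
        if not body or len(body) < 1 + body[0]:
            raise ValueError("truncated security-type list")
        types = list(body[1:1 + body[0]])
        if not types:          # count 0 means refusal, reason follows
            reason = _reason(body[1:])
    else:                      # RFB 3.3: server dictates a single U32 type
        if len(body) < 4:
            raise ValueError("truncated security type")
        (t,) = struct.unpack(">I", body[:4])
        types = [t] if t else []
        if not types:
            reason = _reason(body[4:])
    if 1 in types:
        verdict = "no-auth"    # None is on offer, so a session needs no password
    else:
        verdict = "auth-required" if types else "refused"
    offered = [NAMES.get(t, f"type {t}") for t in types]
    return {"version": version, "offered": offered,
            "verdict": verdict, "reason": reason}

# Constructed sample captures (not taken from the scan quoted in the post).
SAMPLES = {
    "host-a": b"RFB 003.008\n\x01\x02",          # VNC Authentication only
    "host-b": b"RFB 003.008\n\x02\x02\x01",      # password OR None offered
    "host-c": b"RFB 003.003\n\x00\x00\x00\x01",  # 3.3 server dictating None
    "host-d": b"RFB 003.008\n\x00\x00\x00\x00\x0bTLS needed.",  # refusal
}

def audit(samples=SAMPLES) -> dict:
    """Map each captured host to its verdict."""
    return {h: parse_server_handshake(b)["verdict"] for h, b in samples.items()}
```

A host that lists "None" alongside a password scheme still counts as "no-auth", because on RFB 3.7 and later the client chooses from the offered list.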
>