Re: [Full-disclosure] Re: RealVNC/WinVNC Multiple vulnerabilities

Can't say I agree that a VNC server implementation should simply refuse
to run in such a mode. There are plenty of situations where you being
able to get to my server implies that I've already suffered a massive
security breach anyway. Under those conditions, I think the "balance"
approach applies: let me use no authentication and maybe I'll use a
half-decent password, or put up with a "real" protection mechanism,
where it really matters. Like how I get in through my firewall, instead
of how I mess around inside it.

Even if this binary is fixed so no-auth isn't possible, if you're
letting your users configure this rather than giving it to them in a
centrally controlled fashion, then perhaps you already have worse
problems, like they can probably install their own software, etc...

Anyway, I guess my point is that it's my humble opinion that you don't
have the right to mandate the security vs. convenience balance for
everyone else.

Just $0.02, obviously,
Cheers,
Simon


--- class <ad@class101.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>  
> > Of course, if you think you know of any viable attacks on VNC
> > servers then feel free to get in touch.
>
> sure I have mailed you a nice list of ip:5900 shomydeskt0p :) funny
> no
> ? good lines ? ;)
>
> > The output that you've included just seems to show that (assuming
> > "passworded" means "was able to guess password") your VNC Servers
> > have been configured with poorly chosen passwords.
>
> passworded mean its passworded , nothing much, my scan doesnt include
> any password brteforce, but it show you how easy it is to scan for
> your app with "No authentications", who is enough crazy thos days to
> add such options ? so easy hacking :)
>
> > > The output that you've included just seems to show that (assuming
> > > "passworded" means "was able to guess password") your VNC
> > > Servers have been configured with poorly chosen passwords.
> >
> >
> >
> >
> >
> > > > -----Original Message----- From: vnc-list-admin@realvnc.com
> > > > [mailto:vnc-list-admin@realvnc.com] On Behalf Of
> > > > class101@phreaker.net Sent: 19 June 2005 15:35 To:
> > > > vnc-list@realvnc.com Cc: Full-Disclosure Subject:
> > > > RealVNC/WinVNC Multiple vulnerabilities
> >
> > > Two simple vulnerabilities wich may lead to an os guess + null
> > > session + several others infos while scanning port 5900, low risk
> > > on paper but high online risk:
> >
> > > My 2cent suggestion to the realvnc team would be to totally
> > > remove this "No Authentication" option wich wasnt present in the
> > > oldold winvnc, and to standardize what is answering all your
> > > servers to restrict the private informations guessing.
> >
> >
> > > quick screenshot( of a simple dfind scanning test on a range that
> > > I thought really secured :>):
> >
> > > ***.7.41:5900 realvnc4 ssl encryption ***.16.83:5900 realvnc4
> > > passworded (free ed. win32) ***.16.91:5900 realvnc4 passworded
> > > (free ed. win32) ***.16.113:5900 realvnc4 passworded (free ed.
> > > win32) ***.16.163:5900 realvnc4 passworded (free ed.
> > > x86/SPARC/HPUX) ***.16.180:5900 realvnc4 passworded (free ed.
> > > x86/SPARC/HPUX) ***.16.202:5900 RealVNC4 NULL Session (free ed.
> > > x86/SPARC/HPUX) ***.16.237:5900 realvnc4 passworded (free ed.
> > > x86/SPARC/HPUX) ***.22.217:5900 realvnc4 passworded (free ed.
> > > x86/SPARC/HPUX) ***.29.91:5900 realvnc4 passworded (free ed.
> > > x86/SPARC/HPUX) ***.29.92:5900 RealVNC4 NULL Session
> > > (perso/enterp ed. win32 encryption:OFF) ***.29.93:5900 realvnc4
> > > passworded (free ed. x86/SPARC/HPUX) ***.29.157:5900 realvnc4
> > > passworded (perso/enterp ed. win32 encryption:OFF)
> > > ***.29.201:5900 realvnc4 passworded (free ed. x86/SPARC/HPUX)
> > > ***.29.234:5900 realvnc4 passworded (free ed. win32)
> > > ***.35.45:5900 realvnc4 passworded (perso/enterp ed. win32
> > > encryption:ON) ***.40.192:5900 RealVNC4 NULL Session
> > > (perso/enterp ed. win32 encryption:ON)
> >
> > > If you are seeking for more informations and you are from
> > > @realvnc.com, email me, or else look at class101.org and
> > > hat-squad.com
> >
> > _______________________________________________ VNC-List mailing
> > list VNC-List@realvnc.com To remove yourself from the list visit:
> > http://www.realvnc.com/mailman/listinfo/vnc-list
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (MingW32)
>  
> iD8DBQFCttl9LyZ8K9aT7rARApBzAJsHl81GPtNFi7tUeNIif8agJO2OoQCZAVjE
> QU7mktxxg1nZbPX+dLKuOqA=
> =gGqf
> -----END PGP SIGNATURE-----
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/