
SANS ISC: RealVNC Exploits SANS ISC InfoSec Forums

RealVNC Exploits
Given the details of the RealVNC vulnerability that were disclosed this morning (May 15) on Full Disclosure, exploits are now being released. This note is to alert our readers that the exploit is trivial and very effective. (In fact, you can modify a VNC client to exploit the vulnerability with very few code changes -- around 1 line.)

Administrators should be scanning their networks for open VNC servers (typically on TCP port 5900). You want to upgrade any VNC servers that report a protocol version above 3.3. You can use the service detection in nmap to get the protocol number.

We can't confirm that VNC servers from other projects like TightVNC or UltraVNC are vulnerable - I don't think they are vulnerable. At this time, it only appears that RealVNC servers are vulnerable. Unfortunately, there doesn't seem to be a way to determine which software the remote end is running. You only get to see the protocol number.

Unless you like to have unauthorized folks moving your mouse around the screen, you are strongly urged to upgrade to the latest RealVNC release.  Also, you should consider binding the VNC daemon to 127.0.0.1 and tunnelling the VNC traffic through an SSH tunnel, which will provide you with stronger authentication mechanisms.  Google "vnc over ssh" for more detailed instructions on how to accomplish this on your platform of choice.

Kyle
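
The protocol-number check described above, as an added example that is not part of the original diary: a VNC server opens the RFB handshake by sending a 12-byte version string such as `RFB 003.008\n`, so an inventory script can read that greeting and flag anything above 3.3 without sending a reply. The function names and the sample banners are constructed for illustration.

```python
import re
import socket

# RFB ProtocolVersion greeting: exactly 12 bytes, e.g. b"RFB 003.008\n"
RFB_BANNER = re.compile(rb"RFB (\d{3})\.(\d{3})\n")


def parse_rfb_banner(data):
    """Return (major, minor) from an RFB greeting, or None if it is not RFB."""
    m = RFB_BANNER.fullmatch(data)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def needs_review(version):
    """Per the diary: servers reporting a protocol above 3.3 are upgrade candidates."""
    return version is not None and version > (3, 3)


def read_banner(host, port=5900, timeout=3.0):
    """Connect, read the server's 12-byte greeting, and close without replying."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        buf = b""
        while len(buf) < 12:
            chunk = s.recv(12 - len(buf))
            if not chunk:  # peer closed before sending a full greeting
                break
            buf += chunk
        return buf


def check_host(host, port=5900):
    """Return (host, version, flagged); version is None if no RFB greeting was seen."""
    try:
        version = parse_rfb_banner(read_banner(host, port))
    except OSError:  # refused, timed out, unreachable
        return host, None, False
    return host, version, needs_review(version)


if __name__ == "__main__":
    # Constructed sample greetings so the example runs offline.
    for banner in (b"RFB 003.003\n", b"RFB 003.007\n", b"RFB 003.008\n", b"SSH-2.0-Open"):
        v = parse_rfb_banner(banner)
        print(banner, v, "REVIEW" if needs_review(v) else "ok / not RFB")
```

As the diary notes, the greeting carries only the protocol number, so a flagged host still has to be checked by hand to see which VNC product and release it runs.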
