Revelation

David Bussenschutt D.Bussenschutt "at" mailbox.gu.edu.au
Fri, 23 Oct 1998 00:36:46 +0000


At 15:32 22/10/98 -0700, Duke Senter wrote:
>I guess I'm missing how this applies to any security concerns for VNC.  I
>don't see where the password is cached in the form of asterisks to be
>viewed/hacked by revelation.
>
>After you type it in the password box revelation will indeed find it, but
>only after someone who knows the password types it in, but before you hit
>'ok' to start the session.  If I'm not mistaken, that leaves about a
>microsecond between me typing in the password and my hitting OK to start
>the session for vulnerability.
>
>Am I missing something?

Yes you are.

If you have the WinVNC Icon in the system tray you double click that to get
the settings. If you don't (or even if you do) then 
start-run- "c:\program files\orl\vnc" -settings 

This has the password:******* which in conjunction with Revelation VOILA!
Shows you your password.

This is particularly an issue for areas such as technical support that have
large numbers of machines with the same password.  One user determines
their own password, and they instantly have access to "snoop" on any other
machine/s in their network.

It is a concern to me, and as such I will be considering removing WinVNC
from my 250 machines until it is fixed.

Oh, for those of you that are interested - Revelation is quite a good
product for what it is intended to do. - I just trialed it, and it works
great. Now I know what the dial-in password is that I'd forgotten about 6
months ago.

David.


>
>Duke Senter
>Network Administrator
>Kittitas County, WA
>
>-----Original Message-----
>From:	tech "at" structurex.net [SMTP:tech "at" structurex.net]
>Sent:	Thursday, October 22, 1998 3:01 PM
>To:	VNC Email List (E-mail)
>Subject:	Revelation
>
>I have no problem with the Revelation tool. I don't allow anyone, including
>me, to use the viewer tool anywhere. Just another app to clutter up a
>system. Most don't even know it even exists. Everyone uses their browser b/c
>most of our network admin tools are all Web based anyway.
>
>Charles Burton
>Systems Technician A+ MCSE
>Structure (X)
>charles.burton "at" structurex.net
>
>---------------------------------------------------------------------
>The VNC mailing list     -   see http://www.orl.co.uk/vnc/intouch.html
>---------------------------------------------------------------------

----------------------------------------------------------------
 David Bussenschutt            D.Bussenschutt "at" mailbox.gu.edu.au
 Health Computing Support. (AIS -2.03)    Phone: (07) 3875 5407
 Information Services. Griffith University, Brisbane, Qld., Aust.
----------------------------------------------------------------
