VNC "man in the middle" attack
W. Brian Blevins
brian.blevins@tridia.com
Tue Dec 3 14:56:01 2002
Robert,
While I have not reviewed the 3.3.4 code myself, I believe that this
attack is possible with any release that correctly implements the current
VNC authentication mechanism outside of a secure tunnel. This includes
our TridiaVNC distribution.
TridiaVNC Pro includes built-in SSL/TLS encryption that will prevent
this type of attack:
http://www.tridiavncpro.com/
Brian
> Message: 10
> To: vnc-list@realvnc.com
> Subject: VNC "man in the middle" attack
> From: Robert_Bunker@cchcs.org
> Date: Mon, 2 Dec 2002 14:25:42 -0500
>
> Is RealVNC's WinVNC 3.3.4 still susceptible to this attack?
>
> http://www.securiteam.com/exploits/6S0040A6AW.html
>
> http://www.iss.net/security_center/static/5992.php
>
> If so, is any newer version not susceptible to this attack?
>
> If all versions of RealVNC/WinVNC are susceptible to this attack is there
> another flavor of VNC that is not?
>
> I cannot set up a tunnel / use SSH in my current situation so this attack
> presents a possible problem.
>
> Thanks.
--
Brian
----------------------------------------------------------------------------
TridiaVNC Pro: finally, affordable remote control!
http://www.TridiaVNCPro.com/
----------------------------------------------------------------------------
Tridia's Mission: To always exceed our customers' expectations by providing
the absolute best software products backed by outstanding technical support
and customer service. Please let us know how we are doing:
brian . blevins @ tridia.com or ceo-hotline @ tridia.com.