Thin client security presentation

Andrew van der Stock ajv "at" greebo.net
Wed, 06 Mar 2002 13:53:34 +0000


Mike,

Check out the Foundstone guys, and in particular the guys who wrote the
particularly poorly titled "Hacking Exposed". In the book, they discuss
in detail all the ins and outs of remote control technology for a
variety of products from pcAnywhere to Terminal Services, including a
decent set of VNC weaknesses. 

I spoke to a couple of them (George in particular) last year when I
spoke at Blackhat, and they're quite decent guys. Feel free to approach
them.

Current VNC security weaknesses in order of exploitability:

* reversible passwords - there simply is no excuse
* MITM attacks 
http://www.securiteam.com/securitynews/5ZP0P1535W.html
* the lack of username and passwords (one factor authentication)
* non-existent registry security on NT
* lack of a protocol tester to prove robustness and interoperability
* running as LOCALSYSTEM on NT presents a huge remote buffer overrun
risk as well as quite a decent local exploit target
* the inbuilt web server on port 5800 is not necessary for most people,
and is a good DoS target (look at code for greater clarity on this risk)
* buffer / heap overflow possible in functions using
VSocket::GetPeerName() and %s expansion (this one is doable, trust me)
* it's probably possible to connect to the same port over and over again
to avoid the inbuilt authentication brute-force limiters. Phoss is a
perfect example of a tool that could be used again if they look
carefully.

The list will probably go on and on. This is one of the reasons I've
been working on and off on RFB 4.0, which basically ditches the RFB
handshake in favor of something cryptographically secure. However,
protocol level weaknesses aside, the backwards compatibility element
plus a load of old code that no one is really going through with a
fine-tooth comb presents a boatload of residual risk.

Good luck with the presentation!

Andrew
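The last bullet above (reconnecting to sidestep a brute-force limiter that is tracked per connection) seen from the defending side, as an added example that is not code from this thread or from VNC: a constructed replay of authentication events shows that a limiter keyed by TCP connection never trips when the client opens a new connection for every guess, while one keyed by client address and carried across connections locks the source out. The event tuple layout, thresholds and class names are assumptions made for the illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60    # sliding window for counting failures (assumed)
MAX_FAILURES = 5       # failures tolerated inside the window (assumed)
LOCKOUT_SECONDS = 300  # lockout applied once the limit is hit (assumed)

class PerConnectionLimiter:
    """Weak model: failures counted per TCP connection; a reconnect resets them."""
    def __init__(self):
        self.failures = defaultdict(int)    # conn_id -> failure count

    def allowed(self, src, conn_id, now):
        return self.failures[conn_id] < MAX_FAILURES

    def record_failure(self, src, conn_id, now):
        self.failures[conn_id] += 1

class PerSourceLimiter:
    """Stronger model: failures keyed by client address, kept across connections."""
    def __init__(self):
        self.failures = defaultdict(deque)  # src -> failure timestamps
        self.locked_until = {}              # src -> time the lockout ends

    def allowed(self, src, conn_id, now):
        return now >= self.locked_until.get(src, 0)

    def record_failure(self, src, conn_id, now):
        q = self.failures[src]
        q.append(now)
        while now - q[0] > WINDOW_SECONDS:  # forget failures outside the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self.locked_until[src] = now + LOCKOUT_SECONDS
            q.clear()

def replay(events, limiter):
    """Replay (time, src, conn_id, auth_ok) events; count per source how many reached the check."""
    reached = defaultdict(int)
    for now, src, conn_id, ok in events:
        if not limiter.allowed(src, conn_id, now):
            continue                        # refused before the password check
        reached[src] += 1
        if not ok:
            limiter.record_failure(src, conn_id, now)
    return dict(reached)

# Constructed sample: 10.0.0.5 opens a fresh connection (ids 100..111) for each of
# 12 wrong guesses, one per second; 10.0.0.9 logs in once, successfully.
EVENTS = [(t, "10.0.0.5", 100 + t, False) for t in range(12)]
EVENTS.append((12, "10.0.0.9", 200, True))
```

With the per-connection limiter all 12 guesses reach the password check; with the per-source limiter only the first five do and the legitimate client is unaffected.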

-----Original Message-----
From: owner-vnc-list "at" uk.research.att.com
[mailto:owner-vnc-list "at" uk.research.att.com] On Behalf Of Michael Ossmann
Sent: Tuesday, 5 March 2002 10:50 AM
To: vnc-list "at" uk.research.att.com
Subject: Thin client security presentation

I will be speaking at Rubi Con (http://www.rubi-con.org/) in April about
thin client and remote desktop security.  I'll discuss Citrix,
Tarantella, VNC, the X window system, Windows Terminal Services, and
possibly some other things.

Firstly, I'd like to invite everyone.  If you are attending Rubi Con,
I'd love to meet you.

Secondly, I'm gathering information for my presentation.  If you have
any links to security information on VNC or any of the other
technologies, I'd appreciate an email.  I have quite a bit of material
already, but I'd like to fill in as many gaps in my knowledge as
possible before I get bombarded with questions.  :-)

Thanks,

Mike
-- 
Mike Ossmann, Tarantella/UNIX Engineer/Instructor
Alternative Technology, Inc.  http://www.alttech.com/
---------------------------------------------------------------------
To unsubscribe, mail majordomo "at" uk.research.att.com with the line:
'unsubscribe vnc-list' in the message BODY
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------