Thin client security presentation

Janyne Kizer janyne_kizer "at"
Wed, 06 Mar 2002 15:01:41 +0000

What are your thoughts on the security of running from Windows PC ->
Linux via SSH?  

For example, from Windows:

ssh2 -L 5901:my.vnc.server:5900 my.vnc.server -l userid

Then fire up VNC and connect to localhost:1

Andrew van der Stock wrote:
> Mike,
> Check out the Foundstone guys, and in particular the guys who wrote the
> particularly poorly titled "Hacking Exposed". In the book, they discuss
> in detail all the ins and outs of remote control technology for a
> variety of products from pcAnywhere to Terminal Services, including a
> decent set of VNC weaknesses.
> I spoke to a couple of them (George in particular) last year when I
> spoke at Blackhat, and they're quite decent guys. Feel free to approach
> them.
> Current VNC security weaknesses in order of exploitability:
> * reversible passwords - there simply is no excuse
> * MITM attacks
> * the lack of username and passwords (one factor authentication)
> * non-existent registry security on NT
> * lack of a protocol tester to prove robustness and interoperability
> * running as LOCALSYSTEM on NT presents a huge remote buffer overrun
> risk as well as quite a decent local exploit target
> * the inbuilt web server on port 5800 is not necessary for most people,
> and is a good DoS target (look at code for greater clarity on this risk)
> * buffer / heap overflow possible in functions using
> VSocket::GetPeerName() and %s expansion (this one is doable, trust me)
> * it's probably possible to connect to the same port over and over again
> to avoid the inbuilt authentication brute-force limiters. Phoss is a
> perfect example of a tool that could be used again if they look
> carefully.
> The list will probably go on and on. This is one of the reasons I've
> been working on and off on RFB 4.0, which basically ditches the RFB
> handshake in favor of something cryptographically secure. However,
> protocol level weaknesses aside, the backwards compatibility element
> plus a load of old code that no one is really going through with a fine
> tooth comb presents a boat load of residual risk.
> Good luck with the presentation!
> Andrew
> -----Original Message-----
> From: owner-vnc-list "at"
> [mailto:owner-vnc-list "at"] On Behalf Of Michael Ossmann
> Sent: Tuesday, 5 March 2002 10:50 AM
> To: vnc-list "at"
> Subject: Thin client security presentation
> I will be speaking at Rubi Con ( in April about
> thin client and remote desktop security.  I'll discuss Citrix,
> Tarantella, VNC, the X window system, Windows Terminal Services, and
> possibly some other things.
> Firstly, I'd like to invite everyone.  If you are attending Rubi Con,
> I'd love to meet you.
> Secondly, I'm gathering information for my presentation.  If you have
> any links to security information on VNC or any of the other
> technologies, I'd appreciate an email.  I have quite a bit of material
> already, but I'd like to fill in as many gaps in my knowledge as
> possible before I get bombarded with questions.  :-)
> Thanks,
> Mike
> --
> Mike Ossmann, Tarantella/UNIX Engineer/Instructor
> Alternative Technology, Inc.
> ---------------------------------------------------------------------
> To unsubscribe, mail majordomo "at" with the line:
> 'unsubscribe vnc-list' in the message BODY
> See also:
> ---------------------------------------------------------------------


Janyne Kizer
CNE-3, CNE-4, CNE-5
Systems Programmer Administrator I
NC State University, College of Agriculture & Life Sciences
Extension and Administrative Technology Services
Phone: (919) 515-3609
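
Added example, not part of the original post: a check for the tunnelled setup asked about above. The tunnel only protects the session if the VNC ports cannot also be reached directly, and a forward target of my.vnc.server:5900 normally requires the server to listen on a network-facing address. The function names, the OpenSSH command in the comment and the sample listener lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Hostname and userid are the
# post's placeholders; the OpenSSH syntax below is an assumption.
#
#   ssh -L 5901:localhost:5900 userid@my.vnc.server
#
# Forwarding to localhost:5900 lets the VNC server listen on loopback only.

# Reads `ss -ltnH` style lines on stdin (field 4 = local address:port) and
# prints "address port" for each VNC listener not bound to loopback.
exposed_vnc_listeners() {
    awk '
    {
        la = $4
        n = split(la, parts, ":")
        port = parts[n] + 0
        addr = substr(la, 1, length(la) - length(parts[n]) - 1)
        # By convention RFB uses 5900-5999 and the web server 5800-5899.
        if (!((port >= 5900 && port <= 5999) || (port >= 5800 && port <= 5899)))
            next
        sub(/%.*$/, "", addr)   # drop an interface scope such as %lo
        sub(/^\[/, "", addr)    # strip IPv6 brackets
        sub(/\]$/, "", addr)
        if (addr ~ /^127\./ || addr == "::1")
            next
        print addr " " port
    }'
}

# Constructed sample input in `ss -ltnH` format.
sample_listeners() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 0.0.0.0:5900 0.0.0.0:*
LISTEN 0 5 127.0.0.1:5901 0.0.0.0:*
LISTEN 0 5 [::]:5800 [::]:*
LISTEN 0 5 [::1]:5902 [::]:*
EOF
}

# On a live host: ss -ltnH | exposed_vnc_listeners
sample_listeners | exposed_vnc_listeners
```

Any line printed is a VNC or VNC web listener that a client can reach without going through SSH; an empty result means only loopback listeners were found.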