VNC zlib Advisory draft 1
Jonathan Morton
chromi "at" cyberspace.org
Thu, 14 Mar 2002 14:25:15 +0000
>Sure it's possible to authenticate against a nasty server if they have
>discovered your password.
A rogue server could ask for a password, send a challenge, and then
ignore the response and just let you in, and then set up the exploit
on the viewer. It wouldn't even need to send you through to the
original server - it would appear as though the VNC client had
crashed, and the human response time to *that* is probably long
enough for a backdoor to be set up through the hole. I'm no expert
on security, but I do know how fast computers can work.
--
--------------------------------------------------------------
from: Jonathan "Chromatix" Morton
mail: chromi "at" cyberspace.org (not for attachments)
website: http://www.chromatix.uklinux.net/
geekcode: GCS$/E dpu(!) s:- a21 C+++ UL++ P L+++ E W+ N- o? K? w--- O-- M++$
V? PS PE- Y+ PGP++ t- 5- X- R !tv b++ DI+++ D G e+ h+ r++ y+(*)
tagline: The key to knowledge is not to rely on people to teach you it.
---------------------------------------------------------------------
To unsubscribe, mail majordomo "at" uk.research.att.com with the line:
'unsubscribe vnc-list' in the message BODY
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------