VNC zlib Advisory draft 1

Jonathan Morton chromi "at" cyberspace.org
Thu, 14 Mar 2002 14:25:15 +0000


>Sure it's possible to authenticate against a nasty server if they have
>discovered your password.

A rogue server could ask for a password, send a challenge, and then 
ignore the response and just let you in, and then set up the exploit 
on the viewer.  It wouldn't even need to send you through to the 
original server - it would appear as though the VNC client had 
crashed, and the human response time to *that* is probably long 
enough for a backdoor to be set up through the hole.  I'm no expert 
on security, but I do know how fast computers can work.

-- 
--------------------------------------------------------------
from:     Jonathan "Chromatix" Morton
mail:     chromi "at" cyberspace.org  (not for attachments)
website:  http://www.chromatix.uklinux.net/
geekcode: GCS$/E dpu(!) s:- a21 C+++ UL++ P L+++ E W+ N- o? K? w--- O-- M++$
           V? PS PE- Y+ PGP++ t- 5- X- R !tv b++ DI+++ D G e+ h+ r++ y+(*)
tagline:  The key to knowledge is not to rely on people to teach you it.
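
The handshake described above, modelled as an added example (not part of the original post or of any VNC code base): the viewer only ever gets a status word back, so a server that never knew the password looks identical to the genuine one, and it goes one step further with a hypothetical viewer-issued challenge that tells the two apart. All class and function names are constructed, and HMAC-SHA256 is an assumed stand-in for the DES step of VNC authentication.

```python
import hashlib
import hmac
import os

RESULT_OK, RESULT_FAILED = b"\x00\x00\x00\x00", b"\x00\x00\x00\x01"  # 32-bit status word

def prove(password: bytes, challenge: bytes) -> bytes:
    # Stand-in (assumption) for the DES step of VNC authentication:
    # HMAC-SHA256 truncated to the 16-byte response size.
    return hmac.new(password, challenge, hashlib.sha256).digest()[:16]

class GenuineServer:
    """Knows the password and checks the viewer's response."""
    def __init__(self, password: bytes):
        self.password = password
    def challenge(self) -> bytes:
        self.sent = os.urandom(16)
        return self.sent
    def result(self, response: bytes) -> bytes:
        good = hmac.compare_digest(response, prove(self.password, self.sent))
        return RESULT_OK if good else RESULT_FAILED
    def answer(self, viewer_challenge: bytes) -> bytes:
        # Direction label: a viewer's own response can never double as this proof.
        return prove(self.password, b"server:" + viewer_challenge)

class PasswordlessServer:
    """Constructed model of the server in the post: no password, response ignored."""
    def challenge(self) -> bytes:
        return os.urandom(16)
    def result(self, response: bytes) -> bytes:
        return RESULT_OK
    def answer(self, viewer_challenge: bytes) -> bytes:
        return os.urandom(16)  # cannot compute prove() without the password

def one_way_login(server, password: bytes) -> bool:
    """Viewer side of the existing handshake: only a status word comes back."""
    return server.result(prove(password, server.challenge())) == RESULT_OK

def mutual_login(server, password: bytes) -> bool:
    """Hypothetical extension: the viewer also challenges the server."""
    if not one_way_login(server, password):
        return False
    mine = os.urandom(16)
    expected = prove(password, b"server:" + mine)
    return hmac.compare_digest(server.answer(mine), expected)
```
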