VNC Security

Erik Soderquist esoderquist "at" mcstamp.com
Mon May 2 23:24:00 2005 

alternative method: you have listening viewer available to the internet
when helping someone, someone installs VNC (in 3.3.7 if you don't put a
password in, it refuses incoming connections) and adds you as a client.
no VNC password is even needed at that point, and the server is never
exposed to the internet if it is behind a NAT router. (also saves the
port forwarding troubles) 

-----Original Message-----
From: vnc-list-admin "at" realvnc.com [mailto:vnc-list-admin "at" realvnc.com] On
Behalf Of Andy Bruce - softwareAB
Sent: Monday, April 25, 2005 19:47
To: Mike Miller
Cc: Steve Bostedor; security-basics "at" securityfocus.com; VNC List
Subject: Re: VNC Security

First--I believe we're talking apples and oranges. VNC is not an 
appropriate solution for a true corporate network unless a firewall and 
a secure link is available (and even then is dodgy). My scenario is
this:

  a. Random user in cyberspace has a problem.

  b. User installs VNC under direction of tech support:
      i. strong password
      ii. not installed as service
      iii. temporary port forwarding only

  c. User allows remote person to login, generally for 20-30 mins.

  d. User stops VNC server process and disables port forwarding

My point was that, for all practical purposes, this scenario has zero 
risk. Let's talk about what happens if an attacker does happen to be 
watching data packets and does manage to break the password during that 
session:

1. The attacker is still subject to limitations of the VNC data 
protocol. For the attacker to gain real hidden control, he would have to

have the VNC server software accept his own third-party program via 
remote copy and execute.

2. Unless the attacker had that type of attack, he would have access 
only to mucking with the primary (zero) desktop in Windows, so no danger

of a hidden desktop there. (VNC simply doesn't support anything other 
than primary desktop, as my remote users with Fast User Switching have 
found to their chagrin.) To take control of the situation, the hijacker 
would have to send keyboard/mouse commands to that desktop to activate 
some process during the hijack process. Therefore, I most certainly 
would notice it. The only exception is if the attacker simply mucked 
with the Windows registry, perhaps to navigate to a tainted Web site 
upon next login. That's a larger issue than whether VNC is secure.

3. As stated above, I explicitly instruct my users not to install VNC as

a service, and then to stop the server process when we're done (and then

turn off port forwarding). So, even if the attacker did get into the 
machine and cause a password reset--it won't help. The VNC service won't

be running when the user next boots the machine. And if it was running, 
the port forwarding and Windows firewall would prevent the attacker from

getting access to it again.

Only Wez and the user community can let me know if there are any 
security flaws in VNC that allow the remote system to execute physical 
programs simply based on passed data packets commands. I was under the 
impression that the only way that the VNC client executes programs is by

sending keystrokes/mouse clicks to the remote system. (In other words, 
no type of "exec" function built into the protocol.) Therefore, the VNC 
server itself isn't ever executing any software via API calls--instead, 
VNC simply passes keyboard/mouse input to the OS and it's the OS that's 
does the execution. And the user is watching the desktop on at least one

side of the connection.

So--while the effort to trap/break in to a VNC server may be well worth 
the effort for a corporate network with access to a rich mine of data, 
in my example it doesn't apply.

Andy

Mike Miller wrote:

> On Tue, 19 Apr 2005, Andy Bruce - softwareAB wrote:
>
>> I have to agree with Steve that this is, for all practical purposes, 
>> a non-existent security risk. The only things that could go wrong:
>>
>> a. "Somebody" is sniffing the packet stream while the VNC passwords 
>> are being exchanged, and, during that 20 minute interchange, cracks 
>> the password and logs onto the VNC server. Of course, we would notice

>> this problem on both ends!
>
>
>
> I don't know if it is possible to crack the VNC password, but I don't 
> agree that you would necessarily notice this on both ends.  If the 
> attacker were to log into the session when you weren't using it, he 
> could then make some changes to your system (for Windows) that would 
> allow him more access to your machine later.  If you were using 
> Windows he could start up another VNC desktop that you might not 
> notice, and he could use a different password if he wanted to (by 
> copying the vnc password file, changing the password, and copying it 
> back).
>
> I hope that it is hard to crack the passwords.  I think it is hard to 
> do it but I'd like to hear more about that.
>
> Mike
> _______________________________________________
> VNC-List mailing list
> VNC-List "at" realvnc.com
> To remove yourself from the list visit:
> http://www.realvnc.com/mailman/listinfo/vnc-list
_______________________________________________
VNC-List mailing list
VNC-List "at" realvnc.com
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list