RealVNC Security Flaw

Jorge L. Vizcarralagos jorge "at" icstech.org
Wed Jun 7 10:17:27 2006


> Darkman wrote:
> I let my Norton expire for a few days, and noticed in my event viewer 
> a number of connections to VNC from various other countries. However, I 
> didn't notice the icon turning black as it would in a connection mode, 
> so I was wondering if I am being connected to via some trojan. I did 
> a scan today after updating Norton and found one trojan and one or two 
> other website-deposited remote access files....
> Anyone ever see connection instances in their event logs? 

      Earlier this year I reported an incident in this listserv where I 
was holding a demo on ways to use VNC to connect to other systems. It 
was actually part of a two-day Internet security lecture. I was using a 
personal computer at home as the server. I set it up in the morning and 
since I knew that the RealVNC was still exposed to the  after the 
demo I turned it off remotely. I was tied up the rest of the day and my 
wife unknowingly turned my computer on. Sure enough, right when I sat 
down to look at my computer, someone had been connected using my VNC 
just a few seconds earlier. I uninstalled the VNC server and the 
person had no time to do anything. I had noticed that even while I was 
doing the demo there were connection attempts at the RealVNC ports in 
the event viewer that were not mine. Later I discovered that they were 
most likely hackers from parts of Europe and the US looking for 
vulnerable networks and VNC connections. Eventually one of them guessed 
the weak password (or at least I hope that's what it was). To answer 
your question, it would seem that this occurs quite commonly, and I have 
demonstrated this by exposing an old laptop to an open Internet connection 
and recording the various connection attempts in an unrecommended 
environment. However, this is well known and has been going on for 
some time. The thing that really got my attention was that when the 
vulnerability was discovered, it only took about two days before I saw 
some forums with good guesses of what the vulnerability was and how it 
could be exploited, and later someone sent me a post from someone who 
explained in detail what it was. For some reason news of the 
vulnerability spread fast among hackers and at a rate that would put 
Microsoft vulnerabilities to shame, but it's not as widespread as 
Microsoft's problems yet. Most of this is due to the patch that came 
about a day later to fix it (I like to see Microsoft move that fast). 
This will make a good argument to introduce an automatic update feature 
to all VNC programs and perhaps a way to detect and notify the user of 
unsafe conditions. Anyway, I can't wait to see what happens; it seems 
unlikely that everyone will know to upgrade their 4.1.1 RealVNC before 
something bad happens that, if the press gets involved, will spell doom 
for VNCs in general.

Jorge