RealVNC Exploits, Bleeding Snort Signature

Published: 2006-05-16
Last Updated: 2006-05-16 21:53:42 UTC
by Kyle Haugsness (Version: 2)
0 comment(s)
Update: Matt Jonkman posted some signatures to bleeding snort that identifies the exploit attempt.  Matt reports good success with these so far.  I'll do some testing with them tomorrow.  http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/EXPLOIT/EXPLOIT_RealVNC?view=markup

Given the details of the RealVNC vulnerability that were disclosed this morning (May 15) on Full Disclosure, exploits are now being released.  This note is to alert our readers that the exploit is trivial and very effective.  (In fact, you can modify a VNC client to exploit the vulnerability with very little code changes -- around 1 line.)

Administrators should be scanning their networks for open VNC servers (typically on TCP port 5900).  You want to upgrade any VNC servers that give you protocol above 3.3.  You can use the service detection in nmap to get the protocol number. 

We can't confirm that VNC servers from other projects like TightVNC or UltraVNC are vulnerable - I don't think they are vulnerable.  At this time, it only appears that RealVNC servers are vulnerable.  Unfortunately, there doesn't seem to determine which software the remote end is running.  You only get to see the protocol number.

Unless you like to have unauthorized folks moving your mouse around the screen, you are strongly urged to upgrade to the latest RealVNC release.  Also, you should consider binding the VNC daemon to 127.0.0.1 and tunnelling the VNC traffic through an SSH tunnel, which will provide you with stronger authentication mechanisms.  Google "vnc over ssh" for more detailed instructions on how to accomplish this on your platform of choice.

Keywords:
0 comment(s)

Comments


Diary Archives