RE: VNC Security

From: Joshua Berry (jberry_at_PENSON.COM)
Date: 04/20/05

    Date: Tue, 19 Apr 2005 17:42:48 -0500
    To: "Andy Bruce - softwareAB" <andy@softwareab.net>, "Steve Bostedor" <Steveb@tshore.com>
    
    

    To the original poster:

    It is my *opinion* that using VNC should be avoided completely. The
    last time that I used VNC it only supported a password, and no user name.
    This leaves only the password to brute-force, considerably lessening the
    time needed to break in. Also, you are making the assumption that
    everyone uses plain text POP; I only use POP over SSL, IMAP over SSL or
    HTTPS to access my email. Also, this is not a good example because POP
    user accounts/passwords only give you someone's email; a VNC password
    will give you full access to the server/desktop it is running on.

    The passwords can be sniffed on your local network or they can be
    sniffed on the network that the server/desktop you are connecting to
    resides on. If this is a critical box, then now anyone that can sniff
    the network can also gain a login to this box to do whatever they want.

    I believe that VNC includes SSL or some other decent means of encryption
    now.

    To the first follow-up poster:
    a. Somebody just needs to get the password in that 20-minute
    interchange, which is not too hard if they are only sniffing for X
    sessions. They can just dump that to a file and leave it running until
    it picks something up. Also, you can set up something to probe the box
    on that port, so the next time VNC is enabled they can log in. I am
    curious how you would notice someone sniffing the network? I only see
    this as being possible if the host was running Linux/Unix and forwarding
    their syslogs to you, so that you could see when a NIC entered
    promiscuous mode.

    Lastly:
    I have seen several VNC exploits available over the years, so this is
    just a whole new service that you are exposing to risk that you often
    don't need to (because if it is Linux you have SSH, and if it is a
    Windows box you have Terminal Services).

    -----Original Message-----
    From: Andy Bruce - softwareAB [mailto:andy@softwareab.net]
    Sent: Tuesday, April 19, 2005 7:55 AM
    To: Steve Bostedor
    Cc: security-basics@securityfocus.com; vnc-list@realvnc.com
    Subject: Re: VNC Security

    This is a very interesting question to me. In my own case, I do have SSH
    set up thru Cygwin (http://www.cygwin.com/) for my local network and I
    use VNC thru that connection when I need to manage my own stuff
    remotely. However, I have to admit that when I use VNC to aid remote
    clients (which happens quite frequently) I don't worry about encryption
    whatsoever.

    FWIW, here's my approach:

    1. I don't even try to explain setting up an SSH daemon to them. I
    simply have them install the VNC server in user-mode and start it.

    2. If I can't explain to them in 5 min or less how to do port
    forwarding, I just have them connect directly to their cable/dsl modem.

    3. Get the debugging and/or support done.

    4. Have them stop the VNC server. Since it isn't running as a service,
    it won't start up next time and so won't be a security risk.

    5. Tell them to turn off port forwarding from the router (if they could
    grok it), or just have them connect their PC back to the router and
    their router back to the cable/dsl modem. In either case, 5900 isn't
    available to the outside world so there's no risk even if they were
    running VNC in service-mode.

    I have to agree with Steve that this is, for all practical purposes, a
    non-existent security risk. The only things that could go wrong:

    a. "Somebody" is sniffing the packet stream while the VNC passwords are
    being exchanged, and, during that 20 minute interchange, cracks the
    password and logs onto the VNC server. Of course, we would notice this
    problem on both ends!

    b. I have never captured the data shared between client and server
    (screen/UI deltas) and so have no idea if these pose a security risk or
    not.

    c. While the VNC server is running and they are connected to the
    internet (port forwarding has the same problem as direct connect) a port
    sniffer detects that 5900 is available and immediately zooms in thru
    some VNC security hole. Wez would know a lot more about this possibility
    than me, though!

    Am I missing something here?

    Steve Bostedor wrote:

    >I'd like to know if anyone has any working examples of why an
    >unencrypted VNC session over the Internet is seen as such a horrible
    >security risk. I understand that unencrypted ANYTHING over the Internet
    >lends the chance for someone to decode the packets (assuming that they
    >capture every one of them) but in reality, what are the real risks here
    >and has anyone successfully captured a VNC session from more than 2
    >router hops away and actually gotten any meaningful information from it?
    >
    >I've captured a big chunk of a LOCAL session using Ethereal and the only
    >thing that I can see that is usable is the password exchange. Agreed
    >that this could be a problem if someone just happened to be sniffing
    >your local LAN segment at that exact moment and happened to capture your
    >encrypted VNC password, he could crack the password and log in himself.
    >But how paranoid is it to go through all of the trouble of setting up
    >SSH to avoid that when you could just change your VNC password often and
    >make sure that your local LAN is reasonably secure from prying eyes?
    >
    >How about once it gets out on the Internet? Packets bounce all over the
    >place on the Internet. What are the odds that someone out there will
    >pick your VNC packets out of all of the millions of packets running
    >through the back bone routers without being noticed, capture enough of
    >them to possibly replay a session, and actually have the patience or the
    >tools to do so. I've scoured the web out of this curiosity, looking for
    >a tool to put VNC packets together into something useful for a hacker.
    >There's nothing. Nada.
    >
    >So, I guess that what I'm asking is; what all of the fuss is about?
    >Your POP3 password likely gets passed unencrypted but we're being asked
    >to be paranoid about an encrypted VNC password? This is all coming from
    >a discussion that I had with someone over the merits of using SSH with
    >VNC over the internet for a 10 minute VNC session.
    >
    >Does anyone have anything that's not hypothetical? Is there a tool that
    >I'm missing out there that does more than just crack a VNC password?
    >Does anyone know of any reported security breaches where VNC was a
    >weakness?
    >
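
Added example, not part of the original thread: the reply above names forwarded syslogs showing a NIC entering promiscuous mode as the one way a sniffer might be noticed, and this sketch runs that check over forwarded syslog lines. The sample log, host names and the `expected_hosts` allowlist are constructed for illustration; it only sees hosts that actually forward their kernel messages.

```python
import re

# RFC 3164-style line: "Apr 19 17:01:12 host kernel: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\skernel:\s(?P<msg>.*)$")
# Older kernels log "device eth0 entered promiscuous mode",
# newer ones "eth0: entered promiscuous mode"; both forms are matched.
PROMISC_RE = re.compile(
    r"(?:device\s+)?(?P<nic>[\w.\-]+):?\s(?P<state>entered|left) promiscuous mode")

# Constructed sample of forwarded syslog; hosts, times and NICs are made up.
SAMPLE_LOG = """\
Apr 19 17:01:12 web01 kernel: device eth0 entered promiscuous mode
Apr 19 17:01:40 web01 sshd[2211]: Accepted publickey for admin from 10.0.0.5
Apr 19 17:03:55 web01 kernel: device eth0 left promiscuous mode
Apr 19 17:20:03 db02 kernel: eth1: entered promiscuous mode
Apr 19 17:25:00 ids01 kernel: device eth0 entered promiscuous mode
"""

def promiscuous_sessions(log_text, expected_hosts=frozenset()):
    """Return one record per promiscuous-mode session found in the log.

    expected_hosts (hypothetical allowlist): hosts where capture is
    authorised, such as an IDS sensor, and which are therefore skipped.
    """
    open_sessions = {}   # (host, nic) -> record not yet closed by "left"
    sessions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a kernel message
        p = PROMISC_RE.search(m["msg"])
        if not p or m["host"] in expected_hosts:
            continue
        key = (m["host"], p["nic"])
        if p["state"] == "entered":
            rec = {"host": m["host"], "nic": p["nic"],
                   "entered": m["ts"], "left": None}
            open_sessions[key] = rec
            sessions.append(rec)
        elif key in open_sessions:        # "left" closes the open session
            open_sessions.pop(key)["left"] = m["ts"]
    return sessions

def still_promiscuous(sessions):
    """Interfaces that entered promiscuous mode and never logged leaving it."""
    return sorted((s["host"], s["nic"]) for s in sessions if s["left"] is None)
```
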

