w00giving 99 -5-
| Sommaire de ce dossier |
| Ze advisories |
| Ze linkz |
Discovered and authored by: Conde Vampiro (Roses Labs)
INTRODUCTION
VNC is a software package that permits a user to view a remote
desktop in real-time. It's a very nice GNU tool that runs on Windows
(9x/NT) and *nix (Linux, BSD).
To protect intruder to access the remote desktop, VNC has a
password protection. This encryption is done using 3DES, but this
encryption is very poor and can be attacked (through brute-force).
PROBLEM ONE
When we install the VNC server on a Windows box, we can find the
password encrypted at the following registry keys (look for "password"):
\HKEY_CURRENT_USER\Software\ORL\WinVNC3
\HKEY_USERS\.DEFAULT\SOftware\ORL\WinVNC3
When we introduce a password of arbitrary length, the VNC server
will encrypt our password, but it will drop (null) all bytes after 8.
This is demonstrated here:
Imput password -> micasaesazul
Key -> 23 82 107 6 35 78 88 7
Encrypted password -> 1f f1 6f 1a cc 34 64 f0
Imput password -> micasaesroja
Key -> 23 82 107 6 35 78 88 7
Encrypted password -> 1f f1 6f 1a cc 34 64 f0
In both cases, the VNC server interpretted the password as
"micasaes." Eight characters is small.
PROBLEM TWO
When the VNC server encrypt a password it always uses the same
fixed key, so the output password are always the same.
For example, if we imput "conde" as password, the output
password is: df 6b 7e e8 94 26 d8 b5.
Imput password -> conde
Key -> 23 82 107 6 35 78 88 7
Encrypted password -> df 6b 7e e8 94 26 d8 b5
Imput password -> 2621
Key -> 23 82 107 6 35 78 88 7
Encrypted password -> 73 05 1d 22 49 b6 05 1c
The VNC server always use this key ("23 82 107 6 35 78 88 7") in
[at least] the current version.
New contributors: Conde Vampiro and Roses Labs (http://www.roses-labs.com)