sity, Mackenzie Building
1125 Colonel By Drive
Ottawa, Ontario
Canada K1S 5B6
[EMAIL PROTECTED]
===
>
> Date: Wed, 22 May 2002 15:33:28 -0500
> From: Paul Simon <[EMAIL PROTECTED]>
> Subject: RE: Security Risk?
>
> Well I know the VNC d
Well I know the VNC daemon will lock you out (possibly for a time limit??)
after several (maybe 5) bad password attempts...
-Original Message-
From: Shing-Fat Fred Ma [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 22, 2002 11:33 AM
To: [EMAIL PROTECTED]
Subject: Re: Security Risk?
I
PROTECTED]
===
>
> Date: Tue, 21 May 2002 18:31:21 -0400
> From: Glenn Mabbutt <[EMAIL PROTECTED]>
> Subject: RE: Security Risk?
>
> No, these risks and others still exist. If security is a necessity (ie,
> outside of a local network, or even inside one if nosy people exist), o
Is there a place you can point me that shows the vulnerabilities of VNC in
its current state?
Thanks,
Paul
-Original Message-
From: Glenn Mabbutt [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 21, 2002 4:31 PM
To: '[EMAIL PROTECTED]'
Subject: RE: Security Risk?
No,
No, these risks and others still exist. If security is a necessity (ie,
outside of a local network, or even inside one if nosy people exist), one
normally tunnels the VNC session inside of SSH or Zebedee or other encrypted
tunnel. There are a couple of patches to do NT domain authentication
Am I correct in these three assumptions?
1, this link is talking about the unix version 3.3.3r1
2, this crack is isolated to that specific version
3, vnc in its current rev, has no known security issues?
http://www.securiteam.com/tools/Brute_forcing_VNC_passwords.html
T
Matthew,
Have a look at the following website:
http://www.smtechnologies.com/downloads.htm
They have a version of VNC that uses NT Authentication, you could use NT's
security to lock account after X attempts.
Thanks
Shola Ogunlokun
IT Email Team
-Original Message-
From: Ma
[ On Monday, May 20, 2002 at 11:09:22 (-0700), Matthew Scholtz wrote: ]
> Subject: VNC security on Win
>
> Hello All,
>
> I'm sure this has been asked a million times before, but since
> there don't seem to be any archives available for this list, I have
>
Well brute force is not a very efficient way of hacking things, unless you
have a very common password.
\Fredrik
> Hello All,
>
> I'm sure this has been asked a million times before, but since there don't
> seem to be any archives available for this list, I have no choice but to ask
> it again. For
PROTECTED]
Subject: VNC security on Win
Hello All,
I'm sure this has been asked a million times before, but since there don't
seem to be any archives available for this list, I have no choice but to ask
it again. Forgive the redundancy.
My main concern with VNC is the possibility for br
Hello All,
I'm sure this has been asked a million times before, but since there don't seem to be
any archives available for this list, I have no choice but to ask it again. Forgive
the redundancy.
My main concern with VNC is the possibility for brute-force attacks on the password,
since as f
<[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, 2002-03-11 13:26
Subject: Re: VNC Security (yes... again)
: On Tue, Mar 05, 2002 at 10:49:42AM +0100, Franck Chevalier wrote:
: >
: > Then I created the /HKEY_LOCAL_MACHINE/SOFTWARE/ORL/WINVNC/AuthHosts key
: > re
On Tue, Mar 05, 2002 at 10:49:42AM +0100, Franck Chevalier wrote:
>
> Then I created the /HKEY_LOCAL_MACHINE/SOFTWARE/ORL/WINVNC/AuthHosts key
> registry with the following value : +999.999.999.999 (where 999.999.999.999
> is my IP) and I kept the
> /HKEY_LOCAL_MACHINE/SOFTWARE/ORL/WINVNC/DEFAU
Hello Andrew,
> "AvdS" == Andrew van der Stock <[EMAIL PROTECTED]> writes:
AvdS> * the inbuilt web server on port 5800 is not necessary for most
AvdS> people, and is a good DoS target (look at code for greater
AvdS> clarity on this risk)
Also, Xvnc's RFB port is an _extremely_ easy targ
On Wed, Mar 06, 2002 at 10:00:14AM -0500, Janyne Kizer wrote:
> What are your thoughts on the security of running from Windows PC ->
> Linux via SSH?
>
> For example, from Windows:
>
> ssh2 -L 5901:my.vnc.server:5900 my.vnc.server -l userid
>
> Then fire up VNC
What are your thoughts on the security of running from Windows PC ->
Linux via SSH?
For example, from Windows:
ssh2 -L 5901:my.vnc.server:5900 my.vnc.server -l userid
Then fire up VNC and connect to localhost:1
Andrew van der Stock wrote:
>
> Mike,
>
> Check out the Foundsto
decent set of VNC weaknesses.
I spoke to a couple of them (George in particular) last year when I
spoke at Blackhat, and they're quite decent guys. Feel free to approach
them.
Current VNC security weaknesses in order of exploitability:
* reversible passwords - there simply is no excuse
Well...
Me again for another question (am I dumb ?)
I tried to grant the VNC access to only 1 IP (mine).
Then I created the /HKEY_LOCAL_MACHINE/SOFTWARE/ORL/WINVNC/AuthHosts key
registry with the following value : +999.999.999.999 (where 999.999.999.999
is my IP) and I kept the
/HKEY_LOCAL_MACH
It works !
Thanx a lot !
Franck
- Original Message -
From: "Alex Angelopoulos" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, March 04, 2002 7:44 PM
Subject: Re: VNC Security ?
> What is the OS of the server? Assuming it's a Windows
> I will be speaking at Rubi Con (http://www.rubi-con.org/) in
> April about
> thin client and remote desktop security. I'll discuss Citrix,
> Tarantella, VNC, the X window system, Windows Terminal Services, and
> possibly some other things.
The best hidden secret in the
I will be speaking at Rubi Con (http://www.rubi-con.org/) in April about
thin client and remote desktop security. I'll discuss Citrix,
Tarantella, VNC, the X window system, Windows Terminal Services, and
possibly some other things.
Firstly, I'd like to invite everyone. If you are
OTECTED]] On Behalf Of Alex
Angelopoulos
Sent: Monday, March 04, 2002 11:44 AM
To: [EMAIL PROTECTED]
Subject: Re: VNC Security ?
What is the OS of the server? Assuming it's a Windows system, the answer
is in the documentation (although I had to have it shoved in my face
before I
noticed...)
- Original Message -
From: "Franck Chevalier" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday/2002 March 04 12.41
Subject: VNC Security ?
: Hi
:
: I'm new on this mailing list then please forgive me if I ask anything
: already discussed here... I'm
Hi
I'm new on this mailing list then please forgive me if I ask anything
already discussed here... I'm French and I'm working as an engineer for
addeo.com
Well, my problem is that when I'm connected to a server through VNC, anyone
can come and kick me just by opening a new VNC session.
I'd like
If you can get to a keyboard you can sniff a hub/switch or unsecured router.
This means ANY computer on the network can be used to go sniffing. You don't
need physical access to the router. That would just make life too easy
Patrick Corneli_en <[EMAIL PROTECTED]> wrote:
> Hello Michael Os
On Fri, Feb 22, 2002 at 10:38:34AM +0100, Patrick Corneli_en wrote:
>
> That's not the problem, the Datatransfer is going through my local hub
> (in my room) and the rest of the house is completely switched, so I
> see no problem here.
> I will use it only from here, not over the internet.
That's
On Thu, Feb 21, 2002 at 07:56:42PM +0100, Patrick Corneli_en wrote:
>
> are there any known security holes in VNC?
> I'd like to use it on my server and the server has a public-static-IP
> address.
Some would say that VNC _is_ a security hole. The authentication method
look
Hello vnc-list,
are there any known security holes in VNC?
I'd like to use it on my server and the server has a public-static-IP
address.
--
Bye,
Patrick Cornelissen
http://www.P-C-Software.de
ICQ:15885533
[demime 0.97b removed an attachment of type application/pkcs7-signature whic
l towards
the inside of the network.
Of course this works best if you have only a few users who will
actually need to access VNC from outside, and they are reasonably
competent (if it's you and your staff, that's fairly likely). But
for security you want that anyway.
For max
central concern is ( I consider the
security a part of the management system).
VNC is definitely a "roll your own" style solution, with solutions to
the problems you mention being implemented by network administrators in
a Unixish fashion. The crucial issue is whether you have the
infr
I found that a simple policy to turn on the screen saver and lock the
workstation works well for a little added security. If someone did get the
VNC password to a machine it would still be fairly secure because the person
connecting to the machine would get the Windows NT login prompt
Hello,
I'm new to this mailing list and I'm a relatively new VNC user. The reason
I am writing is because I am looking for some suggestions and help to see if
VNC is capable of doing some of the security settings that I am looking for.
I work for a fairly large global company
search the mailing list archives - this has come up many times.
-Original Message-
From: Paul Brown [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 29, 2001 4:19 PM
To: [EMAIL PROTECTED]
Subject: Security Problems?
Does anyone know of any security leaks or problems with VNC
Yes "VNCCrack" was mentioned a while back in this list.
-Original Message-
From: Paul Brown [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 29, 2001 4:19 PM
To: [EMAIL PROTECTED]
Subject: Security Problems?
Does anyone know of any security leaks or problems with VNC? Pa
Does anyone know of any security leaks or problems with VNC? Password?
Or Encryption?
Thanks Paul
-
To unsubscribe, send a message with the line: unsubscribe vnc-list
to [EMAIL PROTECTED]
See also: http
As I understand the logon is secure but after that anybody can see and
hack into the valued computer. Is anybody using the SSL under W2000
and if anybody does, what is the one and how to use it.
Thank you in advance.
John Ross
-
Glenn
-Original Message-
From: DTT.De.Grave.Johan [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 06, 2001 2:33 AM
To: '[EMAIL PROTECTED]'
Subject: RE: Using vnc as a helpdesc solution : security question !
Andrew,
I guess the beeping during daytime (when the user is not present at h
ew van der Stock [SMTP:[EMAIL PROTECTED]]
Sent: woensdag 4 juli 2001 11:15
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject:Re: Using vnc as a helpdesc solution : security
question !
Would audible beeping every five seconds plus a non-mod
.Johan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, July 03, 2001 8:00 PM
Subject: Using vnc as a helpdesc solution : security question !
> Hi,
>
> We would like to use vnc as a tool for our helpdesk (and remote
> configurations).
> We would want to be a
AM
To: '[EMAIL PROTECTED]'
Subject: Using vnc as a helpdesc solution : security question !
Hi,
We would like to use vnc as a tool for our helpdesk (and remote
configurations).
We would want to be able to connect to any workstation regardless of whether
the user is present or not :
Hi,
We would like to use vnc as a tool for our helpdesk (and remote
configurations).
We would want to be able to connect to any workstation regardless of whether
the user is present or not :
* During working hours, we would use the vnc connection to assist the
user on his request and of cou
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I have created a list to be used by anyone interested in participating in
the effort to secure VNC. We've begun discussing approaches to accomplish
this, and goals. If you're interested, please feel free to subscribe. Here
are the details:
- ---
To
]]
> Sent: Thursday, June 14, 2001 7:11 AM
> To: [EMAIL PROTECTED]
> Subject: Re: vnc and security
>
>
> Make sure you supply the parameter:
>
> -encodings "hextile copyrect"
>
> to the vncviewer command at the client. Otherwise, it'll try
> t
To: <[EMAIL PROTECTED]>
Sent: Wednesday, June 13, 2001 6:03 PM
Subject: vnc and security
> Sorry if this has been covered before, but I searched the archives, and
> didn't find anything really relevant.
>
> My company is doing a security audit and installing a security polic
On Wed, Jun 13, 2001 at 11:03:28AM -0600, Jeff Walker wrote:
> Is there something I'm missing, something I can do to make this anywhere
> near the speed of non-ssh?
Have you tried using the new 'tight' encoding? www.tightvnc.com.
Tim.
*/
[demime 0.97b removed an attachment of type application
Sorry if this has been covered before, but I searched the archives, and
didn't find anything really relevant.
My company is doing a security audit and installing a security policy. Vnc
isn't going to be allowed, because the traffic isn't encrypted. I
understand how to fix this,
Ryan P. Casey said:
> From: "Bartel, Matt" <[EMAIL PROTECTED]>
>
> > I am using System Management Technologies' (http://www.smtechnologies.com)
> > version of VNC which provides for Windows NT domain security built native
> > into VNC.Ryan Casey wrote
nday, June 11, 2001 10:29 AM
Subject: System Management Technologies' NT Domain-Security VNC Problem
> Hello!
>
> I am using System Management Technologies' (http://www.smtechnologies.com)
> version of VNC which provides for Windows NT domain security built native
> into V
Hello!
I am using System Management Technologies' (http://www.smtechnologies.com)
version of VNC which provides for Windows NT domain security built native
into VNC.
I am having one problem. After running the server-piece, and trying to
connect with the client-piece, it asks me for my d
Hello!
Has anyone written the code which allows VNC to authenticate based on NT
domain security? I'm sure there are commercial packages which will do this,
but we run VNC to all end users' machines for troubleshooting...we can't
really afford to buy hundreds of copies of such a
>Is there a security setting that prevents users from accessing the VNC
>properties?
Please search the FAQ and archives for the "AllowProperties" registry
setting. This does not involve hiding the icon, it merely disables the
menu. If you *really* need to hide the icon, i
>
>-Original Message-
>From: Tony Do [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, May 09, 2001 11:52 AM
>To: [EMAIL PROTECTED]
>Subject: security
>
>
>Hi
>Is there a registry setting that can hide the VNC icon when the service is
>running?
>
>I
9, 2001 11:52 AM
To: [EMAIL PROTECTED]
Subject: security
Hi
Is there a registry setting that can hide the VNC icon when the service is
running?
I'm trying to prevent users from snooping around and changing the settings.
Is there a security setting that prevents users from accessing the
Hi
Is there a registry setting that can hide the VNC icon when the service is
running?
I'm trying to prevent users from snooping around and changing the settings.
Is there a security setting that prevents users from accessing the VNC
prope
>(Note that there is a bug in the password check code which means that the
>view-only password has to be as long as the 'normal' password.)
This reminds me - I'd better release the bugfixed version sharpish! Was
meaning to do so this time last week, but got bogged down in exams.
---
> Probably a damn silly question,
Don't worry - this is the place for silly questions ;-)
> why can't the server block mouse or keyboard commands from the viewer?
> The control for this is on the viewer side.
> Is there any way (on a MAC) to block viewer desktop control...
I'm not 100% sure I
Bill Spears writes:
>Probably a damn silly question, but why can't the server block mouse
>or keyboard commands from the viewer? The control for this is on the
>viewer side. Is there any way (on a MAC) to block viewer desktop
>control while still allowing viewing?
>Nothing obvious in the document
Probably a damn silly question, but why can't the server block mouse
or keyboard commands from the viewer? The control for this is on the
viewer side. Is there any way (on a MAC) to block viewer desktop
control while still allowing viewing?
Nothing obvious in the documentation or help, so sorry i
> When VNC is running as a service on a windows 2000 machine and another user is
> logged in
> it is possible for another user to start a new session that is already logged
> in
> the new session is the same window you get when you login NT security is
> bypassed the new session
When VNC is running as a service on a windows 2000 machine and another user is
logged in
it is possible for another user to start a new session that is already logged
in
the new session is the same window you get when you login NT security is
bypassed the new session
is a new window like in
>> Unfortunately, VNC does not really support any kind of (enforced)
>> separation of these two kinds of users. The underlying issue, from a
>> security standpoint, is that VNC doesn't differentiate between
>> authentication and authorization: if you authenticate at
> Unfortunately, VNC does not really support any kind of (enforced)
> separation of these two kinds of users. The underlying issue, from a
> security standpoint, is that VNC doesn't differentiate between
> authentication and authorization: if you authenticate at all, you'r
Ehud
> On Tue, 20 Mar 2001 11:32:37 +, Mark Rainford <[EMAIL PROTECTED]> wrote:
> >
> > You can try a kind of two level security without any code changes
> >
>
> You can run the slave on a Linux machine without a window manger
> (equivalent to fu
On Tue, 20 Mar 2001 11:32:37 +, Mark Rainford <[EMAIL PROTECTED]> wrote:
>
> You can try a kind of two level security without any code changes by
> simply using two servers in a master-slave arrangement. We use this
> technique to export view only copies of our control
PROTECTED]
Subject: Re: VNCProxy was (VNC security (uhm... maybe a feature request)?)
"Erlichmen, Shay" wrote:
>
> Wow, our company does the same thing, and we discover the VNC is not very
> efficient with multiple connections, so for that purpose we wrote VNCProxy.
> The proxy
"Erlichmen, Shay" wrote:
>
> Wow, our company does the same thing, and we discover the VNC is not very
> efficient with multiple connections, so for that purpose we wrote VNCProxy.
> The proxy connects to the VNC server with a single connection and tunnel the
> data stream to its clients. I guess
for it
available soon.
P.S. just thought of it, you can imp the security layer on the proxy it
doesn't have to be on the VNC Server.
Cheers,
Shay
-Original Message-
From: William Yang [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 19, 2001 11:39 PM
To: [EMAIL PROTECTED]
Subject
You can try a kind of two level security without any code changes by
simply using two servers in a master-slave arrangement. We use this
technique to export view only copies of our control room applications.
Here's how it could work for you: the presenter controls one Vnc server
- the "
>Unfortunately, VNC does not really support any kind of (enforced)
>separation of these two kinds of users. The underlying issue, from a
>security standpoint, is that VNC doesn't differentiate between
>authentication and authorization: if you authenticate at all, you're
Hello.
I'm a network and security analyst for the OSC (Ohio Supercomputer
Center) in Columbus, Ohio, USA. First off, let me say that I and my
organization generally has been very impressed with the functionality
of VNC. We've been using VNC to share a desktop in seminars -- a
"
I have an old fix for this on my Win2K box from the time it was last brought
up on BugTraq (search the VNC archives for that discussion). I never really
got around to sending the patch around because this list has a MIME stripper
and I lost interest there for a while.
The fix is simple:
I did an
Hi,
since there are obviously some people good at security on this list, I'd
like to ask, if they could point me to some good literature (preferred
online), about implementing security methods, or more specific, user
authentication.
Since we are in the process of developing a completel
Wednesday, January 24, 2001 10:55 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Security issue with WinVNC as service
I've been using VNC for a while, and I have nothing but admiration for
the people who write it - it's a great piece of software. So when the
head of things-te
On Wed, Jan 24, 2001 at 03:55:19PM +, John Ineson wrote:
> P.S. I've just signed up, so sorry if this issue's come up before. I
> have looked at the archives & docs and couldn't find anything.
Take another look. There is a security advisory in the archive that
> I now find that (in this, a standard install) the password hash is
> readable to all users, power users and administrators
> (HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default). This astounded me,
> and the other WinVNC users I know.
>
> So, if I'm not mistaken, by default even normal (i.e. only
>
I've been using VNC for a while, and I have nothing but admiration for
the people who write it - it's a great piece of software. So when the
head of things-technical in my School at Uni mentioned that it had
some security problem - something to do with the registry - I was very
su
ass file off list.
John Wilson
The Wilson Partnership
5 Market Hill, Whitchurch, Aylesbury, Bucks HP22 4JB, UK
+44 1296 641072, +44 7976 611010(mobile), +44 1296 641874(fax)
- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: 08 December 2000 22:26
Su
> Someone has installed VNC on several, student owned,
> computers in our Residence Halls without the owner's
> permission or knowledge. These computers are being
> remotely controlled without the owner's permission.
Thank you all for your assistance. I have several good
ideas and should be
Go to the machine, go to a prompt, type
netstat
This will give you a listing of the current connections and the ports they
are connected to.
Look for ports 5800-5900.
This won't do you much good if the attacker is not connected, but win9x/NT
tends to cache recent connections for quite some ti
There is probably a simpler way to do this, but I have run
snort on a PC so it came to mind as a more stealthy solution.
Don Heffernan
- - Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, December 07, 2000 9:47 PM
Subject: Urgent help needed
>Someone has installed VNC on several, student owned,
>computers in our Residence Halls without the owner's
>permission or knowledge. These computers are being
>remotely controlled without the owner's permission.
>
>This is, clearly, something I need to stop. I need to find
>out how I can determ
State
TCP    oz1:5900    CNT496:2152    ESTABLISHED
Carl Karsten
- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, December 07, 2000 9:47 PM
Subject: Urgent help needed to solve security breech
> Someone has i
Someone has installed VNC on several, student owned,
computers in our Residence Halls without the owner's
permission or knowledge. These computers are being
remotely controlled without the owner's permission.
This is, clearly, something I need to stop. I need to find
out how I can determine
83 matches