Security issue with WinVNC as service

Wed, 24 Jan 2001 08:06:28 -0800 

I've been using VNC for a while, and I have nothing but admiration for
the people who write it - it's a great piece of software. So when the
head of things-technical in my School at Uni mentioned that it had
some security problem - something to do with the registry - I was very
surprised. I looked into it, and it turns out he was referring to the
weak encryption of passwords, which isn't really a problem... for app
mode anyhow. I did notice something about WinVNC as a service that I
found worrying.

On my W2K box I have WinVNC installed as a service, as recommended.
Only I know the password, so I figured it was secure - I could use it
for remote access, administration, and helping people out, but nobody
else could mess with it.

I now find that (in this, a standard install) the password hash is
readable to all users, power users and administrators
(HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default). This astounded me,
and the other WinVNC users I know.

So, if I'm not mistaken, by default even normal (i.e. only
semi-trusted) users could potentially log in, read the hash and
extract the password. Therafter they could both spy on and interfere
with other users' sessions. And as soon as an Administrator went AFK,
the box would be as good as own3d.

I'm sure almost everybody here knows about VNC than I do, so perhaps
you could tell me - is this all:

a. Blindingly obvious to everyone else
b. Not actually a problem, 'cos I'm muddled in some way
c. Something that should be documented and/or changed

I'd appreciate any thoughts, because this seems like a serious problem
to me, yet I can't see how it could have gone unnoticed. I guess my
money's on option b   8-)

Best wishes,

J

P.S. I've just signed up, so sorry if this issue's come up before. I
have looked at the archives & docs and couldn't find anything.
P.P.S. I just read the newsgroup discussion. I'd say as a total newbie
I'm not entitled to a vote, but I'd like to cast the vote I don't have
wholly in favour of newsgroups rather than mailing lists  8-)
--
John G Ineson
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to [EMAIL PROTECTED]
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------

Reply via email to