Mike,

Check out the Foundstone guys, and in particular the guys who wrote the particularly poorly titled "Hacking Exposed". In the book, they discuss in detail all the ins and outs of remote control technology for a variety of products from pcAnywhere to Terminal Services, including a decent set of VNC weaknesses.
I spoke to a couple of them (George in particular) last year when I spoke at Blackhat, and they're quite decent guys. Feel free to approach them.

Current VNC security weaknesses in order of exploitability:

* reversible passwords - there simply is no excuse
* MITM attacks http://www.securiteam.com/securitynews/5ZP0P1535W.html
* the lack of username and passwords (one factor authentication)
* non-existent registry security on NT
* lack of a protocol tester to prove robustness and interoperability
* running as LOCALSYSTEM on NT presents a huge remote buffer overrun risk as well as quite a decent local exploit target
* the inbuilt web server on port 5800 is not necessary for most people, and is a good DoS target (look at code for greater clarity on this risk)
* buffer / heap overflow possible in functions using VSocket::GetPeerName() and %s expansion (this one is doable, trust me)
* it's probably possible to connect to the same port over and over again to avoid the inbuilt authentication brute-force limiters. Phoss is a perfect example of a tool that could be used again if they look carefully.

The list will probably go on and on. This is one of the reasons I've been working on and off on RFB 4.0, which basically ditches the RFB handshake in favor of something cryptographically secure. However, protocol level weaknesses aside, the backwards compatibility element plus a load of old code that no one is really going through with a fine tooth comb presents a boat load of residual risk.

Good luck with the presentation!

Andrew

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael Ossmann
Sent: Tuesday, 5 March 2002 10:50 AM
To: [EMAIL PROTECTED]
Subject: Thin client security presentation

I will be speaking at Rubi Con (http://www.rubi-con.org/) in April about thin client and remote desktop security. I'll discuss Citrix, Tarantella, VNC, the X window system, Windows Terminal Services, and possibly some other things.
Firstly, I'd like to invite everyone. If you are attending Rubi Con, I'd love to meet you.

Secondly, I'm gathering information for my presentation. If you have any links to security information on VNC or any of the other technologies, I'd appreciate an email. I have quite a bit of material already, but I'd like to fill in as many gaps in my knowledge as possible before I get bombarded with questions. :-)

Thanks,
Mike

--
Mike Ossmann, Tarantella/UNIX Engineer/Instructor
Alternative Technology, Inc.
http://www.alttech.com/

---------------------------------------------------------------------
To unsubscribe, mail [EMAIL PROTECTED] with the line: 'unsubscribe vnc-list' in the message BODY
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------
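Two of the items in Andrew's list are properties of the RFB 3.3 handshake itself rather than of any one implementation: a man-in-the-middle can relay the challenge, and a brute-force limiter that lives on the TCP connection is reset by simply reconnecting. The following is an added example, not code from the thread or from any VNC code base: a small Python model of VNC authentication with both attacks run against it, and a hardened server variant whose lockout is keyed by source address. Assumptions, labelled in the code: HMAC-SHA256 stands in for the DES-of-challenge that real RFB 3.3 uses (the security property that matters here, "the response proves knowledge of the password to whoever issued the challenge", is unchanged); the class names, the per-connection limiter, the source address 10.0.0.9 and the wordlist are constructed for the illustration.

```python
"""Constructed model of RFB 3.3 ("VNC authentication") and two weaknesses
from the list above: MITM relay of the challenge, and a brute-force limiter
that is per connection and therefore resets on reconnect.  Added example,
not VNC code."""
import hashlib
import hmac
import os


def vnc_response(password: str, challenge: bytes) -> bytes:
    """Client side of VNC auth: keyed transform of the server's 16-byte
    challenge.  Real RFB 3.3 DES-encrypts the challenge with the password
    (truncated/padded to 8 bytes) as key; HMAC-SHA256 cut to 16 bytes is a
    stand-in (assumption) so this runs without a DES library."""
    key = password.encode()[:8].ljust(8, b"\0")
    return hmac.new(key, challenge, hashlib.sha256).digest()[:16]


class Connection:
    """One client TCP connection.  Note: password only, no username."""

    def __init__(self, server, src_addr):
        self.server = server
        self.src_addr = src_addr
        self.challenge = os.urandom(16)
        self.failures = 0            # counted per connection only
        self.authenticated = False
        self.closed = False

    def authenticate(self, response: bytes) -> bool:
        if self.closed:
            return False
        expected = vnc_response(self.server.password, self.challenge)
        if hmac.compare_digest(response, expected):
            self.authenticated = True
            return True
        self.failures += 1
        self.server.record_failure(self.src_addr)
        if self.server.locked(self):
            self.closed = True       # limiter trips: drop this connection
        self.challenge = os.urandom(16)   # fresh challenge for a retry
        return False


class VncServer:
    """Weak design: the failure counter lives on the connection object, so a
    client that reconnects gets a new counter (constructed, not WinVNC)."""

    def __init__(self, password: str, max_failures: int = 3):
        self.password = password
        self.max_failures = max_failures

    def connect(self, src_addr: str = "10.0.0.9") -> Connection:
        return Connection(self, src_addr)

    def record_failure(self, src_addr: str) -> None:
        pass                         # nothing remembered across connections

    def locked(self, conn: Connection) -> bool:
        return conn.failures >= self.max_failures


class LockingVncServer(VncServer):
    """Hardened variant: failures are keyed by source address and survive
    reconnects, so reconnecting no longer resets the limiter."""

    def __init__(self, password: str, max_failures: int = 3):
        super().__init__(password, max_failures)
        self.failures_by_addr = {}

    def connect(self, src_addr: str = "10.0.0.9") -> Connection:
        conn = Connection(self, src_addr)
        if self.locked(conn):
            conn.closed = True       # refuse a locked-out address outright
        return conn

    def record_failure(self, src_addr: str) -> None:
        self.failures_by_addr[src_addr] = self.failures_by_addr.get(src_addr, 0) + 1

    def locked(self, conn: Connection) -> bool:
        return self.failures_by_addr.get(conn.src_addr, 0) >= self.max_failures


def brute_force(server: VncServer, candidates, reconnect: bool):
    """Guess each candidate; on lockout either give up or reconnect.
    Returns (password_found_or_None, number_of_guesses_sent)."""
    conn = server.connect()
    tries = 0
    for pw in candidates:
        if conn.closed:
            if not reconnect:
                return None, tries
            conn = server.connect()
            if conn.closed:          # hardened server refuses the address
                return None, tries
        tries += 1
        if conn.authenticate(vnc_response(pw, conn.challenge)):
            return pw, tries
    return None, tries


def mitm_session(server: VncServer, victim_answers) -> bool:
    """Relay attack.  The attacker opens its own connection to the real
    server, hands the server's challenge to the victim client (which thinks
    it is talking to the server) and replays the victim's answer.  The
    attacker never learns the password and trips no limiter.
    victim_answers(challenge) models the legitimate client."""
    conn = server.connect(src_addr="attacker")
    conn.authenticate(victim_answers(conn.challenge))
    return conn.authenticated


if __name__ == "__main__":
    guesses = ["letmein", "admin", "vnc", "winvnc", "remote", "s3cret"]  # constructed
    weak, hard = VncServer("s3cret"), LockingVncServer("s3cret")
    print("weak, no reconnect :", brute_force(weak, guesses, reconnect=False))
    print("weak, reconnecting :", brute_force(weak, guesses, reconnect=True))
    print("hardened, reconnect:", brute_force(hard, guesses, reconnect=True))
    print("MITM vs hardened   :", mitm_session(hard, lambda c: vnc_response("s3cret", c)))
```

Against the weak server the guesser is cut off after three failures only until it reconnects, after which it walks the whole wordlist; keying the lockout by source address stops that. The relay, however, succeeds against both servers, which is the point of Andrew's remark that the fix has to be at the handshake level (server authentication and an encrypted channel, in practice tunnelling VNC over SSH or TLS) rather than a better limiter.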