November 24th, 2014

RealVNC 4.1.1 Remote Vulnerability

RealVNC has a remote exploit that allows users to gain full access to the VNC server without a password. In short, during the authentication process the VNC server sends one byte that is equal to the number of security types available to the client. The server then sends the security types offered to the client. The client then selects one of the security types out of that array and sends it back (1 byte). However, the RealVNC server does not check whether that security type was even offered in the first place. So if you return, say, a 01, which is type 1, which just happens to be security type "None", bam, you're in. James Evans wrote a nice little article on it that goes into more detail about the hole. Check it out
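The missing server-side check, shown as an added example (this is not RealVNC's source code): the unchecked handler trusts the client's reply byte, while the checked one only accepts a type that appears in the list the server just sent. The function names and the password-only server configuration are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SEC_NONE     1   /* security type "None", as named in the post */
#define SEC_VNC_AUTH 2   /* VNC Authentication in the RFB protocol */
#define SEC_REJECT  (-1) /* hypothetical return value: close the connection */

/* Server offer as described above: one count byte, then one byte per type.
 * Returns the number of bytes written, or 0 if the offer does not fit. */
size_t build_offer(const uint8_t *types, uint8_t n, uint8_t *out, size_t cap)
{
    if (n == 0 || cap < (size_t)n + 1)
        return 0;
    out[0] = n;
    for (size_t i = 0; i < n; i++)
        out[1 + i] = types[i];
    return (size_t)n + 1;
}

/* Flawed behaviour: the client's reply byte is used as-is. */
int accept_choice_unchecked(const uint8_t *offer, size_t len, uint8_t choice)
{
    (void)offer; (void)len;
    return choice;
}

/* Hardened behaviour: the reply must be one of the types that were offered. */
int accept_choice_checked(const uint8_t *offer, size_t len, uint8_t choice)
{
    if (len < 2 || (size_t)offer[0] + 1 != len)
        return SEC_REJECT;              /* malformed offer: fail closed */
    for (size_t i = 1; i < len; i++)
        if (offer[i] == choice)
            return choice;
    return SEC_REJECT;                  /* type was never offered */
}

int main(void)
{
    const uint8_t configured[] = { SEC_VNC_AUTH }; /* constructed: password required */
    uint8_t offer[8];
    size_t len = build_offer(configured, 1, offer, sizeof offer);
    printf("unchecked: %d\n", accept_choice_unchecked(offer, len, SEC_NONE));
    printf("checked:   %d\n", accept_choice_checked(offer, len, SEC_NONE));
    return 0;
}
```

A server that logs every `SEC_REJECT` together with the peer address also gets a cheap detection signal, since a conforming client never selects a type it was not offered.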
