RealVNC 4.1.1 Remote Vulnerability
Focus posted in Uncategorized on May 16th, 2006
RealVNC has a remote exploit that allows users to gain full access to the VNC server without a password. In short, during the authentication process the VNC server sends one byte that is equal to the number of security types available to the client. The server then sends the security types offered to the client. The client then selects one of the security levels out of that array and sends it back (1 byte). However, the RealVNC server does not check whether that security level was even offered in the first place. So, if you return, say, 01, which is type 1 and just happens to be security type "None", bam, you're in. James Evans wrote a nice little article on it that goes into more detail about the hole. Check it out
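To make the handshake above concrete, here is a small Python model of the server side of the RFB 3.8 security negotiation. It is an added example written for this post, not RealVNC's code or anything from James Evans's article. It shows the exchange byte for byte (count byte, list of offered types, one-byte client choice), puts the missing check that causes the bypass next to the check a correct server makes, and includes a small detector that flags a captured client reply that names a type the server never offered (the mismatch a VNC proxy or IDS rule would look for). The type numbers 1 (None) and 2 (VNC Authentication) are the standard RFB values; the function names and the constructed sample bytes are my own.

```python
"""Model of the RFB 3.8 security-type negotiation and the RealVNC 4.1.1 flaw.

Added example for this post; not RealVNC's code. Message layout (RFB 3.8):
  server -> client: 1 byte  number-of-security-types
                    N bytes one security type each
  client -> server: 1 byte  the chosen security type
"""

# Standard RFB security-type numbers.
SEC_INVALID = 0
SEC_NONE = 1        # no authentication at all
SEC_VNCAUTH = 2     # DES challenge/response on the VNC password

SEC_NAMES = {SEC_NONE: "None", SEC_VNCAUTH: "VNC Authentication"}


def build_security_types_message(offered):
    """Server -> client message: count byte followed by the offered types."""
    if not 0 < len(offered) < 256:
        raise ValueError("RFB allows 1..255 security types in this message")
    return bytes([len(offered)]) + bytes(offered)


def parse_security_types_message(data):
    """Parse the server's message back into the list of offered types."""
    if not data:
        raise ValueError("empty message")
    count = data[0]
    if len(data) < 1 + count:
        raise ValueError("truncated security-types message")
    return list(data[1:1 + count])


def negotiate_vulnerable(offered, client_choice):
    """Mirrors the flaw described in the post: the server dispatches on the
    client's byte without ever checking that the type was in `offered`.
    Returns the resulting server state as a string."""
    if client_choice == SEC_NONE:
        return "authenticated"          # type 1 skips the password entirely
    if client_choice == SEC_VNCAUTH:
        return "challenge"              # server would now send the DES challenge
    return "rejected"


def negotiate_fixed(offered, client_choice):
    """Hardened version: the client's choice must be one of the offered types.
    Anything else, including SEC_NONE when it was not offered, is rejected."""
    if client_choice not in offered or client_choice == SEC_INVALID:
        return "rejected"
    if client_choice == SEC_NONE:
        return "authenticated"
    if client_choice == SEC_VNCAUTH:
        return "challenge"
    return "rejected"


def handshake_mismatch(server_msg, client_reply):
    """Detection helper: True when the client's one-byte reply names a security
    type the server did not offer. Works on captured wire bytes, so it can be
    run from a proxy or a packet capture to spot a bypass attempt."""
    offered = parse_security_types_message(server_msg)
    if len(client_reply) != 1:
        raise ValueError("client reply must be exactly one byte")
    return client_reply[0] not in offered


if __name__ == "__main__":
    # Constructed sample: a server configured to require a VNC password
    # offers only type 2; a misbehaving client answers with type 1.
    server_msg = build_security_types_message([SEC_VNCAUTH])     # b"\x01\x02"
    offered = parse_security_types_message(server_msg)
    bad_reply = bytes([SEC_NONE])

    print("offered:", [SEC_NAMES[t] for t in offered])
    print("vulnerable server:", negotiate_vulnerable(offered, bad_reply[0]))
    print("fixed server:     ", negotiate_fixed(offered, bad_reply[0]))
    print("mismatch flagged: ", handshake_mismatch(server_msg, bad_reply))
```

Running the block prints `authenticated` for the vulnerable path and `rejected` for the fixed one on the same input; `handshake_mismatch` is the one-line check worth adding to any VNC-aware proxy or IDS signature, since a legitimate client never replies with a type it was not offered.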



May 16th, 2006 at 12:30 pm
Also, you can use metasploit to proxy the connection so you don’t need to use a modified client:
http://metasploit.com/projects/Framework/exploits.html#realvnc_41_bypass
May 16th, 2006 at 3:48 pm
There have been a lot of new exploits integrated into metasploit in the last few days. Any reason for all the activity?