http://www.roses-labs.com Discovered and authored by: Conde Vampiro (Roses Labs) INTRODUCTION VNC is a software package that permits a user to view a remote desktop in real-time. It's a very nice GNU tool that runs on Windows (9x/NT) and *nix (Linux, BSD). To protect intruder to access the remote desktop, VNC has a password protection. This encryption is done using 3DES, but this encryption is very poor and can be attacked (through brute-force). PROBLEM ONE When we install the VNC server on a Windows box, we can find the password encrypted at the following registry keys (look for "password"): \HKEY_CURRENT_USER\Software\ORL\WinVNC3 \HKEY_USERS\.DEFAULT\SOftware\ORL\WinVNC3 When we introduce a password of arbitrary length, the VNC server will encrypt our password, but it will drop (null) all bytes after 8. This is demonstrated here: Imput password -> micasaesazul Key -> 23 82 107 6 35 78 88 7 Encrypted password -> 1f f1 6f 1a cc 34 64 f0 Imput password -> micasaesroja Key -> 23 82 107 6 35 78 88 7 Encrypted password -> 1f f1 6f 1a cc 34 64 f0 In both cases, the VNC server interpretted the password as "micasaes." Eight characters is small. PROBLEM TWO When the VNC server encrypt a password it always uses the same fixed key, so the output password are always the same. For example, if we imput "conde" as password, the output password is: df 6b 7e e8 94 26 d8 b5. Imput password -> conde Key -> 23 82 107 6 35 78 88 7 Encrypted password -> df 6b 7e e8 94 26 d8 b5 Imput password -> 2621 Key -> 23 82 107 6 35 78 88 7 Encrypted password -> 73 05 1d 22 49 b6 05 1c The VNC server always use this key ("23 82 107 6 35 78 88 7") in [at least] the current version. New contributors: Conde Vampiro and Roses Labs (Back to Advisories Back to the main page