http://www.roses-labs.com
Discovered and authored by: Conde Vampiro (Roses Labs)

INTRODUCTION

	VNC is a software package that lets a user view a remote
desktop in real time.  It is a very nice GNU tool that runs on Windows
(9x/NT) and *nix (Linux, BSD).

	To keep intruders from accessing the remote desktop, VNC has
password protection.  The stored password is encrypted with 3DES, but
this encryption is very poor and can be attacked (through brute force).

PROBLEM ONE

	When we install the VNC server on a Windows box, we find the
encrypted password under the following registry keys (look for "Password"):
	\HKEY_CURRENT_USER\Software\ORL\WinVNC3
	\HKEY_USERS\.DEFAULT\Software\ORL\WinVNC3


	When we enter a password of arbitrary length, the VNC server
encrypts it, but it drops (nulls) every byte after the eighth.
This is demonstrated here:

	Input password -> micasaesazul
	Key -> 23 82 107 6 35 78 88 7
	Encrypted password -> 1f f1 6f 1a cc 34 64 f0

	Input password -> micasaesroja
	Key -> 23 82 107 6 35 78 88 7
	Encrypted password -> 1f f1 6f 1a cc 34 64 f0

	In both cases, the VNC server interpreted the password as
"micasaes".  Eight characters is a very small effective password length.


PROBLEM TWO

	When the VNC server encrypts a password it always uses the same
fixed key, so the stored value for a given password is always the same.
For example, if we enter "conde" as the password, the stored
value is: df 6b 7e e8 94 26 d8 b5.

	Input password -> conde
	Key -> 23 82 107 6 35 78 88 7
	Encrypted password -> df 6b 7e e8 94 26 d8 b5

	Input password -> 2621
	Key -> 23 82 107 6 35 78 88 7
	Encrypted password -> 73 05 1d 22 49 b6 05 1c

	The VNC server always uses this key ("23 82 107 6 35 78 88 7") in
[at least] the current version.
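The two problems above, reproduced as an added example (not code from the advisory or from VNC): the password is cut or NUL-padded to exactly eight bytes and encrypted as a single DES block under the fixed key, so any two passwords sharing their first eight characters produce the same stored value, and equal passwords always produce equal values. The example assumes, as standard reimplementations do, that VNC's DES routine reads each key byte bit-reversed, so a stock DES library is fed the mirrored key bytes.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// vncKey is the fixed key the advisory reports (decimal 23 82 107 6 35 78 88 7).
var vncKey = [8]byte{23, 82, 107, 6, 35, 78, 88, 7}

// reverseBits mirrors the eight bits of b. Assumption of this example: VNC's
// DES code consumes key bytes LSB-first, so a standard DES wants them mirrored.
func reverseBits(b byte) byte {
	var r byte
	for i := 0; i < 8; i++ {
		r = r<<1 | b&1
		b >>= 1
	}
	return r
}

// EncodeVNCPassword reproduces the stored form: truncate or NUL-pad the
// password to 8 bytes, then encrypt that one block with DES under the fixed key.
func EncodeVNCPassword(password string) ([]byte, error) {
	var key [8]byte
	for i, b := range vncKey {
		key[i] = reverseBits(b)
	}
	block, err := des.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	var plain [8]byte
	copy(plain[:], password) // copy stops after 8 bytes: the rest is silently dropped
	out := make([]byte, 8)
	block.Encrypt(out, plain[:])
	return out, nil
}

// SameStoredValue reports whether two passwords would be indistinguishable once stored.
func SameStoredValue(a, b string) (bool, error) {
	ea, err := EncodeVNCPassword(a)
	if err != nil {
		return false, err
	}
	eb, err := EncodeVNCPassword(b)
	return err == nil && bytes.Equal(ea, eb), err
}

func main() {
	for _, pw := range []string{"micasaesazul", "micasaesroja", "conde", "2621"} {
		enc, _ := EncodeVNCPassword(pw)
		fmt.Printf("%-13s -> %s\n", pw, hex.EncodeToString(enc))
	}
}
```

The printed values can be compared against the advisory's tables; the first two lines are identical because both inputs collapse to "micasaes".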
