Roses Labs Security Advisory
----------------------------

Author: Conde Vampiro
Date: 10/01/1999
Software: VNC 3.3.2 R6
Platform: Windows 9x, NT (may also affect the *nix version)
Risk: Poor password encryption. Possible brute-force attack.

------------
Introduction
------------

VNC is software that lets us view a remote desktop in real time, running a server and a client. It runs on Win 9x, NT and *nix (Linux, BSD). This tool is GNU and is very nice.

To keep intruders from accessing the remote desktop, VNC has password protection. The password is encrypted using Triple-DES (3DES), but this encryption is very poor and we can attack it :)

------
Detail
------

As I said before, VNC uses 3DES. When we install the VNC server on a Windows box, we find the encrypted password under the following registry keys:

\HKEY_CURRENT_USER\Software\ORL\WinVNC3
\HKEY_USERS\.DEFAULT\Software\ORL\WinVNC3

There we find a value called "password" which, of course, holds the encrypted password of the VNC server.

1- Problem!!!

When we enter a password, we can type as many characters as we want, but this is an illusion. If we enter more than 8 characters, the VNC server will encrypt our password, but at position 8 it puts a terminating character (\0) and throws away the rest of the characters.

Input password     -> micasaesazul
Key                -> 23 82 107 6 35 78 88 7
Encrypted password -> 1f f1 6f 1a cc 34 64 f0

Input password     -> micasaesroja
Key                -> 23 82 107 6 35 78 88 7
Encrypted password -> 1f f1 6f cc 34 64 f0

As we can see, the VNC server encrypts both passwords, and because it only takes the first 8 characters, both encrypted passwords come out the same. In both cases the password actually used is:

Input password -> micasaes

pa[0] = "m"
pa[1] = "i"
pa[2] = "c"
pa[3] = "a"
pa[4] = "s"
pa[5] = "a"
pa[6] = "e"
pa[7] = "s"
pa[8] = "\0"

8 characters, too few!!!

2- Problem!!!

As we have seen, the VNC server only takes the first 8 characters. But here comes another security problem.

When the VNC server encrypts a password it always uses the same fixed key, so the output for a given password is always the same. For example, if we enter "conde" as the password, the output is: df 6b 7e e8 94 26 d8 b5.

Input password     -> conde
Key                -> 23 82 107 6 35 78 88 7
Encrypted password -> df 6b 7e e8 94 26 d8 b5

Input password     -> 2621
Key                -> 23 82 107 6 35 78 88 7
Encrypted password -> 73 05 1d 22 49 b6 05 1c

The VNC server always uses this key: 23 82 107 6 35 78 88 7. Well, in this version :) As I said before, it is GNU software, so it is possible to study the code.

Roses Labs / w00w00
http://www.roses-labs.com
Advanced Security Research.
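The two weaknesses described in the advisory (8-byte truncation with NUL padding, and a fixed, installation-independent key) modelled in one short script. This is an added example written for this edit; it is not code from the advisory or from the VNC project. The function names (prepare_password, store_password, stored_values_collide, effective_entropy_bits, per_install_key_breaks_equality) are hypothetical, and the fixed-key block cipher is replaced by an HMAC-SHA256 stand-in so the script runs with the standard library alone; the outputs therefore do not reproduce the hex values quoted above, only the structural behaviour.

```python
import hmac
import hashlib
import math
import os

# Fixed key quoted in the advisory, given there as decimal bytes.
VNC_FIXED_KEY = bytes([23, 82, 107, 6, 35, 78, 88, 7])
MAX_PASSWORD_BYTES = 8  # the advisory's "8 characters, too few" limit


def prepare_password(password: str) -> bytes:
    """Model of problem 1: keep the first 8 bytes and NUL-pad the rest.

    Anything beyond byte 8 is silently discarded, matching the advisory's
    pa[0]..pa[8] listing.
    """
    raw = password.encode("latin-1")[:MAX_PASSWORD_BYTES]
    return raw.ljust(MAX_PASSWORD_BYTES, b"\0")


def store_password(password: str, key: bytes = VNC_FIXED_KEY) -> bytes:
    """Model of problem 2: a deterministic transform under a fixed key.

    STAND-IN (assumption): the real server uses DES-family encryption; here
    HMAC-SHA256 truncated to 8 bytes plays the role of "encrypt with a fixed
    key". Same key + same prepared input always gives the same stored value.
    """
    return hmac.new(key, prepare_password(password), hashlib.sha256).digest()[:8]


def stored_values_collide(p1: str, p2: str) -> bool:
    """True when two different typed passwords yield the same stored value."""
    return store_password(p1) == store_password(p2)


def effective_entropy_bits(alphabet_size: int, typed_length: int) -> float:
    """Bits of entropy that actually survive the 8-byte truncation."""
    usable = min(typed_length, MAX_PASSWORD_BYTES)
    return usable * math.log2(alphabet_size)


def per_install_key_breaks_equality(password: str) -> bool:
    """Why the fixed key matters: with a key generated per installation
    (os.urandom here), the same password stored on two machines no longer
    produces the same value, so stored values cannot be compared or
    precomputed across hosts."""
    key_a, key_b = os.urandom(8), os.urandom(8)
    return store_password(password, key_a) != store_password(password, key_b)


if __name__ == "__main__":
    for p in ("micasaesazul", "micasaesroja", "conde", "2621"):
        print(f"{p:14} -> stored {store_password(p).hex()}  used: {prepare_password(p)!r}")
    print("collide:", stored_values_collide("micasaesazul", "micasaesroja"))
    print("entropy of a 12-char printable-ASCII password: "
          f"{effective_entropy_bits(95, 12):.1f} bits (8 chars' worth)")
    print("per-install key differs:", per_install_key_breaks_equality("conde"))
```

Run as a script it prints the same stored value for "micasaesazul" and "micasaesroja" and shows that a 12-character password keeps only 8 characters' worth of entropy. One caveat not in the advisory: VNC's authentication is a challenge-response that needs the password itself on the server, so a one-way hash is not a drop-in replacement; a per-installation key only helps if it is kept out of reach of whoever can read the registry value, which makes access control on that value the practical control.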