Security Basics mailing list archives

Re: VNC Security


From: Mark Owen <mr.markowen () gmail com>
Date: Tue, 19 Apr 2005 17:36:21 -0400

The fuss is about leaving any holes open at all.  VNC by itself is a
fairly secure program and the odds of someone outside your LAN
capturing your password are very low.  However it is possible.  If
there are a million VNC servers on the Internet and there is a
one-in-a-million shot that enough packets could be sniffed to capture
a password...well, better safe than sorry.  I'd rather have to go
through the trouble of setting up a secure connection than have to
make a special trip to who knows where to recover that compromised
computer.  An easier way is to use a secure VNC server that supports
encryption.  RealVNC Enterprise[1] supports 2048-bit encrypted
authentication and 128-bit encrypted sessions.  Overall though, I'd be
more concerned about having the VNC server on the default port on the
Internet to begin with.  Brute force applications like THC-Hydra[2]
are designed to crack passwords on VNC.  Thankfully most VNC servers
will automatically disconnect a user after 3 failed attempts.

[1]  http://www.realvnc.com/download.html
[2]  http://thc.org/thc-hydra/


On 4/19/05, Andy Bruce - softwareAB <andy () softwareab net> wrote:
This is a very interesting question to me. In my own case, I do have SSH
set up thru Cygwin (http://www.cygwin.com/) for my local network and I
use VNC thru that connection when I need to manage my own stuff
remotely. However, I have to admit that when I use VNC to aid remote
clients (which happens quite frequently) I don't worry about encryption
whatsoever.

FWIW, here's my approach:

1. I don't even try to explain setting up an SSH daemon to them. I
simply have them install the VNC server in user-mode and start it.

2. If I can't explain to them in 5 min or less how to do port
forwarding, I just have them connect directly to their cable/dsl modem.

3. Get the debugging and/or support done.

4. Have them stop the VNC server. Since it isn't running as a service,
it won't start up next time and so won't be a security risk.

5. Tell them to turn off port forwarding from the router (if they could
grok it), or just have them connect their PC back to the router and
their router back to the cable/dsl modem. In either case, 5900 isn't
available to the outside world so there's no risk even if they were
running VNC in service-mode.

I have to agree with Steve that this is, for all practical purposes, a
non-existent security risk. The only things that could go wrong:

a. "Somebody" is sniffing the packet stream while the VNC passwords are
being exchanged, and, during that 20 minute interchange, cracks the
password and logs onto the VNC server. Of course, we would notice this
problem on both ends!

b. I have never captured the data shared between client and server
(screen/UI deltas) and so have no idea if these pose a security risk or not.

c. While the VNC server is running and they are connected to the
internet (port forwarding has the same problem as direct connect) a port
sniffer detects that 5900 is available and immediately zooms in thru
some VNC security hole. Wez would know a lot more about this possibility
than me, though!

Am I missing something here?

Steve Bostedor wrote:

I'd like to know if anyone has any working examples of why an
unencrypted VNC session over the Internet is seen as such a horrible
security risk.  I understand that unencrypted ANYTHING over the Internet
lends the chance for someone to decode the packets (assuming that they
capture every one of them) but in reality, what are the real risks here
and has anyone successfully captured a VNC session from more than 2
router hops away and actually gotten any meaningful information from it?

I've captured a big chunk of a LOCAL session using Ethereal and the only
thing that I can see that is usable is the password exchange.  Agreed
that this could be a problem if someone just happened to be sniffing
your local LAN segment at that exact moment and happened to capture your
encrypted VNC password, he could crack the password and log in himself.
But how paranoid is it to go through all of the trouble of setting up
SSH to avoid that when you could just change your VNC password often and
make sure that your local LAN is reasonably secure from prying eyes?

How about once it gets out on the Internet?  Packets bounce all over the
place on the Internet.  What are the odds that someone out there will
pick your VNC packets out of all of the millions of packets running
through the backbone routers without being noticed, capture enough of
them to possibly replay a session, and actually have the patience or the
tools to do so?  I've scoured the web out of this curiosity, looking for
a tool to put VNC packets together into something useful for a hacker.
There's nothing.  Nada.

So, I guess what I'm asking is: what is all of the fuss about?
Your POP3 password likely gets passed unencrypted but we're being asked
to be paranoid about an encrypted VNC password?  This is all coming from
a discussion that I had with someone over the merits of using SSH with
VNC over the internet for a 10 minute VNC session.

Does anyone have anything that's not hypothetical?  Is there a tool that
I'm missing out there that does more than just crack a VNC password?
Does anyone know of any reported security breaches where VNC was a
weakness?
_______________________________________________
VNC-List mailing list
VNC-List () realvnc com
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list
-- 
Mark Owen
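The thread turns on two observable facts: the RFB password exchange is the one thing a sniffer can use, and servers cut a client off after a few failed logins. The following is an added example, not code from anyone in this thread, that applies that second fact as a detection rule: it parses RFB SecurityResult messages (a big-endian U32, 0 = OK, 1 = failed, with RFB 3.8 appending a reason string on failure) and flags any client that fails authentication three times inside a short window, which is the signature a Hydra-style run leaves on port 5900. The connection records are constructed for the example.

```python
"""Flag VNC (RFB) authentication brute force from captured SecurityResult
messages.  Added example, not from the thread; input records are constructed.
RFB SecurityResult: big-endian U32, 0 = OK, 1 = failed; RFB 3.8 appends a
U32 length plus a reason string when the result is "failed"."""
import struct
from collections import defaultdict

SEC_OK, SEC_FAILED = 0, 1

def parse_security_result(data: bytes):
    """Return (status, reason) decoded from one RFB SecurityResult message."""
    if len(data) < 4:
        raise ValueError("truncated SecurityResult")
    (status,) = struct.unpack(">I", data[:4])
    reason = ""
    if status == SEC_FAILED and len(data) >= 8:   # RFB 3.8 reason string
        (rlen,) = struct.unpack(">I", data[4:8])
        reason = data[8:8 + rlen].decode("latin-1", "replace")
    return status, reason

def find_bruteforce(records, threshold=3, window=60):
    """records: (unix_time, client_ip, SecurityResult bytes sent by the server).
    Returns {client_ip: time_first_flagged} for clients with >= threshold
    failures inside `window` seconds, the same condition most VNC servers use
    to disconnect or blacklist a client."""
    failures = defaultdict(list)
    flagged = {}
    for ts, ip, msg in sorted(records, key=lambda r: r[0]):
        status, _ = parse_security_result(msg)
        if status != SEC_FAILED:
            continue
        times = failures[ip]
        times.append(ts)
        while times and ts - times[0] > window:   # slide the window forward
            times.pop(0)
        if len(times) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged

def _fail(reason=b"Authentication failed"):
    """Build a constructed RFB 3.8 'failed' SecurityResult message."""
    return struct.pack(">II", SEC_FAILED, len(reason)) + reason

# constructed sample: one legitimate client, one client hammering the server
SAMPLE = [
    (1000, "192.0.2.10", struct.pack(">I", SEC_OK)),
    (1001, "198.51.100.7", _fail()),
    (1002, "198.51.100.7", _fail()),
    (1003, "198.51.100.7", _fail()),
    (1500, "192.0.2.10", _fail()),   # a single typo by the real user
]

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE))   # {'198.51.100.7': 1003}
```

The same rule runs unchanged over RFB 3.3 servers, which send the bare U32 without a reason string.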

