RE: VNC Security

["Steve Bostedor" <Steveb () tshore com>]

Thank you for the reply, Alexander.  I understand exactly what you're trying to say.  I'm not sure if you fully 
understand what I was saying and its probably my fault for not making it clear enough.  

You seemed to concentrate on how easy it is to do things with the VNC packets once you've sniffed the packets.  You say 
that you've sniffed the packets before but have you ever sniffed packets from a network outside of your own LAN?  How 
about on your LAN but on another switch port?

What I was trying to discuss is how real the threat is that someone outside of your network will actually get to sniff 
enough of and the correct sequence of your packets to do the things that you where able to do by sniffing the packets 
on your local segment.

You're basically breaking into your own house by using your own keys in the scenario that you provided.  How realistic 
is it for someone in India to sniff my packets going from a server in Detroit, MI to a server in Jackson, MI?  How 
realistic is it for him to actually get usable data?

It's Easy to say that if there's a way into your network, you're insecure but there's a way into your house .. is your 
house insecure?  Is VNC really the low hanging fruit in my scenario.

I know that you all are very specific and technical, so I'll spell out an exact scenario which happens to be the most 
common usage of VNC in companies.
--------
* John Doe is getting an error message on his computer and calls the help desk a city away for help.

* Helpdesk tells John to double-click on the VNC icon on his desktop that starts the server

* Helpdesk connects to Johns computer and takes about 10 minutes to resolve the problem

* Helpdesk person kills the VNC server on the remote computer and the connection is terminated

------- 

I understand that Security is very important but it's also very important to not go Barney Fife and start drawing the 
gun on everything that moves if you get what I mean.  What are the odds that some guy in Florida is going to sniff that 
10 minute session and get into the network?  My answer is 1 in at least 10 million.  

The guy in Florida would have to have already compromised a computer on either of the networks that happened to be 
plugged into a HUB (Not a switch) that either of the computers are plugged into ~OR~ he would have had to hack one of 
the routers close to either one of them to send packets to him as a man in the middle attack of sorts.

Both of these are a bit extreme for VNC data theft, don't you think?  If you do all of that, isn't there a bunch of 
much bigger prizes at your fingertips than VNC data?!  

Now are you starting to see what I'm saying?  The successful exploits that must be done to get someone's VNC packet 
stream would land you access to things far greater than just the VNC data and who would waste the time with VNC data at 
that point?  Go for the gold, you're already in someplace pretty good at that point.

The only EASY way that I know of to sniff someone's packets are to either be on a hub with the remote computers or to 
have a Trojan on one of the computers.  Does someone know of an easy way other than that?  Easier than just hacking 
into the company other ways that do not involve VNC?

- Steve
-----Original Message-----
From: Alexander Bolante [mailto:alexander.bolante () gmail com]
Sent: Tuesday, April 19, 2005 6:25 PM
To: Steve Bostedor
Cc: security-basics () securityfocus com; vnc-list () realvnc com
Subject: Re: VNC Security


IMHO

NOTE:
For obvious reasons that VNC provides remote access to your machine,
Security is key (period). I'm assuming this thread does NOT pertain to
your COMPANY LAN, because if it does, the answer to your question,
"Why should I secure VNC over SSH?" is clearly...SOX compliance...

OTHERWISE:
Bottom line is -- if you DO NOT have any sensitive data to secure,
it's your prerogative to determine what lengths you want to take to
protect that data. Why do I tunnel VNC over SSH? To deal with the
uncertainty of potential security flaws and risks...

(SB wrote) What are the real risks of not securing VNC traffic? It depends...
The only caveat I see in not securing VNC traffic is...network eavesdropping

We already know that all VNC traffic between client and server is
unencrypted after authentication. That's a problem if you're moving
sensitive data. I've used a sniffer on a VNC session before. The
traffic was compressed, so it was still difficult to understand and
breakdown the data from the sniffer, BUT data passed in clear text
e.g. usernames, birthdate, home address, etc. could be useful
***depending on the malicious user's intentions***.

And because we often do NOT know what a malicious user's intentions
are, we mitigate that uncertainty by adding another layer of
security/defense in depth...tunneling VNC over SSH in order to secure
communication and not leave ports open for scanning; using TCP
wrappers to provide access control on a per-IP address basis, etc.


On 4/19/05, Steve Bostedor <Steveb () tshore com> wrote:
> I'd like to know if anyone has any working examples of why an
> unencrypted VNC session over the Internet is seen as such a horrible
> security risk.  I understand that unencrypted ANYTHING over the Internet
> lends the chance for someone to decode the packets (assuming that they
> capture every one of them) but in reality, what are the real risks here
> and has anyone successfully captured a VNC session from more than 2
> router hops away and actually gotten any meaningful information from it?
>
> I've captured a big chunk of a LOCAL session using Ethereal and the only
> thing that I can see that is usable is the password exchange.  Agreed
> that this could be a problem if someone just happened to be sniffing
> your local LAN segment at that exact moment and happened to capture your
> encrypted VNC password, he could crack the password and log in himself.
> But how paranoid is it to go through all of the trouble of setting up
> SSH to avoid that when you could just change your VNC password often and
> make sure that your local LAN is reasonably secure from prying eyes?
>
> How about once it gets out on the Internet?  Packets bounce all over the
> place on the Internet.  What are the odds that someone out there will
> pick your VNC packets out of all of the millions of packets running
> through the back bone routers without being noticed, capture enough of
> them to possibly replay a session, and actually have the patience or the
> tools to do so.  I've scoured the web out of this curiosity, looking for
> a tool to put VNC packets together into something useful for a hacker.
> There's nothing.  Nada.
>
> So, I guess that what I'm asking is; what all of the fuss is about?
> Your POP3 password likely gets passed unencrypted but we're being asked
> to be paranoid about an encrypted VNC password?  This is all coming from
> a discussion that I had with someone over the merits of using SSH with
> VNC over the internet for a 10 minute VNC session.
>
> Does anyone have anything that's not hypothetical?  Is there a tool that
> I'm missing out there that does more than just crack a VNC password?
> Does anyone know of any reported security breaches where VNC was a
> weakness?


-- 
"I know nothing" -- Alexander.Bolante () gmail com