RE: VNC Security

["Steve Bostedor" <Steveb () tshore com>]

No, there is no built in encryption for the free VNC builds.  UltraVNC
attempts to use a DSM plug-in but it doesn't always work right. 

Lazy?  Like not reading the response to Alexander? ;)  You seem to be
still operating under the same assumptions.


> -----Original Message-----
> From: Joshua Berry [mailto:jberry () PENSON COM] 
> Sent: Wednesday, April 20, 2005 9:41 AM
> To: Steve Bostedor; Andy Bruce - softwareAB
> Cc: security-basics () securityfocus com; vnc-list () realvnc com
> Subject: RE: VNC Security
>
>
> Just because some people and applications perform things 
> insecurely does not mean that you should or have to do so.  
> VNC allows full GUI access to a box, FTP, POP3, IMAP, etc do 
> not.  And yes, I do not use FTP, I use SSH SFTP because it is 
> secure.  I would hope that people on a security mailing list 
> attempt to do things more securely.
>
> This sounds like an issue of laziness, someone that doesn't 
> want to take the extra step to ensure their (or customers) 
> security.  Where I work this would be a huge problem because 
> of different regulations requiring data encryption.  Besides, 
> I believe that VNC has support for encryption now and if so 
> there is definitely no reason to not utilize that support.
>
> -----Original Message-----
> From: Steve Bostedor [mailto:Steveb () tshore com] 
> Sent: Tuesday, April 19, 2005 8:03 PM
> To: Joshua Berry; Andy Bruce - softwareAB
> Cc: security-basics () securityfocus com; vnc-list () realvnc com
> Subject: RE: VNC Security
>
> Joshua, Please see my reply to Alexander.  It addresses some 
> of what you said here.  I disagree that VNC should be avoided 
> completely, though. It's not THAT insecure!  I will go out on 
> a limb and say that about 90% of the pop3 users in the world 
> use plain text passwords.  Encrypted passwords aren't really 
> that common and most ISP's don't require that home users 
> encrypt their passwords.  
>
> Do you use FTP?  Maybe you tripple encrypt your FTP data or 
> just avoid FTP completely just like VNC, but I'll go out on a 
> limb again and guess that at least 95% of FTP users in the 
> world send the username and password in plain text and 
> unencrypted.  I'll also guess that at least 30% of them use 
> the same username and password for their FTP account as they 
> do for numerous other functions.  Maybe even their encrypted 
> Pop3 account. ;)
>
> The reply to Alexander explains my question further.  
>
>
> -----Original Message-----
> From: Joshua Berry [mailto:jberry () PENSON COM]
> Sent: Tuesday, April 19, 2005 6:43 PM
> To: Andy Bruce - softwareAB; Steve Bostedor
> Cc: security-basics () securityfocus com; vnc-list () realvnc com
> Subject: RE: VNC Security
>
>
> To the original poster:
>
> It is my *opinion* that using VNC should be avoided 
> completely.  The last time that I used VNC it only support a 
> password, and no user name. This leaves only the password to 
> brute-force, considerably lessening the time needed to break 
> in.  Also, you are making the assumption that everyone uses 
> plain text POP, I only use POP over SSL, IMAP over SSL or 
> HTTPS to access my email.  Also, this is not a good example 
> because POP user accounts/passwords only give you someone's 
> email, a VNC password will give you full access to the 
> server/desktop it is running on.
>
> The passwords can be sniffed on your local network or they 
> can be sniffed on the network that the server/desktop you are 
> connecting to resides on.  If this is a critical box, then 
> now anyone that can sniff the network can also gain a login 
> to this box to do whatever they want.
>
> I believe that VNC includes SSL or some other decent means of 
> encryption now.
>
> To the first follow up poster:
> a. Somebody just needs to get the password in that 20 minute 
> interchange, which is not too hard if they are only sniffing 
> for X sessions.  They can just dump that to a file and leave 
> it running until it picks something up.  Also, you can setup 
> something to probe the box on that port, so the next time VNC 
> is enabled they can login.  I am curious how you would notice 
> someone sniffing the network?  I only see this as being 
> possible if the host was running linux/unix and forwarding 
> their syslogs to you, so that you could see when a NIC 
> entered promiscuous mode.
>
> Lastly:
> I have seen several VNC exploits available over the years, so 
> this is just a whole new service that you are exposing to 
> risk that you often don't need to (because if it is Linux you 
> have SSH, and if it is a windows box you have Terminal Services)
>
>
> -----Original Message-----
> From: Andy Bruce - softwareAB [mailto:andy () softwareab net] 
> Sent: Tuesday, April 19, 2005 7:55 AM
> To: Steve Bostedor
> Cc: security-basics () securityfocus com; vnc-list () realvnc com
> Subject: Re: VNC Security
>
> This is a very interesting question to me. In my own case, I 
> do have SSH
>
> setup thru Cygwin (http://www.cygwin.com/) for my local network and I 
> use VNC thru that connection when I need to manage my own stuff 
> remotely. However, I have to admit that when I use VNC to aid remote 
> clients (which happens quite frequently) I don't worry about 
> encryption 
> whatsoever.
>
> FWIW, here's my approach:
>
> 1. I don't even try to explain setting up an SSH daemon to them. I 
> simply have them install the VNC server in user-mode and start it.
>
> 2. If I can't explain to them in 5 min or less how to do port 
> forwarding, I just have them connect directly to their 
> cable/dsl modem.
>
> 3. Get the debugging and/or support done.
>
> 4. Have them stop the VNC server. Since it isn't running as a 
> service, 
> it won't start up next time and so won't be a security risk.
>
> 5. Tell them to turn off port forwarding from the router (if 
> they could 
> grok it), or just have them connect their PC back to the router and 
> their router back to the cable/dsl modem. In either case, 5900 isn't 
> available to the outside world so there's no risk even if they were 
> running VNC in service-mode.
>
> I have to agree with Steve that this is, for all practical 
> purposes, a 
> non-existent security risk. The only things that could go wrong:
>
> a. "Somebody" is sniffing the packet stream while the VNC 
> passwords are 
> being exchanged, and, during that 20 minute interchange, cracks the 
> password and logs onto the VNC server. Of course, we would 
> notice this 
> problem on both ends!
>
> b. I have never captured the data shared between client and server 
> (screen/UI deltas) and so have no idea if these pose a 
> security risk or not.
>
> c. While the VNC server is running and they are connected to the 
> internet (port forwarding has the same problem as direct 
> connect) a port
>
> sniffer detects that 5900 is available and immediately zooms in thru 
> some VNC security hole. Wez would know a lot more about this 
> possibility
>
> than me, though!
>
> Am I missing something here?
>
> Steve Bostedor wrote:
>
> > I'd like to know if anyone has any working examples of why an 
> > unencrypted VNC session over the Internet is seen as such a horrible 
> > security risk.  I understand that unencrypted ANYTHING over the
> Internet
> > lends the chance for someone to decode the packets (assuming 
> that they 
> > capture every one of them) but in reality, what are the real 
> risks here 
> > and has anyone successfully captured a VNC session from more than 2 
> > router hops away and actually gotten any meaningful information from
> it?
> > I've captured a big chunk of a LOCAL session using Ethereal and the
> only
> > thing that I can see that is usable is the password 
> exchange.  Agreed 
> > that this could be a problem if someone just happened to be sniffing 
> > your local LAN segment at that exact moment and happened to capture
> your
> > encrypted VNC password, he could crack the password and log 
> in himself. 
> > But how paranoid is it to go through all of the trouble of 
> setting up 
> > SSH to avoid that when you could just change your VNC password often
> and
> > make sure that your local LAN is reasonably secure from prying eyes?
> >
> > How about once it gets out on the Internet?  Packets bounce all over
> the
> > place on the Internet.  What are the odds that someone out 
> there will 
> > pick your VNC packets out of all of the millions of packets running 
> > through the back bone routers without being noticed, capture 
> enough of 
> > them to possibly replay a session, and actually have the patience or
> the
> > tools to do so.  I've scoured the web out of this curiosity, looking
> for
> > a tool to put VNC packets together into something useful for 
> a hacker. 
> > There's nothing.  Nada.
> >
> > So, I guess that what I'm asking is; what all of the fuss is about? 
> > Your POP3 password likely gets passed unencrypted but we're 
> being asked 
> > to be paranoid about an encrypted VNC password?  This is all coming
> from
> > a discussion that I had with someone over the merits of 
> using SSH with 
> > VNC over the internet for a 10 minute VNC session.
> >
> > Does anyone have anything that's not hypothetical?  Is there a tool
> that
> > I'm missing out there that does more than just crack a VNC password? 
> > Does anyone know of any reported security breaches where VNC was a 
> > weakness?
> > _______________________________________________
> > VNC-List mailing list
> > VNC-List () realvnc com
> > To remove yourself from the list visit:
> > http://www.realvnc.com/mailman/listinfo/vnc-list
> >
> >
> >