Re: VNC authentication weakness

[Jack Lloyd <lloyd () acm jhu edu>]

On Wed, 24 Jul 2002 jepler () unpythonic net wrote:

> If your server will give the same challenge repeatedly, and you can
> sniff somebody else's challenge and response, it appears that you could
> authenticate without knowing the password simply by connecting within
> the 1-second window to get the same challenge, and then send the same
> response as the legitimate client.
>
> Another weakness in the challenge is that it uses 'random()%256'.  Many
> implementations of random() have highly predictable low bits.  It's not
> clear that this leads to as easy a compromise as the repeated challenge
> problem, but it's something that warrants consideration..

While looking at this, I noticed (in 3.3.3r2) that VNC seems to use the
password directly as a key to DES (truncating if the size is > 8 and
padding with NULL if it's < 8). Since DES ignores the low bit of each byte
of the key, this seems to mean that there are many different passwords
which will be accepted in place of the "real" password. (Can someone
confirm this is actually the case?)

Between that and the fact that challenges are based only on time(0) [ie you
can easily precompute every possible challenge the VNC server would send
out over the next week], it _may be a bad idea to rely on VNC's built in
authentication.

Regards,
 Jack