Ray:
        Good questions:

1. AFAIK, the VNC password login is a challenge/response style.
   So the challenge, and the response, can be sniffed, but not
   the plaintext password directly. The Phoss app (you can find
   it at http://www.phenoelit.de/phoss/) can be used to attack
   this handshake.

2. Correct, the su password could be sniffed in your example.

3. Correct, Win98 and earlier have no permission controls.
   Though, arguably, WinNT doesn't either: you can examine the
   registry for the ciphertext of VNC passwords that may
   connect you to accounts you otherwise don't have access to.
   Win2k and up adds better registry security (or so I'm told).
   Of course, no encrypted tunneling of VNC "fixes" this.

        In closing, I agree: using VNC over the Internet is
best done using an encrypted tunnel and judicious use of
AuthHosts and perhaps even LoopbackOnly. And of course a LEAF
firewall. :)

cheers,
Scott



On Thu, 21 Mar 2002, Ray Olszewski wrote:

> Thanks for posting a nice overview, Scott. Though I've used vnc a bit, I've
> only used it on a small, safe LAN, so I haven't looked at the security
> issues closely before. I wonder if you could clarify a couple of things.
>
> First, when you write ...
>
> >
> >3. Unlike telnet and others, the connection password is not sent
> >   entirely in clear text.
>
> ... what does the qualifier "entirely" signify? Can the VNC password be
> sniffed or not?
>
> Second, once you are connected, my understanding is that the connection
> itself is unencrypted. So, to pick the troubling example, if you are
> connected as someuser, and you su to root in an xterm window, the root
> password travels in the clear. Am I wrong in any of this understanding?
>
> Third, the concept of being logged in as a particular user has meaning for
> Linux and newer versions of Windows. But not older versions of Windows, such
> as Win98, which has no real permissions controls.
>
> These considerations all say to me that if you use VNC over the Internet,
> you should do it through a well-encrypted tunnel. (I'd say the same thing
> for other remote-control apps as well, of course, unless they have good,
> built-in encryption. Generally, I think even most sysadmins are too trusting
> ... but then, I always thought Fox Mulder was too trusting of the
> cigarette-smoking man too).
>
> At 09:26 PM 3/21/02 +0000, Scott C. Best wrote:
> >
> >     Some quick feedback to the security-conscious hyperbole
> >about VNC that's flown across the list recently. In my experience,
> >it's not exactly true that VNC has "very little" in the way of
> >security. Some features it has (and I've used):
> [details deleted]
>
>
> --
> ------------------------------------"Never tell me the odds!"---
> Ray Olszewski                                        -- Han Solo
> Palo Alto, CA                                  [EMAIL PROTECTED]
> ----------------------------------------------------------------
>
>


_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
