VNC uses a simple challenge/response protocol for password authentication
that is basically secure; implementation bugs that caused problems in the
past have been fixed in the latest VNC releases. However, dictionary attacks
are always possible with challenge/response schemes, so be sure to choose a
good password. The newer releases (3.3.3r9 is current) disallow dictionary
attacks against the VNC server itself by introducing IP lockouts, and
generate better random numbers for the challenge nonce.

Another problem is that passwords are limited to 8 characters - everything
after that is discarded. This provides at most 52 bits of security for the
authentication session if it is sniffed and recorded. That's 52 bits
maximum, even if the password is a truly and completely random combination
of the 95 typeable ASCII characters. This is not great security, and could
be brute-force cracked by anyone with access to a few hundred machines in a
matter of days. There are internet tools available to do this.

The actual remote control session is completely unencrypted, so an attacker
could sniff out the keystrokes and images that pass back and forth with no
effort at all.

Your best bet is to use VNC on a secured, switched LAN, or use VNC only with
a VPN solution like IPsec that secures all traffic.
-ryan-
:::::::::::::::::::::::::::::
Nothing in life is so exhilarating as to be shot at without result.
-Sir Winston Churchill
-----Original Message-----
From: Paul Done [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 13, 2002 12:23 PM
To: MSWinNT Discussions
Subject: OT: VNC - any security problems
I have heard about it for over a year now, but just saw the potential
use (misuse?) for VNC [1]. Other than the obvious loss of total control of a
computer, are there security flaws with VNC?
I am particularly curious about your experience on the following:
Is the password "sniffable" that is required to connect a session?
Do you use it on end user machines? How or do you receive their consent /
approval?
Are there any gotchas one might need to be aware of?
Can you scan for the service or otherwise detect it is installed on a
computer?
Thanks for your shared experience,
Paul Done
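
Added example, not part of the original thread: a small parser that recognises the start of a VNC (RFB 3.3) session in the server-to-client bytes of a captured TCP stream and reports which authentication the server offered, which is one way to detect the service and to see that the challenge is sent in the clear. The handshake layout is assumed from the public RFB 3.3 specification; the function name and the sample byte strings are constructed for illustration.

```python
import struct

# Security-type values sent by an RFB 3.3 server after the version exchange.
SECURITY_TYPES = {0: "connection-failed", 1: "none", 2: "vnc-auth"}

def parse_rfb33_server_bytes(data: bytes) -> dict:
    """Classify the first server-to-client bytes of a captured TCP stream."""
    # ProtocolVersion is exactly 12 bytes: b"RFB xxx.yyy\n"
    head = data[:12]
    if len(head) < 12 or head[:4] != b"RFB " or head[7:8] != b"." or head[11:] != b"\n":
        return {"is_vnc": False}
    if not (head[4:7].isdigit() and head[8:11].isdigit()):
        return {"is_vnc": False}
    info = {
        "is_vnc": True,
        "version": (int(head[4:7]), int(head[8:11])),
        "security": None,
        "findings": ["session data after the handshake is unencrypted"],
    }
    # Only the 3.3 layout is handled: a 4-byte big-endian security type follows.
    if info["version"] != (3, 3) or len(data) < 16:
        return info
    (sec,) = struct.unpack(">I", data[12:16])
    info["security"] = SECURITY_TYPES.get(sec, f"unknown({sec})")
    if sec == 1:
        info["findings"].append("no password required to connect")
    elif sec == 2:
        # The 16-byte challenge travels in the clear, so a recorded exchange
        # can be tested offline against the (at most 8 character) password.
        info["challenge_in_clear"] = len(data[16:32]) == 16
        info["findings"].append("challenge/response visible to a sniffer")
    return info

# Constructed sample inputs (not real captures).
SAMPLE_AUTH = b"RFB 003.003\n" + struct.pack(">I", 2) + bytes(range(16))
SAMPLE_NONE = b"RFB 003.003\n" + struct.pack(">I", 1)
SAMPLE_SSH = b"SSH-2.0-OpenSSH_8.9\r\n"

if __name__ == "__main__":
    for name, blob in [("auth", SAMPLE_AUTH), ("none", SAMPLE_NONE), ("ssh", SAMPLE_SSH)]:
        print(name, parse_rfb33_server_bytes(blob))
```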