There are really two security issues.  One involves preventing unauthorized
access to the system console/desktop.  The availability of shatter (via VNC
or other input dialogs) raises the severity of a system access compromise,
but it is only one of many, many reasons to control access successfully.

TridiaVNC Pro does a good job of addressing the network access control
problem, along with providing other features:

http://www.tridiavncpro.com/

The second issue is the use of the shatter methods through VNC dialogs by
the person who is actually present and using the system where VNC is
running.  This is the issue addressed in my previous post.

The first issue was not missed.  It has been present, discussed at length
on this forum, understood by many users and addressed in various ways for
quite some time.

Brian
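The condition the quoted thread below keeps returning to is a service that runs as LocalSystem and owns windows on the interactive desktop (the "interactive service" Microsoft's policy says not to write). The following inventory check is an added example, not code from this thread or from any VNC project; it assumes PowerShell 3 or later on Windows and reads only the standard Win32_Service class and each service's registry Type value.

```powershell
# Added example (not from the thread): list services that are marked
# "Allow service to interact with desktop" AND run as LocalSystem.
# These are the services the shatter discussion is about; the check only
# inventories the exposure, it does not test the services themselves.
function Find-InteractiveSystemServices {
    [CmdletBinding()]
    param(
        # Account names treated as LocalSystem (assumed default list)
        [string[]]$SystemAccounts = @('LocalSystem', 'NT AUTHORITY\SYSTEM')
    )

    # SERVICE_INTERACTIVE_PROCESS bit in the service Type value
    $SERVICE_INTERACTIVE_PROCESS = 0x100

    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc = $_

        # Read the raw Type value so the 0x100 bit is visible alongside the
        # DesktopInteract property that WMI derives from it.
        $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
        $type = (Get-ItemProperty -Path $regPath -Name Type -ErrorAction SilentlyContinue).Type
        $interactiveBit = ($null -ne $type) -and (($type -band $SERVICE_INTERACTIVE_PROCESS) -ne 0)

        $runsAsSystem = $SystemAccounts -contains $svc.StartName

        if (($svc.DesktopInteract -or $interactiveBit) -and $runsAsSystem) {
            [pscustomobject]@{
                Name        = $svc.Name
                DisplayName = $svc.DisplayName
                State       = $svc.State
                StartName   = $svc.StartName
                TypeHex     = if ($null -ne $type) { '0x{0:X}' -f $type } else { 'n/a' }
                # Flag the WinVNC service binary discussed in the thread
                LooksLikeVNC = [bool]($svc.PathName -match 'winvnc')
                PathName    = $svc.PathName
            }
        }
    }
}

# Usage: running services first, so live exposure is at the top of the list
Find-InteractiveSystemServices | Sort-Object State | Format-Table -AutoSize
```

Any service this reports, running or not, is a candidate for the privilege-separation work the thread anticipates: move its user-facing windows out of the LocalSystem context or remove the interactive flag.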


"Reimer, Fred" wrote:
> 
> I think everyone is missing the point.  It doesn't matter if VNC is the
> application that one uses the shatter attack on or not.  The point is that
> VNC, or any remote access program as pointed out, effectively gives the same
> ability of being physically present at the server.  You can cut-and-paste
> exploit code over the VNC session and use the shatter attack on ANOTHER
> program, such as a virus detection program as documented in the shatter
> attack.
> 
> Yes, it is important to fix any possibility of using the shatter attack on
> VNC itself, but the real danger is using VNC as a method to use the shatter
> attack on another program.
> 
> I'd suggest that another effort be started to provide strong authentication
> for VNC.  We have RSA Security ACE/Servers and I'm hoping to one day use the
> included API to write SecurID authentication into VNC.  It would certainly
> give it a benefit over other access methods...
> 
> - Fred
> 
> -----Original Message-----
> From: W. Brian Blevins [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, August 21, 2002 9:13 AM
> To: [EMAIL PROTECTED]; Tridia Developer List
> Subject: Shatter after ImpersonateLoggedOnUser()?: RE: "shatter"
> vulnerability
> 
> When properly configured, the WinVNC.exe process is notified via
> MENU_SERVICEHELPER_MSG that a new user has logged in.  This causes the
> thread processing the windows messages for the trayicon and hidden
> window to call vncService:ProcessUserHelperMessage().  Eventually,
> this window message processing thread impersonates the user via
> ImpersonateLoggedOnUser().
> 
> What I do not understand is how the same thread that is calling
> ImpersonateLoggedOnUser() can be attacked through the shatter methods
> to obtain LocalSystem access.  If this is what is really happening,
> then there would appear to be other problems in the Win32 security API
> as well.  Does anyone know how or why that thread would still be
> vulnerable to a shatter attack after calling ImpersonateLoggedOnUser()?
> 
> > Message: 12
> > From: "EXT-Bellers, Chris" <[EMAIL PROTECTED]>
> > To: "Scott C. Best" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> > Cc: "EXT-Bellers, Chris" <[EMAIL PROTECTED]>
> > Subject: RE: "shatter" vulnerability
> > Date: Thu, 15 Aug 2002 18:29:27 -0500
> > Reply-To: [EMAIL PROTECTED]
> >
> > Scott et al:
> >
> > Well, the problem with the shatter attack is that any interactive service
> > running as LocalSystem that has user-interactive windows is problematic.
> > MS's official policy on the issue is "don't make any interactive services",
> > or make them interact with the user within a different security context,
> > like the window you get when you hit Ctl-Alt-Delete on NT/2K/XP
> >
> >
> > The scenario that I foresee is this:
> >
> > 1 Computer has VNC installed.
> > 2 User has guest-level or otherwise restricted access to machine.
> > 3 User logs in, and uses attack to gain LocalSystem access via the problem
> > with VNC.
> >
> > I consider this a VNC problem because the machine isn't vulnerable in this
> > case without VNC installed.
> >
> > The vulnerability in the article is much like sprintf() is for UNIX and C.
> > It's something that developers will need to be aware of, and they'll have to
> > write around it, and not write programs that utilize privileged services
> > that directly interact with the desktop.
> >
> > How that will ultimately affect the development of VNC or its derivatives, I
> > do not know; IANAP, merely an IT grunt trying to keep my boxen as secure as
> > possible.
> >
> > I suspect that there will have to be a privilege separation effort to
> > eliminate this problem, much as Symantec will have to separate how Norton AV
> > functions at the service level. I don't know enough about win32 to offer any
> > speculation about how that will occur, though.
> >
> > Hope this helps clarify
> > sincerely
> >
> > Chris Bellers 314.233.7181
> > OSA System Administrator
> > Phantom Works, Boeing
> >
> > PS FYI, I still plan on posting to Bugtraq and some of the other lists by
> > 17:00 CDT 21 August 2002.
> >
> > -----Original Message-----
> > From: Scott C. Best [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, August 15, 2002 6:04 PM
> > To: [EMAIL PROTECTED]
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: "shatter" vulnerability
> >
> >
> > Chris:
> >
> >         Heya. While I agree that the 'shatter' attack is something
> > every user should bring to Microsoft's attention (which I can see
> > in your email headers that you did), at the same time I don't
> > consider it a VNC problem. <duck>
> >
> >         Shatter, as I understand it, goes after the Win32 API
> > itself which just about *every* application piece of software on
> > Windows uses. The example you point to in the tombom reference
> > uses McAfee VirusScan if I recall. Anything that uses a WinAPI
> > popup can be exploited to run arbitrary code at the privilege
> > of that popup. Also, you need to have access to the machine. So
> > a user *could* VNC into your machine running as guest and use this
> > exploit to become administrator. But in my mind, VNC security
> > "stops" at controlling who can become guest.
> >
> >         Or perhaps I'm misunderstanding you: are you suggesting
> > that there are Windows and message boxes that WinVNC uses that
> > could be recoded to use custom popups, rather than WinAPI windows
> > which can be attacked with malicious messaging? wxWindows perhaps?
> >
> > cheers,
> > Scott
> >
> > > I recently tested the current vnc release (v3.3.3 R9) against the win32
> > > 'shatter' attacks recently referenced on many security mailing lists, and
> > > found that I can indeed obtain LocalSystem privileges using the same
> > > methods.
> > >
> > > I'm sure that most of the readers of most security lists and the vnc lists
> > > hold no illusions about the security provided by vnc, but this is
> > > regrettably something that falls outside the bounds of the typical
> > > cipher-strength and challenge problems.
> > >
> > > I'll post to the usual security forums in a week unless otherwise directed.
> > >
> > > References:
> > > http://security.tombom.co.uk/shatter.html
> > >
> > > Thanks in advance
> > >
> > > Sincerely,
> > >
> > > Chris Bellers
> > > OSA System Administrator
> > > Phantom Works, Boeing
> >
> 
> --
> Brian


-- 
Brian 
----------------------------------------------------------------------------
TridiaVNC Pro: finally, affordable remote control!
http://www.TridiaVNCPro.com/
----------------------------------------------------------------------------
Tridia's Mission: To always exceed our customers' expectations by providing
the absolute best software products backed by outstanding technical support
and customer service.  Please let us know how we are doing:
brian . blevins @ tridia.com or ceo-hotline @ tridia.com.
_______________________________________________
VNC-List mailing list
[EMAIL PROTECTED]
http://www.realvnc.com/mailman/listinfo/vnc-list