No - it's a challenge/response, and normally this is good enough for most
internal networks. I'm sure the people working on the initial go of RFB auth
#2 were probably thinking it was secure, but getting crypto stuff right is
Hard(tm).
The problem is the passwords are stored at the server end, with every server
using the same reversible encryption mechanism (otherwise the C/R wouldn't
work). On Win9x and NT 4.0, the registry security is so weak that it's
possible to remotely retrieve the 8 bytes that form the password, decrypt
them, et voila. A local user of any Win32 platform is able to do this attack
without administrative permissions.
See the following for a current list of known VNC security problems/attacks.
http://209.143.242.119/cgi-bin/search/search.cgi?searchvalue=VNC&type=archives
VNC-SEC-L is working on a rev to the RFB protocol to change the way
authentication works to remove this known hole. I'll be more active there
once I return from BlackHat on July 16.
Andrew
----- Original Message -----
From: "Matt Keyes" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 06, 2001 11:14 PM
Subject: Passwords
> How are VNC passwords transmitted? Clear text?
>
> Thanks!!
>
> Matt
> ---------------------------------------------------------------------
> To unsubscribe, send a message with the line: unsubscribe vnc-list
> to [EMAIL PROTECTED]
> See also: http://www.uk.research.att.com/vnc/intouch.html
> ---------------------------------------------------------------------