RE: VNC Security

["Joshua Berry" <jberry () PENSON COM>]

For anyone interested, here are a couple of tools that decrypt VNC
passwords:

http://www.cqure.net/tools.jsp?id=12
http://www.phenoelit.de/fr/tools.html

In the past, the key was static with no salts and single DES encrypted,
making it relatively simple to decrypt.

-----Original Message-----
From: Alexander Bolante [mailto:alexander.bolante () gmail com] 
Sent: Tuesday, April 19, 2005 9:24 PM
To: Steve Bostedor
Cc: security-basics () securityfocus com; vnc-list () realvnc com
Subject: Re: VNC Security

I stand corrected. I misread/misunderstood your original posting. To
clarify, I have never used/had to use a sniffer outside of my own
subnet for that matter.

Now I agree with you. It's not very realistic nor likely that UserX in
India will be sniffing, eavesdropping, hijacking, MITM, etc. a session
between a client in Detroit, MI to a server in Jackson, MI. And even
if UserX was, you're right, UserX would have already acquired access
to a machine(s) on that shared LAN. Should UserX even care about open
VNC sessions if UserX has already compromised a machine on the LAN?
Who knows; what are UserX's intentions? The answer could be...MAYBE.

I mean, I completely understand why you question having to secure VNC
if an outsider/unwanted intruder cannot (or probably would not) sniff
a VNC session. That's fine and I hear you loud and clear. I'm not
arguing with you.

BUT from a Security standpoint, what about your internal Employees?
Sure, it's convenient for me to single out Employees as a threat to
security, but it's still REALITY these days.

Now I do not have any solid proof that actual-usable-life-threatening
data can be obtained from sniffing a VNC session. It's all
"hypothetical" -- maybe EmployeeZ can obtain corporate pwds or entry
keys from sniffing a VNC session...MAYBE.

Or think about this -- the default VNC authentication mechanism uses a
challenge-response method. Based on a one-way hash algorithm, it's
practically impossible (or way too complicated) to reverse engineer by
sniffing packets.

BUT this is the 21st century. If EmployeeZ can sniff your
authentication packets, maybe EmployeeZ can also sniff the VNC data
stream and "theoretically" see what you're seeing...MAYBE.

The point I'm driving here is -- I personally prefer to tunnel VNC
over SSH to handle these "uncertainties" and (I'd rather not use this
term, but for lack of better terms) to build defense in depth for
remote access.

Clearly, my justification is completely subjective. And that probably
won't satisfy your original request since you're looking for tangible
evidence and solid proof/facts. When you find what you need, I'm
interested in hearing what you discovered.

Really, we all have different security requirements. You may only want
a fence, a deadbolt and lock on your door. I, on the other hand, want
what you want PLUS an outstanding Doberman Pinscher roaming my yard.

Good luck...


On 4/19/05, Steve Bostedor <Steveb () tshore com> wrote:
> Thank you for the reply, Alexander.  I understand exactly what you're
trying to say.  I'm not sure if you fully understand what I was saying
and its probably my fault for not making it clear enough.
> You seemed to concentrate on how easy it is to do things with the VNC
packets once you've sniffed the packets.  You say that you've sniffed
the packets before but have you ever sniffed packets from a network
outside of your own LAN?  How about on your LAN but on another switch
port?
> What I was trying to discuss is how real the threat is that someone
outside of your network will actually get to sniff enough of and the
correct sequence of your packets to do the things that you where able to
do by sniffing the packets on your local segment.
> You're basically breaking into your own house by using your own keys
in the scenario that you provided.  How realistic is it for someone in
India to sniff my packets going from a server in Detroit, MI to a server
in Jackson, MI?  How realistic is it for him to actually get usable
data?
> It's Easy to say that if there's a way into your network, you're
insecure but there's a way into your house .. is your house insecure?
Is VNC really the low hanging fruit in my scenario.
> I know that you all are very specific and technical, so I'll spell out
an exact scenario which happens to be the most common usage of VNC in
companies.
> --------
> * John Doe is getting an error message on his computer and calls the
help desk a city away for help.
> * Helpdesk tells John to double-click on the VNC icon on his desktop
that starts the server
> * Helpdesk connects to Johns computer and takes about 10 minutes to
resolve the problem
> * Helpdesk person kills the VNC server on the remote computer and the
connection is terminated
> -------
>
> I understand that Security is very important but it's also very
important to not go Barney Fife and start drawing the gun on everything
that moves if you get what I mean.  What are the odds that some guy in
Florida is going to sniff that 10 minute session and get into the
network?  My answer is 1 in at least 10 million.
> The guy in Florida would have to have already compromised a computer
on either of the networks that happened to be plugged into a HUB (Not a
switch) that either of the computers are plugged into ~OR~ he would have
had to hack one of the routers close to either one of them to send
packets to him as a man in the middle attack of sorts.
> Both of these are a bit extreme for VNC data theft, don't you think?
If you do all of that, isn't there a bunch of much bigger prizes at your
fingertips than VNC data?!
> Now are you starting to see what I'm saying?  The successful exploits
that must be done to get someone's VNC packet stream would land you
access to things far greater than just the VNC data and who would waste
the time with VNC data at that point?  Go for the gold, you're already
in someplace pretty good at that point.
> The only EASY way that I know of to sniff someone's packets are to
either be on a hub with the remote computers or to have a Trojan on one
of the computers.  Does someone know of an easy way other than that?
Easier than just hacking into the company other ways that do not involve
VNC?
> - Steve
> -----Original Message-----
> From: Alexander Bolante [mailto:alexander.bolante () gmail com]
> Sent: Tuesday, April 19, 2005 6:25 PM
> To: Steve Bostedor
> Cc: security-basics () securityfocus com; vnc-list () realvnc com
> Subject: Re: VNC Security
>
> IMHO
>
> NOTE:
> For obvious reasons that VNC provides remote access to your machine,
> Security is key (period). I'm assuming this thread does NOT pertain to
> your COMPANY LAN, because if it does, the answer to your question,
> "Why should I secure VNC over SSH?" is clearly...SOX compliance...
>
> OTHERWISE:
> Bottom line is -- if you DO NOT have any sensitive data to secure,
> it's your prerogative to determine what lengths you want to take to
> protect that data. Why do I tunnel VNC over SSH? To deal with the
> uncertainty of potential security flaws and risks...
>
> (SB wrote) What are the real risks of not securing VNC traffic? It
depends...
> The only caveat I see in not securing VNC traffic is...network
eavesdropping
> We already know that all VNC traffic between client and server is
> unencrypted after authentication. That's a problem if you're moving
> sensitive data. I've used a sniffer on a VNC session before. The
> traffic was compressed, so it was still difficult to understand and
> breakdown the data from the sniffer, BUT data passed in clear text
> e.g. usernames, birthdate, home address, etc. could be useful
> ***depending on the malicious user's intentions***.
>
> And because we often do NOT know what a malicious user's intentions
> are, we mitigate that uncertainty by adding another layer of
> security/defense in depth...tunneling VNC over SSH in order to secure
> communication and not leave ports open for scanning; using TCP
> wrappers to provide access control on a per-IP address basis, etc.
>
> On 4/19/05, Steve Bostedor <Steveb () tshore com> wrote:
> > I'd like to know if anyone has any working examples of why an
> > unencrypted VNC session over the Internet is seen as such a horrible
> > security risk.  I understand that unencrypted ANYTHING over the
Internet
> > lends the chance for someone to decode the packets (assuming that
they
> > capture every one of them) but in reality, what are the real risks
here
> > and has anyone successfully captured a VNC session from more than 2
> > router hops away and actually gotten any meaningful information from
it?
> > I've captured a big chunk of a LOCAL session using Ethereal and the
only
> > thing that I can see that is usable is the password exchange.
Agreed
> > that this could be a problem if someone just happened to be sniffing
> > your local LAN segment at that exact moment and happened to capture
your
> > encrypted VNC password, he could crack the password and log in
himself.
> > But how paranoid is it to go through all of the trouble of setting
up
> > SSH to avoid that when you could just change your VNC password often
and
> > make sure that your local LAN is reasonably secure from prying eyes?
> >
> > How about once it gets out on the Internet?  Packets bounce all over
the
> > place on the Internet.  What are the odds that someone out there
will
> > pick your VNC packets out of all of the millions of packets running
> > through the back bone routers without being noticed, capture enough
of
> > them to possibly replay a session, and actually have the patience or
the
> > tools to do so.  I've scoured the web out of this curiosity, looking
for
> > a tool to put VNC packets together into something useful for a
hacker.
> > There's nothing.  Nada.
> >
> > So, I guess that what I'm asking is; what all of the fuss is about?
> > Your POP3 password likely gets passed unencrypted but we're being
asked
> > to be paranoid about an encrypted VNC password?  This is all coming
from
> > a discussion that I had with someone over the merits of using SSH
with
> > VNC over the internet for a 10 minute VNC session.
> >
> > Does anyone have anything that's not hypothetical?  Is there a tool
that
> > I'm missing out there that does more than just crack a VNC password?
> > Does anyone know of any reported security breaches where VNC was a
> > weakness?
>
> --
> "I know nothing" -- Alexander.Bolante () gmail com


-- 
"I know nothing" -- Alexander.Bolante () gmail com