[12218] in bugtraq
Security of "Virtual Network Computer"
daemon@ATHENA.MIT.EDU (Mikael Olsson)
Tue Oct 12 16:17:31 1999
Message-Id:  <3802E898.47D1A7F3@enternet.se>
Date:         Tue, 12 Oct 1999 09:51:52 +0200
Reply-To: Mikael Olsson <mikael.olsson@ENTERNET.SE>
From: Mikael Olsson <mikael.olsson@ENTERNET.SE>
To: BUGTRAQ@SECURITYFOCUS.COM
Originally a reply to a question on the firewalls list, I thought
it wise to repost my message to the Bugtraq list to alert a
wider audience - especially since many of the replies were
"I've used it across the Internet for ages with no problems"
-------
"How secure is VNC?" or
"Is it OK to run VNC over the Internet?"
VNC is an excellent piece of free software allowing cross-platform
remote administration, even via java-enabled web browsers.
See http://www.uk.research.att.com/vnc
However, it was not written to run "out-of-the-box" safely across
the Internet or other untrusted networks.
According to the authors of VNC (FAQ section):
Q51 How secure is VNC?
  Access to your VNC desktop generally allows access to your whole
  environment, so security is obviously important. VNC uses a
  challenge-response password scheme to make the initial connection:
  the server sends a random series of bytes, which are encrypted using
  the password typed in, and then returned to the server, which checks
  them against the 'right' answer. After that the data is unencrypted
  and could, in theory, be watched by other malicious users, though
  it's a bit harder to snoop a VNC session than, say, a telnet, rlogin,
  or X session. Since VNC runs over a simple single TCP/IP socket, it is
  easy to add support for SSL or some other encryption scheme if this
  is important to you, or to tunnel it through something like SSH.
They basically say "it is not secure".
What does this mean in practice?
- Session hijacking: once the session is established it might be
  hijacked using ARP spoofing, ICMP Redirects, BGP Injection,
  RIP spoofing or any other redirection method. All standard
  TCP sequence prediction problems apply.
- Man-in-the-middle attacks: Evil Attacker(tm) fools the client
  into connecting to him/her instead of the actual server (via DNS
  spoofing or any of the spoofs above; however, we do not need
  to do TCP sequence prediction at all), connects to the server,
  gets the random challenge, sends the challenge to the client,
  gets the response from the client and passes it to the server.
  Voila! Straight authenticated connection from attacker to server.
- Actually, both above attacks are a lot easier to do if all
  involved parties are on the same LAN, so your network security
  depends on the definition of the word "trusted" :)
As you can see, this is Not Secure(tm). Neither was that intended
by the authors:
Q52 Are you going to make it more secure?
  We do hope eventually to add better security to VNC, but there's
  also a good argument for not doing so. If security is a concern,
  it can be better to use a single system such as SSH or FreeS/WAN
  to encrypt all your traffic, rather than relying on the individual
  packages to do the right thing. Then, if you decide in a year's
  time that one system is too easily crackable, you can replace it
  yourself and all of your communications will benefit. It may also
  be easier to fit in with corporate security systems this way.
Executive summary:
Would you allow vanilla telnet to your protected machines?
Probably not.
If you need to run VNC over an untrusted network: tunnel it through
something More Secure(tm) such as SSH or IPSec.
A-a-a! Did I hear someone say "Okay, I'll use PPTP"?
Read Bruce Schneier and Mudge's analysis of
PPTP: http://www.counterpane.com/pptp.html
PPTPv2: http://www.counterpane.com/pptpv2-paper.html
Go with IPSec if you want to use a VPN mechanism; it's an
established standard.
-----Original Message-----
From: kbashir@engro.com [mailto:kbashir@engro.com]
Sent: 11 October 1999 13:39
To: Firewalls@Lists.GNAC.NET
Subject: VIRTUAL NETWORK COMPUTER
     This is a little off topic, but it still relates to security and
     firewalls in a sense.
     Has anybody used this without problems or compromising security?
     http://www.uk.research.att.com/vnc
--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50           Fax: +46-(0)660-122 50
Mobile: +46-(0)70-248 00 33
WWW: http://www.enternet.se        E-mail: mikael.olsson@enternet.se
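The challenge-response exchange and the relay described in the post, modelled as an added example (not code from the post or from the VNC project). HMAC-SHA256 stands in for "encrypted using the password", and the optional per-connection identifier is an assumption standing in for what an authenticated tunnel such as SSH provides to both endpoints; plain VNC has no such value, which is the point.

```python
import hmac
import hashlib
import os

# Constructed model of the scheme the post quotes: the server sends random bytes,
# the client transforms them with the password, the server compares. HMAC-SHA256
# is an assumption standing in for "encrypted using the password"; the real VNC
# transform is not described in the post, and this is not VNC code.
def respond(password: bytes, challenge: bytes, channel_id: bytes = b"") -> bytes:
    """Client side: keyed transform of the challenge, optionally bound to a channel."""
    return hmac.new(password, challenge + channel_id, hashlib.sha256).digest()

def verify(password: bytes, challenge: bytes, response: bytes, channel_id: bytes = b"") -> bool:
    """Server side: recompute the expected response and compare in constant time."""
    return hmac.compare_digest(respond(password, challenge, channel_id), response)

def run_session(relayed: bool, bound: bool) -> bool:
    """One authentication as the server judges it.

    relayed: the client was redirected to a relay host that forwards every byte
             between client and real server unchanged (the post's man-in-the-middle).
    bound:   the response additionally covers a per-connection identifier that an
             authenticated tunnel exposes to both endpoints (assumption: a stand-in
             for what tunnelling through SSH/IPSec buys you; plain VNC has none).
    """
    password = b"s3cret"                  # constructed sample credential
    challenge = os.urandom(16)            # server -> (relay ->) client, verbatim
    if relayed:
        client_chan = b"tunnel:client<->relay"   # the client's own connection
        server_chan = b"tunnel:relay<->server"   # a second, separate connection
    else:
        client_chan = server_chan = b"tunnel:client<->server"
    response = respond(password, challenge, client_chan if bound else b"")
    # Unbound: the relay forwards the response and the server cannot tell the
    # difference. Bound: the server's identifier differs from the client's, so
    # the forwarded response no longer verifies.
    return verify(password, challenge, response, server_chan if bound else b"")
```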