COMMAND

    VNC

SYSTEMS AFFECTED

    Win32 and unices

PROBLEM

    The following was discovered by Conde Vampiro (Roses Labs).  VNC is
    a software package that permits a user to view a remote desktop in
    real-time.  It's a very nice GNU tool that runs on Windows (9x/NT)
    and *nix (Linux, BSD).  To prevent intruders from accessing the
    remote desktop, VNC has password protection.  The stored password
    is encrypted using 3DES, but this encryption is very poor and can
    be attacked (through brute force).

    PROBLEM ONE
    ===========
    When we install the VNC server  on a Windows box, we can  find the
    password  encrypted  at  the  following  registry  keys  (look for
    "password"):

        \HKEY_CURRENT_USER\Software\ORL\WinVNC3
        \HKEY_USERS\.DEFAULT\Software\ORL\WinVNC3

    When we enter a password of arbitrary length, the VNC server will
    encrypt our password, but it drops (nulls) every byte after the
    eighth.  This is demonstrated here:

        Input password -> micasaesazul
        Key -> 23 82 107 6 35 78 88 7
        Encrypted password -> 1f f1 6f 1a cc 34 64 f0

        Input password -> micasaesroja
        Key -> 23 82 107 6 35 78 88 7
        Encrypted password -> 1f f1 6f 1a cc 34 64 f0

    In both cases, the VNC server interpreted the password as
    "micasaes."  Eight characters is a very short effective password.

    PROBLEM TWO
    ===========
    When the VNC server encrypts a password it always uses the same
    fixed key, so the output for a given password is always the same.
    For example, if we input "conde" as the password, the output is:

        df 6b 7e e8 94 26 d8 b5.

        Input password -> conde
        Key -> 23 82 107 6 35 78 88 7
        Encrypted password -> df 6b 7e e8 94 26 d8 b5

        Input password -> 2621
        Key -> 23 82 107 6 35 78 88 7
        Encrypted password -> 73 05 1d 22 49 b6 05 1c

    The VNC server always uses this key ("23 82 107 6 35 78 88 7") in
    [at least] the current version.
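    Both problems together mean the stored value is deterministic and
    depends only on the first 8 bytes of the password, so an auditor can
    compare stored values across hosts directly.  The following is an
    added example, not code from the advisory or from VNC: it models the
    8-byte truncation and audits constructed .reg exports of the WinVNC3
    key.  The value name "Password" is an assumption (the advisory only
    says to look for "password"), and the ws02 value is made up.

```python
import re
from collections import defaultdict

# Stored values the advisory lists for two short passwords; the key is fixed,
# so a matching value on any host means that host uses that password.
KNOWN_STORED = {
    bytes.fromhex("df6b7ee89426d8b5"): "conde",
    bytes.fromhex("73051d2249b6051c"): "2621",
}

def vnc_password_block(password):
    """The 8-byte block VNC encrypts: truncated to 8 bytes, zero-padded."""
    raw = password.encode("latin-1", errors="replace")
    return raw[:8].ljust(8, b"\x00")

def same_effective_password(a, b):
    """True when VNC would store identical values for both passwords."""
    return vnc_password_block(a) == vnc_password_block(b)

# "Password" as the REG_BINARY value name is an assumption (see lead-in).
_REG_VALUE = re.compile(r'^"Password"=hex:([0-9a-fA-F,\\\s]+)$', re.M)

def stored_password_from_reg(reg_export):
    """Extract the stored 8-byte value from a .reg export of the WinVNC3 key."""
    m = _REG_VALUE.search(reg_export)
    if m is None:
        return None
    return bytes.fromhex(re.sub(r"[,\\\s]", "", m.group(1)))

def audit(exports):
    """exports: host -> .reg text. Groups hosts with identical stored values
    (same first 8 password bytes) and flags values known from the advisory."""
    by_value = defaultdict(list)
    for host, text in exports.items():
        blob = stored_password_from_reg(text)
        if blob is not None:
            by_value[blob].append(host)
    shared = {v.hex(): hosts for v, hosts in by_value.items() if len(hosts) > 1}
    weak = {h: KNOWN_STORED[v] for v, hosts in by_value.items()
            if v in KNOWN_STORED for h in hosts}
    return {"shared": shared, "weak": weak}

# Constructed sample exports (ws02's value is made up; ws04 has no VNC key).
_HDR = "Windows Registry Editor Version 5.00\n\n[HKEY_USERS\\.DEFAULT\\Software\\ORL\\WinVNC3]\n"
SAMPLE_EXPORTS = {
    "ws01": _HDR + '"Password"=hex:df,6b,7e,e8,94,26,d8,b5\n',
    "ws02": _HDR + '"Password"=hex:0a,1b,2c,3d,4e,5f,60,71\n',
    "ws03": _HDR + '"Password"=hex:df,6b,7e,e8,94,26,d8,b5\n',
    "ws04": "Windows Registry Editor Version 5.00\n\n[HKEY_CURRENT_USER\\Software\\Other]\n",
}
```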

SOLUTION

    Nothing yet.