COMMAND

    WinVNC

SYSTEMS AFFECTED

    WinVNC 3.3.x

PROBLEM

    Gossi The  Dog found  following.   So, you  use WinVNC and Windows
    NT4 Workstation/Server...?

    During the  InstallShield setup  utility, it  creates the registry
    key:

        HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3\

    which  is  used  to  store  all  of WinVNC's default settings.  By
    default,  Administrator   and  SYSTEM   have  full   control,  and
    Everybody has Special Access (read and modify).

    Ding dong.  The connection password, ip and query restrictions and
    other settings are all stored here, all editable by anybody.

    This  completely  comprises  any  workstation  [or server] running
    WinVNC,  unless  its  been  tightened.   You  can just use regedit
    remotely  to   blank  the   password  value   and  set   the   key
    "AuthRequired" to 0, to allow the blank password...

    Under Windows 2000, network users with "Standard User" (aka  Power
    User) privs can do the same by default - really only admins should
    have access to this key.

    This isn't anything brilliantly  new (lax security permissions  by
    default  under  NT4),  but  since  WinVNC  allows  complete remote
    access to a system, it is important that people realise what  they
    are deploying.

    Chris Wolfe added following.  The password stored in the  registry
    is   encrypted   with   a   fixed   key.    Because   of  the  MD5
    challenge-response   authentication   this   password   must    be
    decryptable by the server, and so can not be stored hashed.   This
    MD5 challenge-response architecture is very often used for  simple
    encrypted  authentication,  and  the  fixed-key encryption is even
    more common.

    The password is not sent over the network in the clear, and is not
    length-restricted by the protocol.   The issue of password  length
    has been  raised before  in the  VNC mailing  list, and  generally
    seems to be considered a bug (though no one has AFAIK fixed it  in
    the standard Windows version).

    Brute-forcing  the  passwords  is  relatively difficult: requiring
    either sniffing the network and brute-forcing the MD5 offline,  or
    repeated   connections   to   the   server.   Based   on   Chris's
    interpretation of the source code  he has (WinVNC 3.3.3) a  client
    may only  attempt to  authenticate once  every ten  seconds, which
    makes brute-forcing the password very time consuming.

    Instructions on  using VNC  through SSH  are linked  from the  VNC
    FAQ, and a few places in the documentation.  Refering to

        http://www.uk.research.att.com/vnc/sshvnc.html

    should be substantially  easier for most  people than acquiring  a
    book.

SOLUTION

    Use  regedt32  to  remove  Everybody's  permissions  on  the   key
    entirely.  A better fix is to use something more secure.   Another
    fix detailed  in Stephan  Norberg's new  book from  O'Reilly is to
    tunnel VNC though ssh, or if you have Win2k, wrap the whole  thing
    in IPSec.  And fix the registry permissions - also check the  file
    system permissions, as I'd bet they do the same thing there.