Subject: WinVNC 3.3.x
From: Gossi The Dog (gossi OWNED.LAB6.COM)
Date: Sat Nov 18 2000 - 20:48:15 CST
- Next message: Steven Alexander: "Decrypting passwords for SmartServer 3"
- Previous message: Chris Wing: "Re: Solaris libc locale bug exploit against non-exec stack"
- Next in thread: David LeBlanc: "Re: WinVNC 3.3.x"
- Reply: David LeBlanc: "Re: WinVNC 3.3.x"

So, you use WinVNC and Windows NT4 Workstation/Server...?

During the InstallShield setup utility, it creates the registry key:

HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3\

which is used to store all of WinVNC's default settings. By default,
Administrator and SYSTEM have full control, and Everybody has Special
Access (read and modify).

Ding dong. The connection password, IP and query restrictions and other
settings are all stored here, all editable by anybody.

This completely compromises any workstation [or server] running WinVNC,
unless it's been tightened. You can just use regedit remotely to blank the
password value and set the key "AuthRequired" to 0, to allow the blank
password...

Under Windows 2000, network users with "Standard User" (aka Power User)
privs can do the same by default - really only admins should have access
to this key.

This isn't anything brilliantly new (lax security permissions by default
under NT4), but since WinVNC allows complete remote access to a system, I
feel it's important people realise what they are deploying.

FIX - Use regedt32 to remove Everybody's permissions on the key entirely.

Gossi
Head Of ebe security
Professional Layabouts since 1998
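
The fix described in the post, scripted as an audit-then-repair check. This is an added example, not part of the original message and not WinVNC project code. It assumes a host with Windows PowerShell and an elevated session; the function names, the trusted-SID list and the write-rights mask are choices made for this example, and only the key itself is checked, not its subkeys.

```powershell
# Added example (not from the original post): report and remove write access
# that non-administrators hold on the WinVNC settings key.
$KeyPath = 'HKLM:\Software\ORL\WinVNC3'     # key named in the post
$Trusted = 'S-1-5-18', 'S-1-5-32-544'       # SYSTEM, BUILTIN\Administrators (assumed allow-list)
# Write-type registry rights plus GENERIC_WRITE / GENERIC_ALL, which raw ACEs may carry.
$WriteMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership' -bor 0x40000000 -bor 0x10000000

function Get-WeakRegistryAce {
    # Returns Allow ACEs that grant any write-type right to an untrusted SID.
    param([Parameter(Mandatory)]$Acl)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $Acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.RegistryRights -band $WriteMask) -ne 0 -and
        $Trusted -notcontains $_.IdentityReference.Value
    }
}

function Repair-WinVncKeyAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = $KeyPath)
    $acl  = Get-Acl -Path $Path
    $weak = @(Get-WeakRegistryAce -Acl $acl)
    foreach ($ace in $weak) {
        $sid  = $ace.IdentityReference
        $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        Write-Warning ('{0}: {1} can modify settings ({2}, inherited={3})' -f $Path, $name, $ace.RegistryRights, $ace.IsInherited)
        $acl.PurgeAccessRules($sid)          # drop every explicit ACE for this identity
    }
    if ($weak | Where-Object IsInherited) {
        # Purge does not touch inherited ACEs, so stop inheriting and discard them.
        $acl.SetAccessRuleProtection($true, $false)
    }
    foreach ($s in $Trusted) {               # make sure SYSTEM and Administrators keep control
        $id = New-Object System.Security.Principal.SecurityIdentifier $s
        $acl.SetAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule($id, 'FullControl', 'ContainerInherit', 'None', 'Allow')))
    }
    if ($weak.Count -and $PSCmdlet.ShouldProcess($Path, 'Remove write access for non-administrators')) {
        Set-Acl -Path $Path -AclObject $acl
    }
    $weak                                    # findings, for logging or further checks
}

Repair-WinVncKeyAcl -WhatIf                  # audit only; rerun without -WhatIf to apply
```

Disabling inheritance also drops inherited read-only entries, so confirm afterwards that the account the WinVNC service runs under can still read the key.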