 
From: Spencer, Ed M. -ND (Ed.M.Spencer.-NDdisney.com)
Date: Mon Jun 04 2001 - 12:57:46 CDT


    If you look at VNC's site and review the FAQ - Question #54 -
    (http://www.uk.research.att.com/vnc/faq.html) you will find the following
    information:

    "Q54 How secure is VNC?
    Access to your VNC desktop generally allows access to your whole
    environment, so security is obviously important. VNC uses a
    challenge-response password scheme to make the initial connection: the
    server sends a random series of bytes, which are encrypted using the
    password typed in, and then returned to the server, which checks them
    against the 'right' answer. After that the data is unencrypted and could, in
    theory, be watched by other malicious users, though it's a bit harder to
    snoop a VNC session than, say, a telnet, rlogin, or X session. Since VNC
    runs over a simple single TCP/IP socket, it is easy to add support for SSL
    or some other encryption scheme if this is important to you, or to tunnel it
    through something like SSH or Zebedee.

    SSH allows you to redirect remote TCP/IP ports so that all traffic is
    strongly encrypted, and this can be combined with VNC. SSH can also compress
    the encrypted data - this can be very useful if using VNC over slow links.
    See the 'Using SSH with VNC' page. Zebedee is a similar system which can be
    sometimes simpler to use. You can find info here.

    While we're on the subject of security, you should also be aware that only
    the first 8 characters of VNC passwords are significant. This is because the
    'getpass' call used in the Unix server to read a password has this
    restriction, and the other platforms have been made compatible with this.

    Wolfram Gloger < wmglodent.med.uni-muenchen.de> has built Xvnc with the TCP
    Wrapper library, allowing you more control over which hosts are allowed to
    connect. See the contribs page for details. "

    Seems that VNC isn't incredibly secure, but perhaps this is why there is so
    much information about using WinVNC over SSH. I've used WinVNC over SSH and
    it's much more secure. It's not that difficult to set up and works great.
    With SSH (v2) the issues associated with picking up the keyevents off the
    wire are much less of an issue. Yes, you're still vulnerable to brute force
    and side band analysis, but that's a little more difficult to overcome.

    I'd be more concerned about using VNC and relying only on the password to
    protect your machine. There isn't a lockout mechanism for failed guesses at
    the password (making it ripe for brute force attacks). I've seen brute
    force tools for VNC. (It pays to be paranoid).

    Ed Spencer
    MCSE/MCT/CNA/A+/Network+
    Security Analyst - IS Security
    Renaissance Worldwide, Inc. - Walt Disney World
     
    This communication is confidential, intended only for the named recipient(s)
    above and may contain trade secrets or other information that is exempt from
    disclosure under applicable law. Any use, dissemination, distribution or
    copying of this communication by anyone other than the named recipient(s) is
    strictly prohibited. If you have received this communication in error,
    please immediately notify us by calling (407) 566-5195. The ideas,
    opinions, and information expressed within the above email are the express
    sole opinion of the author and are not the opinion of the Walt Disney World
    Corporation. Thank you.

    -----Original Message-----
    From: boo guy [mailto:drouhpyyahoo.fr]
    Sent: Thursday, May 31, 2001 3:20 AM
    To: Information Security
    Cc: 'FOCUS-MSSECURITYFOCUS.COM'
    Subject: Re: VNC security

    We also use VNC, and your findings make me nervous...
    How would you simply trace the TCP/DATA over the
    networks using java?
    I would like to check these findings.
    Thanks

    On Tue, 29 May 2001, Information Security wrote:

    > I've followed the thread on remote management of servers and was surprised to
    > find out how many folks use VNC. After looking at the protocol, I rejected
    > it as unsecure. Am I missing something?
    >
    > VNC relies on the RFB protocol, I'm working off the v3.3 RFB standard
    > (Richardson & Wood, 16 July 1998), and ran network traces to confirm these
    > findings.
    >
    > Skip all the image painting stuff and look at how keystrokes are transferred
    > using the KeyEvent (section 5.2.5): they're sent across the network in clear
    > text. It's really simple to write a filter to pull out the keystroke events.
    > Looking at TCP data to the server on the VNC listener port, filter on packets
    > where the first data byte is 4 (message-type = KeyEvent). The ASCII
    > keystroke is in bytes 5-8.
    >
    > Does this concern you at all? We don't allow keystroke loggers on our
    > network. :)
    >

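The second poster asks how to check the claim quoted above. The following is an added example, not code from anyone in this thread: it walks a constructed RFB 3.3 client-to-server byte stream using the message layouts of the v3.3 specification and confirms that KeyEvent keysyms (message type 4, bytes 5-8) are readable as-is, which is exactly why the session has to be carried inside SSH. It assumes VNC authentication was negotiated (so a 16-byte challenge response precedes ClientInit); the auth bytes and all messages in the sample are constructed.

```python
"""List the plaintext KeyEvents in an RFB 3.3 client-to-server stream (added example)."""
import struct
KEY_EVENT = 4
# Fixed-size client messages, type -> total bytes: SetPixelFormat,
# FramebufferUpdateRequest, KeyEvent, PointerEvent.
FIXED_LEN = {0: 20, 3: 10, 4: 8, 5: 6}

def parse_client_stream(data: bytes) -> dict:
    """Return the version string and every (down, keysym) KeyEvent in data.
    Assumes VNC authentication was negotiated: 12-byte version, 16-byte
    challenge response, 1-byte ClientInit shared-flag, then messages."""
    if data[:4] != b"RFB " or data[11:12] != b"\n":
        raise ValueError("not an RFB client stream")
    version = data[:12].decode("ascii").rstrip("\n")
    pos, events = 12 + 16 + 1, []
    while pos < len(data):
        mtype = data[pos]
        if mtype == KEY_EVENT:
            # type(1) down-flag(1) padding(2) keysym(4, big-endian): bytes 5-8
            _, down, keysym = struct.unpack_from(">BBxxI", data, pos)
            events.append((bool(down), keysym))
            pos += 8
        elif mtype in FIXED_LEN:
            pos += FIXED_LEN[mtype]
        elif mtype == 1:  # FixColourMapEntries: U16 count of 6-byte entries
            pos += 6 + 6 * struct.unpack_from(">H", data, pos + 4)[0]
        elif mtype == 2:  # SetEncodings: U16 count of S32 encodings
            pos += 4 + 4 * struct.unpack_from(">H", data, pos + 2)[0]
        elif mtype == 6:  # ClientCutText: U32 text length
            pos += 8 + struct.unpack_from(">I", data, pos + 4)[0]
        else:
            raise ValueError(f"unknown client message type {mtype} at {pos}")
    return {"version": version, "key_events": events}

def printable_keys(events) -> str:
    # Printable ASCII keysyms equal the ASCII code; keep key-down events only.
    return "".join(chr(k) for down, k in events if down and 0x20 <= k <= 0x7E)

def key_event(down: bool, keysym: int) -> bytes:
    return struct.pack(">BBxxI", KEY_EVENT, int(down), keysym)

# Constructed sample of the client side of an untunneled session.
SAMPLE_STREAM = (
    b"RFB 003.003\n" + b"\x00" * 16 + b"\x01"       # version, auth response, ClientInit
    + struct.pack(">BxHii", 2, 2, 0, 1)             # SetEncodings, 2 encodings
    + struct.pack(">BBHHHH", 3, 0, 0, 0, 800, 600)  # FramebufferUpdateRequest
    + key_event(True, ord("h")) + key_event(False, ord("h")) + key_event(True, ord("i"))
    + struct.pack(">BBHH", 5, 0, 10, 20)            # PointerEvent
    + key_event(False, ord("i"))
)
```

Running `printable_keys(parse_client_stream(SAMPLE_STREAM)["key_events"])` on the sample returns the typed text unchanged; inside an SSH tunnel the same bytes are never visible on the wire.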