VNC server "None" authentication method detectio
Reporter | Title | Published | Views | Family All 49 |
---|---|---|---|---|
Tenable Nessus | FreeBSD : vnc -- authentication bypass vulnerability (4645b98c-e46e-11da-9ae7-00123fcc6e5c) | 19 May 200600:00 | – | nessus |
Tenable Nessus | VNC Security Type Enforcement Failure Remote Authentication Bypass | 15 May 200600:00 | – | nessus |
Metasploit | RealVNC NULL Authentication Mode Bypass | 29 Aug 201115:30 | – | metasploit |
Metasploit | VNC Authentication None Detection | 6 Jun 200804:29 | – | metasploit |
seebug.org | RealVNC Authentication Bypass | 1 Jul 201400:00 | – | seebug |
seebug.org | RealVNC 4.1 Authentication Bypass | 28 Aug 201100:00 | – | seebug |
OpenVAS | Nmap NSE net: realvnc-auth-bypass | 1 Jun 201100:00 | – | openvas |
OpenVAS | Nmap NSE 6.01: realvnc-auth-bypass | 28 Feb 201300:00 | – | openvas |
OpenVAS | FreeBSD Ports: vnc | 4 Sep 200800:00 | – | openvas |
OpenVAS | Nmap NSE 6.01: realvnc-auth-bypass | 28 Feb 201300:00 | – | openvas |
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'VNC Authentication None Detection',
'Description' => 'Detect VNC servers that support the "None" authentication method.',
'References' => [
['CVE', '2006-2369'], # a related instance where "None" could be offered and used when not configured as allowed.
['URL', 'https://en.wikipedia.org/wiki/RFB'],
['URL', 'https://en.wikipedia.org/wiki/Vnc'],
],
'Author' => [
'Matteo Cantoni <goony[at]nothink.org>',
'jduck'
],
'License' => MSF_LICENSE
)
register_options(
[
Opt::RPORT(5900)
]
)
end
def run_host(target_host)
connect
vnc = Rex::Proto::RFB::Client.new(sock, allow_none: true)
unless vnc.handshake
print_error("#{target_host}:#{rport} - Handshake failed: #{vnc.error}")
return
end
ver = "#{vnc.majver}.#{vnc.minver}"
print_status("#{target_host}:#{rport} - VNC server protocol version: #{ver}")
svc = report_service(
host: rhost,
port: rport,
proto: 'tcp',
name: 'vnc',
info: "VNC protocol version #{ver}"
)
type = vnc.negotiate_authentication
unless type
print_error("#{target_host}:#{rport} - Auth negotiation failed: #{vnc.error}")
return
end
# Show the allowed security types
sec_type = []
vnc.auth_types.each do |t|
sec_type << Rex::Proto::RFB::AuthType.to_s(t)
end
print_status("#{target_host}:#{rport} - VNC server security types supported: #{sec_type.join(', ')}")
if (vnc.auth_types.include? Rex::Proto::RFB::AuthType::None)
print_good("#{target_host}:#{rport} - VNC server security types includes None, free access!")
report_vuln(
{
host: rhost,
service: svc,
name: name,
info: "Module #{fullname} identified the VNC 'none' security type: #{sec_type.join(', ')}",
refs: references,
exploited_at: Time.now.utc
}
)
end
ensure
disconnect
end
end
`
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo