This is quite what I remember reading before, but it is similar.
From
http://www.securiteam.com/securitynews/VNC_3_3_2_R6_uses_a_weak_password_protection_mechanism.html :
2) Fixed encryption key.
When the VNC server encrypts a password it always uses the same fixed key,
so the output passwords are always the same. For example, if we input "conde"
as password, the output password is: df 6b 7e e8 94 26 d8 b5. Since the
software is open source, the key is publicly available, making the
encryption pointless.
Input password -> conde
Key -> 23 82 107 6 35 78 88 7
Encrypted password -> df 6b 7e e8 94 26 d8 b5
Input password -> 2621
Key -> 23 82 107 6 35 78 88 7
Encrypted password -> 73 05 1d 22 49 b6 05 1c
The VNC server always uses this key ("23 82 107 6 35 78 88 7") in the
current version. This means that an attacker with read access to the registry
can simply decode the password and obtain the plain-text version of it.
Rick Buford
User Support Analyst - Specialist
ITS - USER SERVICES
DC017.00 / 884-0578
> - [ Cleverly Disguised As A Responsible Adult ] -
-----Original Message-----
From: Mike Miller [mailto:EMAIL:PROTECTED]
Sent: Wednesday, April 05, 2000 11:51
To: MLUG list
Subject: Re: [MLUG]
On Wed, 5 Apr 2000, Buford, Rick wrote:
> Are there any security risks associated with using vncserver? I
> remember that older versions of vnc had a security flaw that would
> essentially let anyone log into the session...
What?! I hope not because I've been using it for a year or so and I've
read the list most of that time and I haven't heard of this problem.
Tell me more.
> Other than locking the display before closing the session, is there
> anything else I need to do to secure this? Is there a way to force the
> server in /etc/rc.d/init.d/ to run as non-root? Since I haven't been
> using any GUI on any of my linux boxes, being able to run an X/Gnome
> session is kind of a hoot =)
I compiled in tcp_wrappers support for Xvnc, so I restrict access that
way. Unfortunately, the Xvnc attempts are not logged by tcp_wrappers.
Now I am using iplog (thanks to someone on this list who told me about
it). iplog will log all attempts to connect to all ports (Xvnc is in the
5900-5999 range), so that I can see what's happening with Xvnc. I also
have the hosts.deny file of tcp_wrappers configured to send me an e-mail
message whenever a connection to Xvnc is rejected by tcp_wrappers. So I
feel pretty secure altogether.
Mike
--
Michael B. Miller
University of Missouri--Columbia
http://taxa.psyc.missouri.edu/~mbmiller/
--
To unsubscribe, send a new message with no subject and the words
"unsubscribe members" in the body to EMAIL:PROTECTED
Archives are available at http://mlug.missouri.edu/list-archives/
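
As an added example (not part of the original messages or any project's code), here is a sketch of the monitoring described in the thread: scan connection-attempt logs for the Xvnc port range 5900-5999 and count attempts from hosts outside an allow-list. The log line format, the sample lines and the allow-list address are constructed assumptions, not iplog's actual output.

```python
import re
from collections import Counter

# Constructed sample lines; the format is an assumption for illustration,
# not the actual output of iplog.
SAMPLE_LOG = """\
Apr  5 11:40:02 TCP: connection attempt to port 5901 from 192.0.2.10:40112
Apr  5 11:41:17 TCP: connection attempt to port 22 from 198.51.100.7:51000
Apr  5 11:42:30 TCP: connection attempt to port 5901 from 198.51.100.7:51002
Apr  5 11:42:31 TCP: connection attempt to port 5902 from 198.51.100.7:51003
Apr  5 11:50:00 TCP: connection attempt to port 6000 from 203.0.113.5:33000
Apr  5 11:51:09 TCP: connection attempt to port 5999 from 203.0.113.5:33001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) TCP: connection attempt to port "
    r"(?P<port>\d+) from (?P<src>\d+\.\d+\.\d+\.\d+):\d+$"
)
VNC_PORTS = range(5900, 6000)  # Xvnc range named in the thread: 5900-5999


def vnc_attempts(log_text):
    """Yield (timestamp, source, display) for attempts on Xvnc ports."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        port = int(m.group("port"))
        if port in VNC_PORTS:
            # VNC display N listens on port 5900 + N
            yield m.group("ts"), m.group("src"), port - 5900


def unexpected_sources(log_text, allowed):
    """Count Xvnc attempts per source address not on the allow-list."""
    hits = Counter()
    for _ts, src, _display in vnc_attempts(log_text):
        if src not in allowed:
            hits[src] += 1
    return dict(hits)


if __name__ == "__main__":
    allowed = {"192.0.2.10"}  # hypothetical host permitted by tcp_wrappers
    for src, n in sorted(unexpected_sources(SAMPLE_LOG, allowed).items()):
        print(f"{src}: {n} attempt(s) on Xvnc ports from a non-allowed host")
```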