Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » SunPCi II VNC weak authentication scheme vulnerability

SunPCi II VNC weak authentication scheme vulnerability

by Nikola Strahija on July 3rd, 2002 SunPCi II is a PCI daughterboard for Sun Sparc systems capable of running Microsoft Windows OS and applications using an Intel Celeron processor. Starting with version 2.3 of the SunPCi II drivers, Sun ships a modified copy of AT&T's Virtual Network Computing (VNC) client and server. One of the modifications is the authorization process between VNC client and VNC server. The new authentication scheme enables an attacker to discover the VNC password (which is a valid Solaris password) just by sniffing the network between VNC client and VNC server. Once the password is discovered, the attacker can gain access to the system using VNC or other protocols. By default the VNC server is running an X desktop as root.


Technical details:
The readme of the supplied source code of the altered VNC software
mentions:

- --------------------------Start Quote--------------------------------
The original authorization code worked as follows:
Server-> password was read/decrypted from file
Server-> sent random bytes to client
Client-> get password from user
Client-> reads random bytes from server
Client-> encrypt random bytes with password
Client-> write encrypted random bytes to server
Server-> reads encrypted random bytes
Server-> encrypts original random bytes using password from file
Server-> compares encrypted random bytes

The new authorization code works as follows:
Server-> sent random bytes to client
Client-> get password from user
Client-> reads random bytes from server
Client-> encrypt password with random bytes as key
Client-> write encrypted password to server
Server-> reads encrypted password
Server-> decrypts encrypted password using random bytes as key
Server-> gets password of current user from system
Server-> encrypts password using user password as salt
Server-> compares encrypted passwords
- ---------------------------End Quote---------------------------------

Since the encryption used by VNC is the well known DES, it is easy to see
how this change of code weakens the security significantly. In the original
scheme it is difficult to reverse the encyption since the key is an unknown
password. (An attacker would need to break into the system first and read it
from the file mentioned in the first step.) In the new code, the key used
for encryption is the readily available challange ("random bytes") sent by
the server.

Conclusion:
Although encryption is being used, the way it is applied does not add any
security to sending the password over the wire in plain text. The original
VNC method is much more secure.

Proof of concept:
This requires merely an implementation of the DES algorithm. See attachment.

Work arounds (pick at least one):
a) Do not use the VNC software supplied by the SUNWspvnc package.
b) Replace the modified VNC software with the original VNC package
c) Only use the modified VNC software over a secure channel (i.e. ssh)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9IxiiuNOCmWYU0qwRAh/DAKDnCuADHUVsPGDYENAHyU72+wPb4gCg8/uR
KX2XX0Coco2uVERrIwQWNSw=
=4ohf
-----END PGP SIGNATURE-----

--
Richard van den Berg, CISSP


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »