Real VNC 4.1.1 vulnerability – Remote Access without password



This is one worth checking out anybody using vnc for remote administration. It looks as though intelliadmin has come across a vulnerability in Real VNC 4 (the slashdot post I saw suggested “any machine running VNC 4.1”) I haven’t tested yet, so I don’t know if this ONLY affects REALVNC’s implementation or is broader. They have a proof of concept page which attempts to connect to the ip of the browser at the vnc port and display a screenshot. The site is getting slashdotted at the moment, so revisit this page and link until you get a chance to test out your VNC serving machines.


I’m particularly interested to test if it’s a VNC protocol, or an implementation issue. OK – a few minutes to read more detail. The vulnerability appears in Real VNC 4.1.1, it DOES NOT exist, according to the linked post, in either an older RealVNC 4.0, or UltraVNC or TightVNC.

It appears as though it is ONLY RealVNC 4.1.1 and Windows only was tested. The bug seems to be in the authentication process. Still, if you’re curious, check out the proof of concept link above. You need to connect FROM the machine running vnc server (server should be running…. that should be obvious I suppose…) AND also should be obvious, the vnc port should be accessible from the Internet. If they’re correct (and you’re running RealVNC 4.1.1), it should capture a screenshot and display for you.

RealVNC is the open source heir to the AT&T labs VNC project, they also develop commercial implementations of the VNC protocol. There are many offshoots of realvnc… ultravnc and tightvnc being the two most common. They are all generally compatible (core features compatible) using the vnc protocol.

–UPDATE 5/12/06–

Proof of concept that was down due to slashdotting is down permanently. Apparently they have confirmed the flaw (which was their objective…) They’re working with realvnc.com to solve the issue permanently. Keep an eye out for RealVNC 4.1.2……

–update 5/16/06–

There’s a bit more coverage of this now that news has spread of the vulnerability…. Security Focus details of the Real VNC 4.1.1 vulnerability and Sans has information on the VNC vulnerability now that exploits are available in the wild, snort detection signatures are too.

Most importantly…. RealVNC has security updates for their affected products. There doesn’t seem to be confirmation of other affected VNC versions.

   Send article as PDF   

Similar Posts