Thursday, June 30, 2016

RealVNC Authentication Bypass

Metasploit's RealVNC authentication bypass module for CVE-2006-2369 is pretty fun because it's one of those that is way too easy. If a victim has a RealVNC server which is earlier than 4.1.2, or a LibVNCServer VNC server earlier than 0.8.2, a customized VNC client can send 'Type 1 - None' as the authentication type and completely bypass authentication. Metasploit does this for you.

This vulnerability was discovered by Steve Wiseman by accident while coding his own VNC software, so that's a fun fact. This is of course a very old vuln, but still exists out there, unfortunately. Here are the commands to exploit using msfconsole:

use auxiliary/admin/vnc/realvnc_41_bypass
show options
set autovnc true
set rhost <target-victim>

At this point, Metasploit should automatically launch a VNC client and remote to the host while bypassing authentication. Fun stuff.