Issue with Query of Accept/Refused Connection

[YY]

When the server is configured to Display Query Window, if the connection is refused (either by the user, or by the configured default action), I found several abnormalities on the afterward operation.

I first saw the problem on 1.0.9.5, and I considered this a bug of vncviewer at that time, and reported it on Viewer (1.0.8.x & 1.0.9.x) Bug, when connection is rejected


Recently I re-do the test again with 10961, now I change my mind and trend to believe the problem caused by the server, or both server & viewer having bugs, but I just can't sure.


Here are the setup in my test:
* server 10961 (May 10) and 1.0.8.2 running as service, with below setting:
　 - [v] Display Query Windows
　 - Timeout = 250 seconds
　 - Default = Refuse
　 - Multi viewer connection = Keep existing connections

* Viewers are 10961 (May 2), and 1.0.8.2

* Tests are done on WinXP Prof.



Here are what I observed in my tests:

1. When using 1.0.8.2 server, connection from both viewer are working properly, the server will prompt for input of Accept/Refuse.

2. When using 10961 (May 10) server, when connected from viewer of
　　- 1.0.8.2 --- OK! server will prompt for input of Accept/Refuse.
　　- 10961 (May 2) --- Rather than prompt for Accept/Refuse at server, the viewer was prompted for password. After the password was submitted, the Query windows then popup at server end.

　　This is obvious a bug of the server.


3. Continue the test of 10961 (May 2) of No.2. I entered the password, and Query windows popup at server, if I refused the connection, the viewer then ended up with an message of "authentication rejected", rather than the correct message "your connection has been rejected".


4. But the 10961 (May 10) server was not always responding in the way as described No.2 & No.3, sometimes when connect to the server with 10961 (May 2), the viewer was just ended up with "your connection has been rejected" directly. There was no popup for password input at viewer. There was no Query windows popup at server.


5. I was not able to determine the condition of when/why "prompt for password" or "your connection has been rejected" will be resulted. But after a lot of tests, I think the following condition is easier to trigger the "your connection has been rejected" result:

(i) - 10961 (May 2) viewer connect to 10961 (May 10) server,
　　- When ask for password, enter it.
　　- When Query windows popup at server, click "Refuse"
　　- So the viewer will show "authentication rejected", just end it.
　　- Start the viewer, and connect to the server again. A big chance the viewer will get "your connection has been rejected" directly.


(ii)- If I try to connect with viewer 1.0.8.2 and then 10961 (May 2) alternatively (and the server refuse the connectin), the said phenomenon seems to be easier be triggered.

[Rudi De Vos]

First viewer need to enter password, then server check if he is allowed or not.
This is intentional, for following future option.

I want to add some option to let the viewer select to connect to
-session1 console
-session2 user X RDP
To avoid that everyone can list and select a session, passwd need to checked
before selection. Accept/reject run in the selected session.

Test are possible impacted by the blacklist.
3x reject is blacklist
Then you need to wait some time before you can try again

[B]

It also sounds like a good idea from a security perspective. You're getting the "attacker's" attempt at a password BEFORE you even fully connect with the server...

[YY]

First viewer need to enter password, then server check if he is allowed or not.
This is intentional, for following future option.

I want to add some option to let the viewer select to connect to
-session1 console
-session2 user X RDP
To avoid that everyone can list and select a session, passwd need to checked
before selection. Accept/reject run in the selected session.

OK! I see then. Thanks

No problem of asking the password first.
But if the connection is refused by the server (as described in my first post), is it possible return the message "You connection has been rejected" as past ?

It now showing "authentication rejected" may confuse the user.

Test are possible impacted by the blacklist.
3x reject is blacklist
Then you need to wait some time before you can try again

I even don't know the server having such feature.
From which version was this feature implemented on UltraVNC. I really wnat to know more about this


I do the test again, I see this effect now ... but not 3x incorrect input, I found the server reject the connection request directly after 6x wrong password input.

[Rudi De Vos]

Black list exist already for a long time... 1.00

X time wrong passwd, and you need to wait before you can try again.
This was a messure against brute force passwd attacks.
winvnc handle the reject as a wrong password

I need to check to source for numbers, could be 3X or 6x and 30sec or 1 minute....
Time increase each time you pass a wrong passwd again...