Is UltraVNC safe from the VNC Injection Exploit?

scottwilkins
Posts: 9
Joined: 2005-06-20 03:10

Post by scottwilkins »

This is making a lot of news since it was shown to M$ recently. However, I can't find where UltraVNC was tested. Does anyone know if it has been tested and if it passes or not?

http://www.google.com/search?q=VNC+injection+exploit

http://news.yahoo.com/news?tmpl=story&c ... s_nf/36563
Marscha
Former moderator
Posts: 464
Joined: 2004-05-14 06:48

Post by Marscha »

My understanding is that it is not UltraVNC that is exploited, but that through some Windows bugs this exploit carries a VNC payload.
I.e. it installs a modified VNC server on the exploited system.
MajikUF

Post by MajikUF »

Well, then maybe someone can explain how my system was taken over last night. After going through all of the logs, I see a VNC connection from Belgium and then some software was installed. Fortunately for me, the guy disabled the VNC service and my machine rebooted. Upon reboot, ZoneAlarm (which was off) came up and blocked everything.
Marscha
Former moderator
Posts: 464
Joined: 2004-05-14 06:48

Post by Marscha »

see e.g. http://www.metasploit.com/projects/Fram ... ode52.html

In your case it seems that some virus, trojan, etc. took over the system and installed a "customized" VNC server.
This is not related to UltraVNC.
MajikUF

Post by MajikUF »

It certainly wasn't a virus/trojan. It was a person who was able to access my computer via UltraVNC 1.0. My computer is XP SP2 patched 100% and NOD32 was running and updated. I'm a CISSP so I have a pretty good grasp on what has happened, and it wasn't a virus.

Would there be any logs (failure or otherwise) anywhere in maybe the event log that would log a brute force attack?

I have an event log of an IP in Belgium logging into VNC. (It's in the event) My account was logged in with the machine locked. The Administrator user (not my user) was used to install several applications. I managed to find a .RAR file with a lot of hacking files in it and a WinRAR install program on my PC that weren't there before.
Rudi De Vos
Admin & Developer
Posts: 6863
Joined: 2004-04-23 10:21

Post by Rudi De Vos »

The server records all logon events in the standard NT event logger and in a file, mslogon.log.

Were you using the encryption plugin?
MSLogon, standard VNC passwords?
MajikUF
Posts: 1
Joined: 2005-07-19 17:09

Post by MajikUF »

I'll check that log when I get home. (AT WORK NOW)

I wasn't using any of the plugins, just a standard VNC password 7 characters long. I would think that would be too long for a brute force.
UltraSam
Admin & Developer
Posts: 462
Joined: 2004-04-26 20:55

Post by UltraSam »

Sorry for your problem :(

A 7-char password is considered weak, but I don't think it was a brute force attack, because there's a temporization and protection against this kind of attack in all VNC flavors.

Possibilities:

- Your password is easy to guess: by *friends* or colleagues?
- Your password was sniffed using spyware or a virus or a VNC password cracker
- You weren't attacked using a winvnc server
- It was a *man in the middle* kind of attack: do you connect from a LAN (work?) at home? In this case it is very easy for someone on your LAN that has a modified WinVNC + a sniffer to use this trick.

Suggestion: use the UltraVNC dsmplugin and/or MSLogon
UltraSam
Marscha
Former moderator
Posts: 464
Joined: 2004-05-14 06:48

Post by Marscha »

You definitely need encryption (dsmplugin).
Password protection with MSLogon is not stronger than with classic VNC authentication.
mbrown
Posts: 44
Joined: 2004-04-24 02:20
Location: Chicago, IL USA

Post by mbrown »

I thought I would chime in here and relate what happened to me last week. On July 12th, someone tried to brute force their way onto one of my remote servers. I noticed because my application event log was full (Windows 2000 Server). Anyway, for over 11 hours, an average of three attempts per minute was made, all failing. I do not employ encryption or MSLogon, but my password is a jumble of letters with varying capitalization, numbers, and symbols. Fortunately, that password saved us from having someone gain control of our backup data server, which has a copy of ALL of our company data. Whew.

Subsequently, I have disabled all Internet port forwarding and only connect to remote machines through VPN tunnels.
Michael
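
Added example, not part of the thread and not UltraVNC's own code: a check for the slow, sustained password guessing described in the posts above (about three failed attempts per minute), run over logon records. The one-line-per-attempt layout, the sample lines and the names `flag_sources` and `sample_log` are assumptions; the real format of mslogon.log or an event-log export will differ and the regex must be adapted to it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line layout "YYYY-MM-DD HH:MM:SS <source-ip> FAILED|OK"; adapt the regex
# to whatever your server or an event-log export really writes.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (FAILED|OK)$")

def parse(lines):
    """Yield (timestamp, source_ip, succeeded) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3) == "OK"

def flag_sources(lines, window=timedelta(minutes=10), threshold=20):
    """Report sources with >= threshold failed logons inside any sliding window."""
    fails, success_after = defaultdict(list), {}
    for ts, ip, ok in sorted(parse(lines)):
        if not ok:
            fails[ip].append(ts)
        elif ip in fails:
            success_after.setdefault(ip, ts)  # first success following failures
    flagged = {}
    for ip, stamps in fails.items():
        start = peak = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # drop failures older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = {"failures": len(stamps), "peak_in_window": peak,
                           "success_after_failures": success_after.get(ip)}
    return flagged

def sample_log():
    """Constructed sample: one source failing every 20 s, one user mistyping twice."""
    t0 = datetime(2005, 7, 12, 1, 0, 0)
    lines = [f"{t0 + timedelta(seconds=20 * i):%Y-%m-%d %H:%M:%S} 203.0.113.7 FAILED"
             for i in range(45)]
    lines += ["2005-07-12 01:05:03 198.51.100.4 FAILED",
              "2005-07-12 01:05:30 198.51.100.4 FAILED",
              "2005-07-12 01:05:50 198.51.100.4 OK"]
    return lines

if __name__ == "__main__":
    for ip, info in flag_sources(sample_log()).items():
        print(ip, info)
```

A non-empty `success_after_failures` is the case to treat as an incident: the same source that was guessing eventually logged on.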