Is UltraVNC safe from the VNC Injection Exploit?

[scottwilkins]

This is making a lot of news since it was showed to M$ recently. However, I can't find where UltraVNC was tested. Does anyone know if it has been tested and if it passes or not?

http://www.google.com/search?q=VNC+injection+exploit

http://news.yahoo.com/news?tmpl=story&c ... s_nf/36563

[Marscha]

My understanding is that not UltraVNC is exploited but that through some windows bugs this exploit carries a VNC payload.
I.e. it installs a modified VNC server on the exploited system.

[MajikUF]

Well, then maybe someone can explain how my system was taken over last night. After going through all of the logs, I see a VNC connection from belgium and then some software was installed. Fortunately for me, the guy disabled the VNC service and my machine rebooted. Upon reboot, zonealarm (which was off) came up and blocked everything

[Marscha]

see e.g. http://www.metasploit.com/projects/Fram ... ode52.html

In your case it seems that some virus, trojan, etc. took over the system and installed a "customized" VNC server.
This is not related to UltraVNC.

[MajikUF]

It certainly wasn't a virus/trojan. It was a person who was able to access my computer via UltraVNC 1.0. My computer is XP SP2 patched 100% and NOD32 was running and updated. I'm a CISSP so I have a pretty good grasp on what has happened, and it wasn't a virus.

Would there be any logs (failure or otherwise) anywhere in maybe the event log that would log a brute force attack?

I have an event log of an IP in belgium logging into VNC. (It's in the event) My account was logged in with the machine locked. The Administrator user (not my user) was used to install several applications. I managed to find a .RAR file with a lot of hacking files in it and WINRAR install program on my PC that weren't there before.

[Rudi De Vos]

The server record all loggon events in the standard NT event logger and in a file mslogon.log.

Where you using the encryption plugin ?
mslogon, standard vnc passwords?

[MajikUF]

I'll check that log when I get home. (AT WORK NOW)

I wasn't using any of the plugins, just a standard VNC password 7 characters long. I would think that would be too long for a brute force.

[UltraSam]

Sorry for your problem

7 chars paasword is considered as week but I don t think it was a brute force attackm cause theres a temporization and protection against this kind of attack in all VNC flavors,

Possibilities:

- Your password is easy to guess : by *friends* or collegues ?
- Your password was sniffed using an spyware or a virus or a VNC password cracker
- You werent attacked using a winvnc server
- It was a *man in the middle* kind of attack: do you connect from a LAN (work ?) at home ? In this case it is very easy for someone on your LAN that has a modified WinVNC + a sniffer to use this trick.

Suggestion: use the UltraVNC dsmplugin and/or MSLogon

[Marscha]

You definitely need encryption (dsmplugin).
Password protection with MSLogon is not stronger than with classic VNC authentication.

[mbrown]

I though I would chime in here and relate what happened to me last week. On July 12th, someone tried to brute force their way onto one of my remote servers. I noticed because my application event log was full (Windows 2000 Server). Anyway, for over 11 hours, an average of three attempts per minute was made, all failing. I do not employ encryption or MSLogon, but my password is a jumble of letters with varying capitalization, numbers, and symbols. Fortunately, that password saved us from having someone gain control of our backup data server, which has a copy of ALL of our company data. Whew.

Subsequently, I have disabled all Internet port fowarding and only connect to remote machines through VPN tunnels.