[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] RealVNC 4.1.1 Remote Compromise

To: full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] RealVNC 4.1.1 Remote Compromise
From: Joachim Schipper <j.schipper@xxxxxxxxxx>
Date: Mon, 15 May 2006 18:36:56 +0200

On Mon, May 15, 2006 at 07:58:10AM -0500, Dixon, Wayne wrote:
> So what can be done about this exploit?  Does 4.1.2 protect against this
> vulnerability?  And what other mitigation procedures are available for
> this?

The best solution is not to run a VNC service using no more than it's
own authentication. Most offer only password auth, which is quite simply
insufficient. Use some auth scheme based on certificates or somesuch -
ssh, IPSec and OpenVPN all offer this capability.

                Joachim

References:
- RealVNC 4.1.1 Remote Compromise
  - From: James Evans

Prev by Date: XSS in orkut.com
Next by Date: FrontRange iHeat Vulnerability
Previous by thread: RealVNC 4.1.1 Remote Compromise
Next by thread: re: RealVNC 4.1.1 Remote Compromise
Index(es):
- Date
- Thread