[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] RealVNC 4.1.1 Remote Compromise

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] RealVNC 4.1.1 Remote Compromise
From: Michael Holstein <michael.holstein@xxxxxxxxxxx>
Date: Mon, 15 May 2006 12:42:51 -0400

So what can be done about this exploit?  Does 4.1.2 protect against this
vulnerability?  And what other mitigation procedures are available for
this?

Well, VNC hasn't exactly been legendary for security .. but if you dorun it, one safe(er) way to do so is bind VNC to localhost, and use sshdand port-redirection to access it.

Of course, then you've got to pay attention to patches in OpenSSH, butthat's got a better track record, and allows you to do RSA auth, etc.


Cheers,

Michael Holstein CISSP GCIA
Cleveland State University

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- RE: [Full-disclosure] RealVNC 4.1.1 Remote Compromise
  - From: Dixon, Wayne

Prev by Date: Re: [Full-disclosure] RealVNC 4.1.1 Remote Compromise
Next by Date: Re: [Full-disclosure] Microsoft MSDTC NdrAllocate Validation Vulnerability
Previous by thread: Re: [Full-disclosure] RealVNC 4.1.1 Remote Compromise
Next by thread: [Full-disclosure] Re: RealVNC 4.1.1 Remote Compromise
Index(es):
- Date
- Thread