metasploitMatteo Cantoni <[email protected]>, jduck <[email protected]>MSF:AUXILIARY-SCANNER-VNC-VNC_NONE_AUTH-
HistoryJun 06, 2008 - 4:29 a.m.

VNC Authentication None Detection

2008-06-06 04:29:41
Matteo Cantoni <[email protected]>, jduck <[email protected]>
www.rapid7.com
20

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.971

Percentile

99.8%

Detect VNC servers that support the “None” authentication method.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Scanner module that connects to a VNC (RFB) service, performs the protocol
# handshake, lists the security types the server offers and flags servers
# whose list contains the "None" type.
#
# Every host that completes the handshake is recorded through report_service;
# a host offering "None" is additionally recorded through report_vuln.
#
# For defenders: a server that offers "None" accepts RFB sessions without
# credentials. Remediation is on the server side (require a VNC authentication
# type and restrict which networks can reach the port).
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  # Declares the module metadata and registers the default target port (5900).
  def initialize
    module_refs = [
      # CVE-2006-2369 is a related case: "None" could be offered and used even
      # though it was not configured as allowed. A hit from this scanner means
      # the server offers "None"; it does not by itself show that the host is
      # affected by that CVE.
      ['CVE', '2006-2369'],
      ['URL', 'https://en.wikipedia.org/wiki/RFB'],
      ['URL', 'https://en.wikipedia.org/wiki/Vnc'],
    ]
    module_authors = ['Matteo Cantoni <goony[at]nothink.org>', 'jduck']

    super(
      'Name' => 'VNC Authentication None Detection',
      'Description' => 'Detect VNC servers that support the "None" authentication method.',
      'References' => module_refs,
      'Author' => module_authors,
      'License' => MSF_LICENSE
    )

    register_options([Opt::RPORT(5900)])
  end

  # Checks one host: handshake, security-type negotiation, then reporting.
  #
  # The socket is always released through the ensure clause, including on the
  # early returns taken when the handshake or the negotiation fails.
  #
  # @param target_host the host currently being scanned (used in console output)
  def run_host(target_host)
    connect
    # allow_none is passed straight to the RFB client; presumably it lets the
    # client accept the "None" type during negotiation -- confirm in Rex.
    rfb = Rex::Proto::RFB::Client.new(sock, allow_none: true)
    where = "#{target_host}:#{rport}"

    unless rfb.handshake
      print_error("#{where} - Handshake failed: #{rfb.error}")
      return
    end

    version = [rfb.majver, rfb.minver].join('.')
    print_status("#{where} - VNC server protocol version: #{version}")
    service = report_service(
      host: rhost,
      port: rport,
      proto: 'tcp',
      name: 'vnc',
      info: "VNC protocol version #{version}"
    )

    # Only the success of the negotiation matters here; the selected type is
    # not used afterwards.
    unless rfb.negotiate_authentication
      print_error("#{where} - Auth negotiation failed: #{rfb.error}")
      return
    end

    # Human-readable names of every security type the server advertised.
    type_names = rfb.auth_types.map { |t| Rex::Proto::RFB::AuthType.to_s(t) }
    offered = type_names.join(', ')
    print_status("#{where} - VNC server security types supported: #{offered}")

    return unless rfb.auth_types.include?(Rex::Proto::RFB::AuthType::None)

    print_good("#{where} - VNC server security types includes None, free access!")
    # NOTE(review): exploited_at is set although the visible code only
    # negotiates the security type; confirm the field is intended for a
    # detection-only module.
    report_vuln(
      {
        host: rhost,
        service: service,
        name: name,
        info: "Module #{fullname} identified the VNC 'none' security type: #{offered}",
        refs: references,
        exploited_at: Time.now.utc
      }
    )
  ensure
    disconnect
  end
end

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.971

Percentile

99.8%