diff options
Diffstat (limited to '')
-rw-r--r-- | scripts/realvnc-auth-bypass.nse | 110 |
1 files changed, 110 insertions, 0 deletions
diff --git a/scripts/realvnc-auth-bypass.nse b/scripts/realvnc-auth-bypass.nse new file mode 100644 index 0000000..298c12e --- /dev/null +++ b/scripts/realvnc-auth-bypass.nse @@ -0,0 +1,110 @@ +local nmap = require "nmap" +local shortport = require "shortport" +local vulns = require "vulns" + +description = [[ +Checks if a VNC server is vulnerable to the RealVNC authentication bypass +(CVE-2006-2369). +]] +author = "Brandon Enright" +license = "Same as Nmap--See https://nmap.org/book/man-legal.html" + +--- +-- @see vnc-brute.nse +-- @see vnc-title.nse +-- +-- @output +-- PORT STATE SERVICE VERSION +-- 5900/tcp open vnc VNC (protocol 3.8) +-- | realvnc-auth-bypass: +-- | VULNERABLE: +-- | RealVNC 4.1.0 - 4.1.1 Authentication Bypass +-- | State: VULNERABLE +-- | IDs: CVE:CVE-2006-2369 +-- | Risk factor: High CVSSv2: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) +-- | RealVNC 4.1.1, and other products that use RealVNC such as AdderLink IP and +-- | Cisco CallManager, allows remote attackers to bypass authentication via a +-- | request in which the client specifies an insecure security type such as +-- | "Type 1 - None", which is accepted even if it is not offered by the server. +-- | Disclosure date: 2006-05-08 +-- | References: +-- | http://www.intelliadmin.com/index.php/2006/05/security-flaw-in-realvnc-411/ +-- |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2369 +categories = {"auth", "safe", "vuln"} + + +portrule = shortport.port_or_service({5900,5901,5902}, "vnc") + +action = function(host, port) + local socket = nmap.new_socket() + local result + local status = true + + local vuln = { + title = "RealVNC 4.1.0 - 4.1.1 Authentication Bypass", + IDS = { CVE = "CVE-2006-2369" }, + risk_factor = "High", + scores = { + CVSSv2 = "7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)", + }, + description = [[ +RealVNC 4.1.1, and other products that use RealVNC such as AdderLink IP and +Cisco CallManager, allows remote attackers to bypass authentication via a +request in which the client specifies an insecure security type such as +"Type 1 - None", which is accepted even if it is not offered by the server.]], + references = { + 'http://www.intelliadmin.com/index.php/2006/05/security-flaw-in-realvnc-411/', + }, + dates = { + disclosure = {year = '2006', month = '05', day = '08'}, + }, + state = vulns.STATE.NOT_VULN, + } + local report = vulns.Report:new(SCRIPT_NAME, host, port) + + socket:connect(host, port) + + status, result = socket:receive_lines(1) + + if (not status) then + socket:close() + return report:make_output(vuln) + end + + socket:send("RFB 003.008\n") + status, result = socket:receive_bytes(2) + + if not status then + socket:close() + return report:make_output(vuln) + end + + local numtypes = result:byte(1) + for i=1, numtypes do + local sectype = result:byte(i+1) + if sectype == 1 then + --already supports None auth + socket:close() + return report:make_output(vuln) + end + end + + socket:send("\001") + status, result = socket:receive_bytes(4) + + if (not status or result ~= "\000\000\000\000") then + socket:close() + return report:make_output(vuln) + end + + -- VULNERABLE! + vuln.state = vulns.STATE.VULN + + socket:close() + -- Cache result for other scripts to exploit. + local reg = host.registry[SCRIPT_NAME] or {} + reg[port.number] = true + host.registry[SCRIPT_NAME] = reg + + return report:make_output(vuln) +end |