scripts/realvnc-auth-bypass.nse


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110

local nmap = require "nmap"
local shortport = require "shortport"
local vulns = require "vulns"

description = [[
Checks if a VNC server is vulnerable to the RealVNC authentication bypass
(CVE-2006-2369).
]]
author = "Brandon Enright"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

---
-- @see vnc-brute.nse
-- @see vnc-title.nse
--
-- @output
-- PORT     STATE SERVICE VERSION
-- 5900/tcp open  vnc     VNC (protocol 3.8)
-- | realvnc-auth-bypass:
-- |   VULNERABLE:
-- |   RealVNC 4.1.0 - 4.1.1 Authentication Bypass
-- |     State: VULNERABLE
-- |     IDs:  CVE:CVE-2006-2369
-- |     Risk factor: High  CVSSv2: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
-- |       RealVNC 4.1.1, and other products that use RealVNC such as AdderLink IP and
-- |       Cisco CallManager, allows remote attackers to bypass authentication via a
-- |       request in which the client specifies an insecure security type such as
-- |       "Type 1 - None", which is accepted even if it is not offered by the server.
-- |     Disclosure date: 2006-05-08
-- |     References:
-- |       http://www.intelliadmin.com/index.php/2006/05/security-flaw-in-realvnc-411/
-- |_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2369
categories = {"auth", "safe", "vuln"}


portrule = shortport.port_or_service({5900,5901,5902}, "vnc")

action = function(host, port)
  local socket = nmap.new_socket()
  local result
  local status = true

  local vuln = {
    title = "RealVNC 4.1.0 - 4.1.1 Authentication Bypass",
    IDS = { CVE = "CVE-2006-2369" },
    risk_factor = "High",
    scores = {
      CVSSv2 = "7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)",
    },
    description = [[
RealVNC 4.1.1, and other products that use RealVNC such as AdderLink IP and
Cisco CallManager, allows remote attackers to bypass authentication via a
request in which the client specifies an insecure security type such as
"Type 1 - None", which is accepted even if it is not offered by the server.]],
    references = {
      'http://www.intelliadmin.com/index.php/2006/05/security-flaw-in-realvnc-411/',
    },
    dates = {
      disclosure = {year = '2006', month = '05', day = '08'},
    },
    state = vulns.STATE.NOT_VULN,
  }
  local report = vulns.Report:new(SCRIPT_NAME, host, port)

  socket:connect(host, port)

  status, result = socket:receive_lines(1)

  if (not status) then
    socket:close()
    return report:make_output(vuln)
  end

  socket:send("RFB 003.008\n")
  status, result = socket:receive_bytes(2)

  if not status then
    socket:close()
    return report:make_output(vuln)
  end

  local numtypes = result:byte(1)
  for i=1, numtypes do
    local sectype = result:byte(i+1)
    if sectype == 1 then
      --already supports None auth
      socket:close()
      return report:make_output(vuln)
    end
  end

  socket:send("\001")
  status, result = socket:receive_bytes(4)

  if (not status or result ~= "\000\000\000\000") then
    socket:close()
    return report:make_output(vuln)
  end

  -- VULNERABLE!
  vuln.state = vulns.STATE.VULN

  socket:close()
  -- Cache result for other scripts to exploit.
  local reg = host.registry[SCRIPT_NAME] or {}
  reg[port.number] = true
  host.registry[SCRIPT_NAME] = reg

  return report:make_output(vuln)
end