<<< Date Index >>>     <<< Thread Index >>>

Vulnerability in the way Ultr@xxxxxxxxx handles MS-Logon Authentication.



AGR IT Advisory
May 2, 2006
AGR-ADV-2006-01

TITLE: Vulnerability in the way Ultr@xxxxxxxxx handles MS-Logon Authentication.

Overview

Deon Force discovered a vulnerability in Ultr@VNC 1.0.1 and earlier versions 
with MS-Logon I and MS-Logon II authentication that may allow attackers to 
crack the windows password directly from the intercepted challenge response of 
MS-Logon traffic. This is due to the way Ultr@VNC handle the MS-Logon 
authentication.

Description

Ultr@VNC (available at http://ultravnc.sourceforge.net/) is a free software 
that can display the screen of another computer (via internet or network) on 
your own screen. The program remotely controls the other PC over any TCP/IP 
connection for administering and support.
While analyzing the MS-Logon authentication of Ultr@VNC, our team had found 
that it is possible to crack the MS-Logon authentication. It uses a simple 
algorithm to generate a response from the challenge sent by the VNC server to 
the VNC client and the username is sent in plain text. 
Our team has made an update to the VNCrackX4 which is capable to crack the 
intercepted challenge response of the MS-Logon authentication. It is based on 
the original version of VNCrackX4 from phenoelit available for download at 
www.phenoelit.de/vnccrack/download.html. The updated version of VNCrackX4 is or 
will be available at the same location.

Problems

The challenge response authentication process involve insecure and reversible 
algorithm (XOR).
An attacker can extract the windows password from the intercepted challenge // 
response.

Impact

Successfully sniffing the authentication session will compromise the windows 
account used for authentication.
This account can further be used to compromise the system or other system in 
the same domain or network.

Solution

We recommend not to use MS-Logon authentication method with Ultr@VNC until the 
algorithms used for authentication are improved.
A workaround to this vulnerability would be to use end-to-end encryption for 
the communication between the server and the client. Implementing a VPN 
solution could prevent an attacker from intercepting the session authentication 
exchange.
Another solution is to use the DSM Plug-in available at 
http://msrc4plugin.home.comcast.net/index.html provided that the key file is 
kept secure.

Credit

This vulnerability was discovered and researched by Deon Force. It was first 
reported to the Ultr@VNC team on 21 April 2006.

Copyright

This document is not to be edited or altered in any way without the express 
written consent of AGR(B) Sdn. Bhd. If you wish to reprint the whole or any 
part of this document, please email no_sp@m_support@asia-global-risk.com for 
permission. You may provide links to this document from your web site, and you 
may make copies of this document in accordance with international copyright 
laws. 

Disclaimer

The information within this document may change without notice. Use of this 
information constitutes acceptance for use in an AS IS condition. There are NO 
warranties, implied or otherwise, with regard to this information or its use. 
Any use of this information is at the user's risk. In no event shall the 
author/distributor be held liable for any damages whatsoever arising out of or 
in connection with the use or spread of this information.

About Deon Force

Deon Force is a team of security experts working in collaboration with Asia 
Global Risk.

About Asia Global Risk

Asia Global Risk is a risk management company providing a wide range of 
security services, including IT security.
Website: http://www.asia-global-risk.com

Revisions:

Version 0.1 April 21 -2006 ? Draft version.
Version 1.0 May 2 -2006 ? First Public Version.
An updated version of this document may be found at this address: 
http://www.asia-global-risk.com/IT/AGR_IT_ADV_2006-01-VNC.pdf