Vulnerability in the way Ultr@xxxxxxxxx handles MS-Logon Authentication.
AGR IT Advisory
May 2, 2006
AGR-ADV-2006-01
TITLE: Vulnerability in the way Ultr@xxxxxxxxx handles MS-Logon Authentication.
Overview
Deon Force discovered a vulnerability in Ultr@VNC 1.0.1 and earlier versions
with MS-Logon I and MS-Logon II authentication that may allow attackers to
crack the Windows password directly from the intercepted challenge response of
MS-Logon traffic. This is due to the way Ultr@VNC handles the MS-Logon
authentication.
Description
Ultr@VNC (available at http://ultravnc.sourceforge.net/) is free software
that can display the screen of another computer (via the Internet or a network)
on your own screen. The program remotely controls the other PC over any TCP/IP
connection for administration and support.
While analyzing the MS-Logon authentication of Ultr@VNC, our team found
that it is possible to crack the MS-Logon authentication. It uses a simple
algorithm to generate a response from the challenge sent by the VNC server to
the VNC client, and the username is sent in plain text.
Our team has made an update to VNCrackX4 which is capable of cracking the
intercepted challenge response of the MS-Logon authentication. It is based on
the original version of VNCrackX4 from phenoelit, available for download at
www.phenoelit.de/vnccrack/download.html. The updated version of VNCrackX4 is or
will be available at the same location.
Problems
The challenge response authentication process involves an insecure and
reversible algorithm (XOR).
An attacker can extract the Windows password from the intercepted challenge
response.
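To make the point about a reversible challenge response concrete, the following Python is an added illustration written for this advisory; it is not Ultr@VNC's MS-Logon code and does not reproduce its actual algorithm. It models a constructed scheme in which the response is the challenge XORed with a password-derived key (KEY_LEN and derive_key are constructed assumptions), shows that a passive observer holding both messages obtains that key with a single XOR rather than any guessing, and contrasts it with a keyed one-way (HMAC) response for which the same observation yields nothing usable.

```python
import hashlib
import hmac
import os

# Added example, constructed for this advisory. It is NOT Ultr@VNC's MS-Logon
# code: it models only the property the "Problems" section names, a response
# produced by XORing the challenge with a password-derived key, and contrasts
# it with a keyed one-way (HMAC) response that a passive observer cannot invert.

KEY_LEN = 16  # constructed parameter, not taken from the advisory


def derive_key(password: str) -> bytes:
    """Toy key derivation: UTF-8 password, zero-padded or truncated to KEY_LEN."""
    raw = password.encode("utf-8")
    return (raw + b"\x00" * KEY_LEN)[:KEY_LEN]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def weak_response(challenge: bytes, password: str) -> bytes:
    """Reversible scheme: response = challenge XOR key(password)."""
    return xor_bytes(challenge, derive_key(password))


def key_from_weak_capture(challenge: bytes, response: bytes) -> bytes:
    """What an eavesdropper holding both messages learns from the weak scheme:
    XOR is its own inverse, so challenge XOR response is the key itself.
    No guessing is involved; this is what 'reversible' means in the advisory."""
    return xor_bytes(challenge, response)


def strong_response(challenge: bytes, password: str) -> bytes:
    """One-way scheme: HMAC-SHA256 over the challenge, keyed with the password.
    Observing (challenge, response) gives no algebraic route back to the key.
    An offline dictionary attack against a weak password remains possible, so
    this alone is not a complete fix, but it removes the direct recovery above."""
    return hmac.new(derive_key(password), challenge, hashlib.sha256).digest()


def strong_verify(challenge: bytes, response: bytes, password: str) -> bool:
    """Server-side check for the one-way scheme, using a constant-time compare."""
    return hmac.compare_digest(strong_response(challenge, password), response)


def demo(password: str = "constructed-pw") -> dict:
    """Run both schemes against one random challenge and report whether a passive
    observer recovers the password-derived key from the captured exchange."""
    challenge = os.urandom(KEY_LEN)
    captured_weak = (challenge, weak_response(challenge, password))
    captured_strong = (challenge, strong_response(challenge, password))

    recovered = key_from_weak_capture(*captured_weak)
    weak_leaks = recovered == derive_key(password)

    # The same single XOR applied to the one-way scheme yields only noise.
    noise = xor_bytes(challenge, captured_strong[1][:KEY_LEN])
    strong_leaks = noise == derive_key(password)

    return {
        "weak_leaks_key": weak_leaks,
        "strong_leaks_key": strong_leaks,
        "strong_verifies": strong_verify(*captured_strong, password),
    }


if __name__ == "__main__":
    print(demo())
```

The contrast is the defensive lesson: a challenge response only protects the secret if the function mapping (secret, challenge) to response cannot be inverted by someone who sees both values. The advisory's workarounds (a VPN or the DSM plug-in) address the same risk from the other side, by denying the attacker the intercepted exchange in the first place.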
Impact
Successfully sniffing the authentication session will compromise the Windows
account used for authentication.
This account can further be used to compromise the system or other systems in
the same domain or network.
Solution
We recommend not using the MS-Logon authentication method with Ultr@VNC until
the algorithms used for authentication are improved.
A workaround to this vulnerability would be to use end-to-end encryption for
the communication between the server and the client. Implementing a VPN
solution could prevent an attacker from intercepting the session authentication
exchange.
Another solution is to use the DSM Plug-in available at
http://msrc4plugin.home.comcast.net/index.html provided that the key file is
kept secure.
Credit
This vulnerability was discovered and researched by Deon Force. It was first
reported to the Ultr@VNC team on 21 April 2006.
Copyright
This document is not to be edited or altered in any way without the express
written consent of AGR(B) Sdn. Bhd. If you wish to reprint the whole or any
part of this document, please email no_sp@m_support@asia-global-risk.com for
permission. You may provide links to this document from your web site, and you
may make copies of this document in accordance with international copyright
laws.
Disclaimer
The information within this document may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties, implied or otherwise, with regard to this information or its use.
Any use of this information is at the user's risk. In no event shall the
author/distributor be held liable for any damages whatsoever arising out of or
in connection with the use or spread of this information.
About Deon Force
Deon Force is a team of security experts working in collaboration with Asia
Global Risk.
About Asia Global Risk
Asia Global Risk is a risk management company providing a wide range of
security services, including IT security.
Website: http://www.asia-global-risk.com
Revisions:
Version 0.1, April 21, 2006: Draft version.
Version 1.0, May 2, 2006: First Public Version.
An updated version of this document may be found at this address:
http://www.asia-global-risk.com/IT/AGR_IT_ADV_2006-01-VNC.pdf