On Wed, 24 Jul 2002 jepler@unpythonic.net wrote: > If your server will give the same challenge repeatedly, and you can > sniff somebody else's challenge and response, it appears that you could > authenticate without knowing the password simply by connecting within > the 1-second window to get the same challenge, and then send the same > response as the legitimate client. > > Another weakness in the challenge is that it uses 'random()%256'. Many > implementations of random() have highly predictable low bits. It's not > clear that this leads to as easy a compromise as the repeated challenge > problem, but it's something that warrants consideration.. While looking at this, I noticed (in 3.3.3r2) that VNC seems to use the password directly as a key to DES (truncating if the size is > 8 and padding with NULL if it's < 8). Since DES ignores the low bit of each byte of the key, this seems to mean that there are many different passwords which will be accepted in place of the "real" password. (Can someone confirm this is actually the case?) Between that and the fact that challenges are based only on time(0) [ie you can easily precompute every possible challenge the VNC server would send out over the next week], it _may be a bad idea to rely on VNC's built in authentication. Regards, Jack
