There are two things I want to point out. I address the confidentiality of the packets travelling over the net, and the design weaknesses of the protocol. I do not know in detail the VNC authentication algorithm, but if it uses DES as this thread implies, then it is susceptible to brute-force attacks, no matter how good the pseudo-random challenge value is.

>VNC uses a DES-encrypted challenge-response system to avoid passing passwords
>over the wire in plaintext.
>

A secure channel is a pretty good solution to the replay attack. Or in any event, to prevent sniffers from reusing responses to the reused challenges, the challenge packets should have an always-changing padding value, e.g.

    get rnd
    send E_K ( timestamp | rnd )

This would keep the challenge repetitions unnoticed by sniffers. Notice that this doesn't prevent the brute-force attack (e.g., if an attacker decrypts challenge and response he gets the key and will be forever happy).

There are also some minor drawbacks of this authentication procedure, e.g., the packets' integrity is never checked, and the server is not authenticated. These problems do not pose a direct threat to the use of VNC, and in turn can be solved using secure channels. Ssh is then a good option.

Ariel Waissbein

====================[ CORE Security Technologies ]==================
Ariel Waissbein
Senior Researcher - Corelabs
Pgp Fingerprint: 8D5E 46CC A6DA C46F 1EBC  C3D3 210A 37F0 8A47 76AA
email : ariel_waissbein@corest.com
url: http://www.corest.com
=============================================================

I was scared. Petrified. Because (x) hearing voices isn't like catching a cold, you can't get rid of it with lemon tea (y) it's inside, it is not some naevus, an epidermal blemish you can cover up or cauterise (z) I had no control over it. It was there of its own volition, just stopped in and (zz) I was going bananas.
-Tibor Fischer ``The Thought Gang"
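The replay weakness discussed in the post, as an added simulation that is not part of the original message or of VNC itself: a toy challenge-response server is run once with a challenge that repeats between sessions and once with a fresh random challenge per session, and in each case a response sniffed from a legitimate login is replayed into a new session. The "E_K" function is an assumption: HMAC-SHA256 stands in for the DES encryption the thread describes, because the point being shown (a repeated challenge makes the sniffed response reusable; a fresh one does not) does not depend on the cipher. The key, challenge size and fixed challenge value are constructed sample values. Note that, exactly as the post says, a fresh challenge fixes replay but does nothing about the 56-bit key space of DES; the constructed key here is only a label.

```python
import hashlib
import hmac
import os


def respond(key: bytes, challenge: bytes) -> bytes:
    """Client side of the challenge-response.

    Stand-in for E_K(challenge) (assumption): HMAC-SHA256 replaces the
    DES encryption discussed in the thread.
    """
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Server:
    """Toy VNC-style authenticator.

    fresh=False models a server whose challenge repeats from session to
    session (the weakness the post describes); fresh=True draws a new
    random challenge for every session.
    """

    def __init__(self, key: bytes, fresh: bool) -> None:
        self.key = key
        self.fresh = fresh
        self.pending = None  # challenge of the session awaiting a response

    def issue_challenge(self) -> bytes:
        if self.fresh:
            self.pending = os.urandom(16)
        else:
            self.pending = b"\x00" * 16  # constructed fixed challenge
        return self.pending

    def verify(self, response: bytes) -> bool:
        if self.pending is None:
            return False  # no session open
        expected = respond(self.key, self.pending)
        self.pending = None  # a challenge is answered at most once
        return hmac.compare_digest(expected, response)


def simulate_replay(fresh: bool) -> dict:
    """Run one legitimate login, sniff it, then replay it into a new session.

    Returns whether the legitimate login succeeded, whether the second
    session's challenge equalled the first, and whether the replay was
    accepted.
    """
    key = b"constructed-secret-key"  # constructed sample key, not a real one
    server = Server(key, fresh)

    # 1. Legitimate client authenticates; a sniffer records both packets.
    c1 = server.issue_challenge()
    r1 = respond(key, c1)
    legit_ok = server.verify(r1)
    sniffed_response = r1

    # 2. A new session is opened and the recorded response is sent back
    #    without knowledge of the key.
    c2 = server.issue_challenge()
    replay_ok = server.verify(sniffed_response)

    return {
        "legit": legit_ok,
        "challenge_repeated": c1 == c2,
        "replay": replay_ok,
    }


if __name__ == "__main__":
    print("repeated challenge:", simulate_replay(fresh=False))
    print("fresh challenge:   ", simulate_replay(fresh=True))
```

With the repeating challenge the replayed response is accepted; with a fresh 16-byte random challenge the recorded response no longer matches and the login fails. A server-side log of rejected responses against fresh challenges is also the natural place to look for replay attempts.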