ThinVNC 1.0b1 - Authentication Bypass
Discovered by
Offensive Team, Fluid Attacks
Summary
Full name
ThinVNC 1.0b1 - Authentication Bypass
Code name
State
Public
Release date
13 Apr 2022
Affected product
ThinVNC
Affected version(s)
Version 1.0b1
Vulnerability name
Authentication Bypass
Vulnerability type
Remotely exploitable
Yes
CVSS v3.1 vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS v3.1 base score
10.0
Exploit available
Yes
CVE ID(s)
Description
ThinVNC version 1.0b1 allows an unauthenticated user to bypass the authentication process via http://thin-vnc:8080/cmd?cmd=connect by obtaining a valid SID without any kind of authentication. It is possible to achieve code execution on the server by sending keyboard or mouse events to the server.
Proof of Concept
Send the following request to the application in order to obtain a valid SID.
Obtain the SID from the server response and add it to the following request in order to validate the SID.
Now it is possible to send keystrokes or mouse moves to the server using the validated SID.
Exploit
The following exploit can be used to obtain a reverse shell on the server running the ThinVNC application.
The following code can be used to take screenshots of the VNC session.
Mitigation
As of 2022-04-13 there is no patch resolving the issue. Until one is available, do not expose the ThinVNC web listener (port 8080 in the description above) to untrusted networks; restrict access to it with a firewall or VPN.
References
Timeline
5 Apr 2022
Vulnerability discovered
5 Apr 2022
Vendor contacted
13 Apr 2022
Public disclosure