Well, I’ve got a nice way of doing “easy” one-click (or one cut-and-paste) light desktop support for Windows or Linux: one uses UltraVNC SC, the other uses x11vnc with a special wrapper script. So, what security flaws are there in this process? Well, for starters, I see the biggest vulnerability being for the computer running the listening vncviewer (because it HAS to be available to the outside world). That means the tech support desk must keep on top of vncviewer updates and keep the service turned off when not expecting a client connection. The other question that comes to mind is encryption though…
There are ways to encrypt UltraVNC SC and x11vnc. UltraVNC SC would probably be a bit more straightforward with the DSM encryption plugin; the x11vnc encryption, however, as best as I can see, would have to be through an SSH tunnel. That might not be the best (an SSH tunnel would require a login on the remote machine, or a user from the remote machine to log on to the support machine…); either one of those opens up more of a can of worms than it MIGHT be worth. Why would we be concerned about encryption? If it were a static VNC setup, with a server available most of the time, we would have password authentication and wouldn’t want someone snooping our password. SSH encryption would prevent that. However, that’s not the model that the remote tech support “single click” approach uses…
In this case the server initiates the connection to a hard-coded viewer. That session could be eavesdropped on, I suppose, since it’s in the clear, but I don’t see it being of much value, as most MITM attacks are geared at pulling text out of login sessions or text out of web page downloads (hijacking domains by substituting text that’s in the clear…). It’s not obvious to me that the framebuffer binary screen refreshes could be snooped as easily, or, in this case, what an attacker could actually do with the stream of data. Usually, such things are used to gain access to the machine, but in this case the server goes away after the connection, so there’s no advantage to be gained there.
I hope at some point to sit down and look at what “tools” there might be to view VNC sessions and look at what they’re geared towards. The last I saw, though, password information (of the VNC server login) was the goal, and I don’t know that I’ll find anything otherwise. So, that angle of the security of the plain text VNC is still an open question, but I’m doubtful that this setup would be a great risk. (Plain text connections to a password-protected VNC server ARE a greater risk… if you’re setting up a vncserver for permanent “outside world” accessibility, encrypt connections to it somehow.)
The worst case there that I see is that someone can eavesdrop on the support session by viewing it. (Much the same way JPGs can be displayed from a hijacked browsing stream?) Maybe keystrokes from the client could be parsed, but with the tools I just looked at, there aren’t *easy* ways to do it, like there are easy ways to capture, say, an email login over POP3…
It looks as though the x11vnc writer is looking at integrating stunnel SSL encryption in a future release. That MIGHT be a great answer to simplify encrypting the Linux remote tech support connection, but shared libraries might get in the way of wide compatibility.
As for the wrapper script, that’s the Achilles heel in the Linux version of this. I think it would be possible for someone to alter the $REMOTELISTENER machine name on the fly and hijack a session that way. Of course, they could also hijack the initial wget yoursite.com call and substitute some other file in place of the script. Of course, I would think that for someone to take that effort, they would be intent on targeting you specifically. (Given that it’s a text string, I wonder if that could be substituted in a binary download of the UltraVNC SC as well? There it would probably have to be the same length as the original…)
As I think about the script, there may be ways to improve the error checking on it to make it harder for such a hijack to happen. I think the chances of someone trying that are probably low and would indicate a TARGETED interest in monitoring/hijacking a specific person’s connection through the scripted run.
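
One way to add that error checking, as an added example that is not the wrapper script from this post: verify the downloaded script against a SHA-256 digest given to the user out of band, and refuse any listener other than the one pinned value. `EXPECTED_LISTENER`, the function names and the example host are hypothetical, and `sha256sum` is assumed to be installed.

```shell
#!/bin/sh
# Added example: pre-flight checks for a reverse-VNC support wrapper.
# EXPECTED_LISTENER and all function names are hypothetical.

EXPECTED_LISTENER="support.example.com:5500"   # constructed placeholder

# Accept only the pinned host:port. The format check rejects empty values,
# anything starting with "-" (would be read as an option) and any character
# outside hostname/port syntax before the exact comparison.
valid_listener() {
    case "$1" in
        ""|-*|*[!A-Za-z0-9.:-]*) return 1 ;;
    esac
    [ "$1" = "$EXPECTED_LISTENER" ]
}

# Compare a file's SHA-256 with a digest obtained out of band
# (for example, read out by the support desk or included in the pasted command).
verify_script() {
    file=$1 expected=$2
    [ -f "$file" ] || return 1
    actual=$(sha256sum "$file" | cut -d' ' -f1) || return 1
    [ "$actual" = "$expected" ]
}

# Run both checks, then print (not execute) the x11vnc reverse connection
# command so the result can be inspected before it is run.
support_command() {
    script=$1 digest=$2 listener=$3
    verify_script "$script" "$digest" || { echo "script digest mismatch" >&2; return 1; }
    valid_listener "$listener" || { echo "unexpected listener: $listener" >&2; return 1; }
    echo "x11vnc -connect $listener"
}
```

The digest check only helps if the digest reaches the user by a different path than the script itself; fetching both over the same plain HTTP connection lets whoever alters one alter the other.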