The security of remote tech support (ultravnc sc or x11vnc with wrapper script)

Well, I’ve got a nice way of doing “easy” one click (or one cut and paste) light desktop support for windows or linux, one uses ultravnc sc, the other uses x11vnc with a special wrapper script. So, what security flaws are there in this process? Well, for starters, I see the biggest vulnerability for the computer running the listening vncviewer (because it HAS to be available to the outside world.) That means the tech support desk must keep on top of vncviewer updates and keep the service turned off when not expecting a client connection. The other question that comes to mind is encryption though….

There are ways to encrypt ultravnc sc and x11vnc, the ultravnc sc would probably be a bit more straightforward with the dsm encryption plugin, however the x11vnc encryption, as best as I can see would have to be through a ssh tunnel. Which might not be the best (ssh tunnel would require a login on the remote machine, or a user from the remote machine to log on to the support machine…) either one of those opens up more worms than it MIGHT be worth. Why would we be concerned about encryption..? If it were a static vnc setup, with a server available most of the time, we would have password authentication and wouldn’t want someone snooping our password. SSH encryption would prevent that. However, that’s not the model that the remote tech support “single click” approach uses….

In this case the server initiates the connection to a hard coded viewer. That session could be eavesdropped on I suppose since it’s in the clear, but I don’t see it being of much value as most mitm attacks are geared at pulling text out of login sessions, text out of web page downloads (hijack domains by substituting text that’s in the clear…) It’s not obvious to me that the framebuffer binary screen refreshes could be snooped as easily, or…. in this case, what an attacker could actually do with the stream of data. Usually, such things are used to gain access to the machine, but in this case, the server goes away after the connection, so there’s no advantage to be gained there.

I hope at some point to sit down and look at what “tools” there might be to view vnc sessions and look at what they’re geared towards. The last I saw though, password information (of the vnc server login) was the goal and I don’t know that I’ll find anything otherwise. So, that angle of the security of the plain text vnc is still an open question, but I’m doubtful that this setup would be a great risk. (Plain text connections to a password protected vnc server ARE a greater risk… if you’re setting up a vncserver for permanent “outside world” accessibility, encrypt connections to it somehow.)

The worst case there that I see is that someone can eavesdrop on the support session by viewing it. (Much the same way jpg’s can be displayed from a hijacked browsing stream?) Maybe keystrokes from the client could be parsed, but with the tools I just looked at, there aren’t *easy* ways to do it, like there are easy ways to capture say, an email login over pop3….

It looks as though the x11vnc writer is looking at integrating stunnel ssl encryption in a future release, that MIGHT be a great answer to simplify encrypting the linux remote tech support connection, but shared libraries might get in the way of wide-compatibility.

As for the wrapper script, that’s the achilles heel in the linux version of this. I think, it would be possible for someone to alter the $REMOTELISTENER machine name on the fly and hijack a session that way. Of course, they could also hijack the initial wget call and substitute some other file in place of the script. Of course, I would think for someone to take that effort, they would be intent on targetting you specifically. (given that it’s a text string I wonder if that could be substituted in a binary download of the ultravnc sc as well? There it would probably have to be the same length as the original…)

As I think about the script there may be ways to improve the error checking on that to make it harder for such a hijack to happen. I think the chances of someone trying that are probably low and would indicate a TARGETTED interest in monitoring/hijacking a specific persons connection through the scripted run.

Related Posts

Blog Traffic Exchange Related Posts
  • Windows 98 and ME in final days of support (6 by my count) July 11th will mark the end of Microsoft's support for Windows 98 and ME. Which means that there will be no further security updates for those systems after that date. In SOME ways, those systems may find comfort in the security through obscurity approach as much malware MAY not run......
  • Using screen to connect multiple users to a shell session I NEVER knew you could use screen for this.... Let multiple users connect to the same Console (command shell/bash shell) session simultaneously. I've looked at screen before. It's a great *nix utility that's available for most linux distributions. The primary use I've seen for it is to be able to......
  • Ebay "sell your item" upgrade leaves linux behind? Ebay is apparently aware of some problems with their new "Sell your item" tool and linux web browsers. The article above says that they tried with several browsers windows/linux/mac and the common denominator was linux. Even firefox on linux failed where firefox on windows worked (and the user agent......
Blog Traffic Exchange Related Websites
  • Ten Steps To Become a Linux/Unix Geek Until recently, Linux/Unix was considered OS of the geeks. However, with GUI and more desktop Linux distributions, things have simplified on both Linux and Unix. Still you can geek out with Unix/Linux using its terminal. Just follow the steps below to master the terminal. 1. Never used Linux! Get Ubuntu......
  • Encryption: Never Leave Home Without It As portable drives have gotten physically smaller and larger in storage capacity, they've become an indespensible gadget for many.  If you use yours to store vital and sensitive information, you need to secure that information with encryption.  I should not need to tell you about the long list of......
  • Microsoft Security Bulletin MS10-046 - Critical Microsoft Security Bulletin MS10-046 - Critical Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198) Published: August 02, 2010 | Updated: August 03, 2010 Version: 1.1 General Information Executive Summary This security update resolves a publicly disclosed vulnerability in Windows Shell. The vulnerability could allow remote code execution if the icon......    Send article as PDF   

Similar Posts

See what happened this day in history from either BBC Wikipedia
Amazon Logo

Comments are closed.

Switch to our mobile site