Make realvnc-auth-bypass a vulns script, store result for other scripts to exploit

2025-12-26 01:19:03 +00:00 · 2017-03-03 19:39:56 +00:00
parent 4b686da521
commit 2a5b23f025
1 changed files with 38 additions and 7 deletions
--- a/scripts/realvnc-auth-bypass.nse
+++ b/scripts/realvnc-auth-bypass.nse
@@ -1,5 +1,6 @@
 local nmap = require "nmap"
 local shortport = require "shortport"
+local vulns = require "vulns"

 description = [[
 Checks if a VNC server is vulnerable to the RealVNC authentication bypass
@@ -10,29 +11,52 @@ license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

 ---
 -- @see vnc-brute.nse
+-- @see vnc-title.nse
 --
 -- @output
 -- PORT     STATE SERVICE VERSION
 -- 5900/tcp open  vnc     VNC (protocol 3.8)
 -- |_realvnc-auth-bypass: Vulnerable

-categories = {"auth", "default", "safe"}
+categories = {"auth", "safe", "vuln"}


-portrule = shortport.port_or_service(5900, "vnc")
+portrule = shortport.port_or_service({5900,5901,5902}, "vnc")

 action = function(host, port)
  local socket = nmap.new_socket()
  local result
  local status = true

+  local vuln = {
+    title = "RealVNC 4.1.0 - 4.1.1 Authentication Bypass",
+    IDS = { CVE = "CVE-2006-2369" },
+    risk_factor = "High",
+    scores = {
+      CVSSv2 = "7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)",
+    },
+    description = [[
+RealVNC 4.1.1, and other products that use RealVNC such as AdderLink IP and
+Cisco CallManager, allows remote attackers to bypass authentication via a
+request in which the client specifies an insecure security type such as
+"Type 1 - None", which is accepted even if it is not offered by the server.]],
+    references = {
+      'http://www.intelliadmin.com/index.php/2006/05/security-flaw-in-realvnc-411/',
+    },
+    dates = {
+      disclosure = {year = '2006', month = '05', day = '08'},
+    },
+    state = vulns.STATE.NOT_VULN,
+  }
+  local report = vulns.Report:new(SCRIPT_NAME, host, port)
+
  socket:connect(host, port)

  status, result = socket:receive_lines(1)

  if (not status) then
    socket:close()
-    return
+    return report:make_output(vuln)
  end

  socket:send("RFB 003.008\n")
@@ -40,7 +64,7 @@ action = function(host, port)

  if (not status or result ~= "\001\002") then
    socket:close()
-    return
+    return report:make_output(vuln)
  end

  socket:send("\001")
@@ -48,10 +72,17 @@ action = function(host, port)

  if (not status or result ~= "\000\000\000\000") then
    socket:close()
-    return
+    return report:make_output(vuln)
  end

-  socket:close()
+  -- VULNERABLE!
+  vuln.state = vulns.STATE.VULN

-  return "Vulnerable"
+  socket:close()
+  -- Cache result for other scripts to exploit.
+  local reg = host.registry[SCRIPT_NAME] or {}
+  reg[port.number] = true
+  host.registry[SCRIPT_NAME] = reg
+
+  return report:make_output(vuln)
 end