Check for RealVNC auth bypass even if other auth types are offered

2025-12-06 04:31:29 +00:00 · 2017-03-15 16:19:55 +00:00
parent 8854d2e33a
commit c98a547104
1 changed files with 11 additions and 1 deletions
--- a/scripts/realvnc-auth-bypass.nse
+++ b/scripts/realvnc-auth-bypass.nse
@@ -74,11 +74,21 @@ request in which the client specifies an insecure security type such as
  socket:send("RFB 003.008\n")
  status, result = socket:receive_bytes(2)

-  if (not status or result ~= "\001\002") then
+  if not status then
    socket:close()
    return report:make_output(vuln)
  end

+  local numtypes = result:byte(1)
+  for i=1, numtypes do
+    local sectype = result:byte(i+1)
+    if sectype == 1 then
+      --already supports None auth
+      socket:close()
+      return report:make_output(vuln)
+    end
+  end
+
  socket:send("\001")
  status, result = socket:receive_bytes(4)