Check for RealVNC auth bypass even if other auth types are offered

nmap · Mar 15, 2017 · c98a547 · c98a547
1 parent 8854d2e
commit c98a547
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/scripts/realvnc-auth-bypass.nse b/scripts/realvnc-auth-bypass.nse
@@ -74,11 +74,21 @@ request in which the client specifies an insecure security type such as
   socket:send("RFB 003.008\n")
   status, result = socket:receive_bytes(2)
 
-  if (not status or result ~= "\001\002") then
+  if not status then
     socket:close()
     return report:make_output(vuln)
   end
 
+  local numtypes = result:byte(1)
+  for i=1, numtypes do
+    local sectype = result:byte(i+1)
+    if sectype == 1 then
+      --already supports None auth
+      socket:close()
+      return report:make_output(vuln)
+    end
+  end
+
   socket:send("\001")
   status, result = socket:receive_bytes(4)