Kaseya Community

VNC Hacked?

  • I have a user who has a business pc that we manage at her house. She had been complaining of someone logging on remotely to her system for the last couple of weeks. We scanned and tested the computer remotely for Trojans/Rootkits etc but found nothing.

    I checked the K server system logs for connections using VNC but there were none. I asked the user to watch the computer the next time it happened and to check the VNC icon to see if it turned black. Well it did.

    On further exam of her system we discovered she had no firewall. My question is, does VNC have any flaws that would allow them to gain access? I know an older version from realvnc 4.1.1.1 did have a flaw but it has since been fixed.

    I had thought VNC was encrypted back to the server.

    Legacy Forum Name: VNC Hacked?,
    Legacy Posted By Username: edguyer
  • As I understand it, VNC Server runs on the local machine and is configured to accept connections from 127.0.0.1, that same local machine.

    The Kaseya Agent is then used to pipe the data and make the connection to VNC so that it appears to be connecting from the local machine.

    Two ways to manipulate this. (1) You could reconfigure the VNC server to accept connections from elsewhere. (2) A virus running on that machine could do the same thing and connect to the VNC server through 127.0.0.1 and pipe the connection anywhere.

    In the past we've used something as basic as netstat running every 5 minutes and appending to a file to see if there is a situation where a TCP connection is held open that we can't explain. In this case look for something using the VNC port.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: doug.jenkins@ispire.ca
  • I see that the version is 4.2.2 r13117, which has a known password bypass exploit.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: edguyer
  • Where's my rubber duckie? Man, you think because you say it in Latin it must sound profound?

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: boudj
  • Profound, no. I actually use it to see what ferox or rudis comment I can get from people who obviously Googled for the answer.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: edguyer
  • Of course I googled for the answer, as a good IT guy I research things I don't know (cause there's a lot I don't know!) so I can learn... I just don't feel the need to be pretentious.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: boudj
  • http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4770

    with accept connections from local host only, you should be fine. if you had a copy of VNC installed previously (ie, RealVNC Free), it may transfer over some settings. I just checked, and my local copy was not limited to local connections. I reinstalled RC from Kaseya and it fixed itself.

    edit: entered support ticket to notify developers in case they are unaware.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: nevesis
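The two checks raised above, doug.jenkins' idea of sampling netstat on a schedule and looking for a VNC connection you cannot explain, and nevesis' point that the "accept connections from local host only" setting may not be in effect, can both be read off the same `netstat -ano` output. The following is an added example and is not code from the thread or from Kaseya. The netstat snapshots are constructed sample data, the port set `VNC_PORTS` is an assumption, and the only fact taken from the thread is that the Kaseya relay reaches VNC from 127.0.0.1, so any listener bound outside loopback, or any established session whose peer is not loopback, is the condition the posters were hunting for.

```python
"""Audit `netstat -ano` output for a VNC server reachable beyond loopback.

Added example for the Kaseya thread, not the project's own code. Port set,
sample snapshots and the Finding fields are assumptions made for illustration.
"""
import ipaddress
import subprocess
from dataclasses import dataclass

# Assumed port set: 5900 is the RFB port for display :0, 5901 for display :1,
# 5800 the RealVNC 4.x Java-viewer HTTP port. Adjust to match the deployment.
VNC_PORTS = {5800, 5900, 5901}

# Constructed sample of Windows `netstat -ano` output (not captured from a real
# host). Two snapshots five minutes apart, in the spirit of the appended-file
# approach from the thread. The 0.0.0.0:5900 listener means "only accept
# connections from the local machine" is NOT in effect; 203.0.113.7 is a
# documentation-range address standing in for an unknown remote viewer.
SNAPSHOT_T0 = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       2412
  TCP    127.0.0.1:5900         127.0.0.1:49213        ESTABLISHED     2412
  UDP    0.0.0.0:500            *:*                                    1120
"""
SNAPSHOT_T5 = SNAPSHOT_T0 + """\
  TCP    192.168.1.10:5900      203.0.113.7:51002      ESTABLISHED     2412
"""
# What a correctly configured host looks like: VNC bound to loopback only.
SNAPSHOT_HARDENED = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:5900         0.0.0.0:0              LISTENING       2412
  TCP    127.0.0.1:5900         127.0.0.1:49213        ESTABLISHED     2412
"""


@dataclass(frozen=True)
class Finding:
    kind: str      # "exposed_listener" or "remote_session"
    local: str
    foreign: str
    pid: str


def split_endpoint(endpoint: str):
    """'192.168.1.10:5900' -> (IPv4Address, 5900); also handles '[::1]:5900'."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    if host in ("*", ""):
        host = "0.0.0.0"
    return ipaddress.ip_address(host), (int(port) if port.isdigit() else 0)


def parse_netstat(text: str):
    """Yield (local, foreign, state, pid) for each TCP line of `netstat -ano`."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] == "TCP":
            yield fields[1], fields[2], fields[3], fields[4]


def audit_vnc(netstat_text: str):
    """Return findings for VNC sockets that are not confined to loopback."""
    findings = []
    for local, foreign, state, pid in parse_netstat(netstat_text):
        local_ip, local_port = split_endpoint(local)
        if local_port not in VNC_PORTS:
            continue
        foreign_ip, _ = split_endpoint(foreign)
        # The Kaseya relay always talks to VNC from 127.0.0.1 (per the thread);
        # a non-loopback bind or a non-loopback peer is the unexplained case.
        if state == "LISTENING" and not local_ip.is_loopback:
            findings.append(Finding("exposed_listener", local, foreign, pid))
        elif state == "ESTABLISHED" and not foreign_ip.is_loopback:
            findings.append(Finding("remote_session", local, foreign, pid))
    return findings


def new_findings(previous: str, current: str):
    """Snapshot-to-snapshot diff: report only what appeared since the last run."""
    return sorted(set(audit_vnc(current)) - set(audit_vnc(previous)),
                  key=lambda f: (f.kind, f.local, f.foreign))


def live_netstat() -> str:
    """Run the real command on a Windows host (the sample run below does not)."""
    return subprocess.run(["netstat", "-ano"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    for hit in audit_vnc(SNAPSHOT_T5):
        print(f"{hit.kind:16} local={hit.local:22} foreign={hit.foreign:22} pid={hit.pid}")
    print("new since last snapshot:", new_findings(SNAPSHOT_T0, SNAPSHOT_T5))
```

Run on a schedule, `new_findings(last_snapshot, live_netstat())` is the appended-file technique with the comparison done for you; an `exposed_listener` hit on 0.0.0.0:5900 is the sign that the "local connections only" setting was not carried over, whether or not anyone has connected yet.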
  • A ticket would be the best way to communicate this to Kaseya...

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: ReedMikel
  • nevesis
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4770

    with accept connections from local host only, you should be fine. if you had a copy of VNC installed previously (ie, RealVNC Free), it may transfer over some settings. I just checked, and my local copy was not limited to local connections. I reinstalled RC from Kaseya and it fixed itself.

    edit: entered support ticket to notify developers in case they are unaware.

    That would be my guess... I'm guessing she already had VNC installed beforehand and it is still allowing incoming connections.

    Perhaps uninstall it and let Kaseya configure from scratch. I would also run a portscan on her connection to see what other ports are allowed through.

    Why is her router passing through all traffic anyway? Or I guess she could have a modem instead.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: Eelkov@aanet.com.au
  • There is a concern with K-VNC running on a Terminal Server. A standard user can access the VNC Server Properties (User Mode). Opening this application generates a new security key and allows you to very easily change or even remove the password authentication. Then the user can run the VNC Viewer to connect to 127.0.0.1 and access the console session of the Terminal Server. If your administrator forgot to lock their console session, the user now has admin rights Eek

    Fortunately, we haven't found a way to force VNC to listen to anything other than the loopback address without reinstalling the application.

    We've worked around this problem by writing a script that removes the Start Menu entries for VNC Viewer. We're also playing around with changing the security rights on the VNC program files directory.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: ttroyer@emaple.net
  • Hi all

    I would like to clarify a couple of issues that have been raised on this thread:

    1) the vulnerability that nevesis refers to affects the VNC Server build deployed to the remote machine when "WinVNC" is used. K-VNC uses VNC Enterprise Edition 4.4.3, which is not affected. I have alerted our Development team to the fact that WinVNC may be subject to this vulnerability.

    2) when a K-VNC or WinVNC session is started from Kaseya, and any other version of RealVNC is detected on the remote machine, scripts are run to remove the current version and install the correct version for the VNC type being used (Free Edition 4.1.2 for WinVNC, Enterprise Edition 4.4.3 for K-VNC). It is possible that settings such as 'only allow local connections' from a previous install may be kept, if it was the exact same RealVNC Server build. Also they may be changed after installation by anyone who has administrative control over the remote machine.

    3) Kaseya sets a new random password every time a VNC session is started. This password can be changed by anyone who has administrative control over the remote machine, and this would be reset again by Kaseya the next time VNC is used.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: dwalsh
  • I can understand that VNC has implicit security issues running on a terminal server. At the very least, there should be a way for the Kaseya Master Admin to administratively disable the installation of KVNC. That would fix this problem and the problem of accidentally removing legitimate installation of VNC pre-existing on an agent.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: ttroyer@emaple.net
  • Late getting back to this but better late than never.

    To answer ReedMikel, a ticket was opened with Kaseya. Their answer was lacking, to say it kindly. Their response almost verbatim was, "It can't happen. Kaseya uses a secure system that cannot be hacked". Whenever I hear those claims I immediately think the person is a bonehead.

    The version of VNC used with Kaseya has a known security hole that allows it to be hijacked. End of story. Kaseya can say what they want but it is well documented.

    Now, it takes another bonehead to put themselves in the position of getting hacked. In my case the user had taken their computer home with them (desktop) to work from home while on maternity leave. She had no firewall on her home internet connection. The attacker was able to spoof her IP and MAC address, bypassing Kaseya's fool-proof security.

    Granted the user did this to themselves and did not follow any type of best practice (including not telling us she moved the pc) but Kaseya dismissed my concerns out of hand right away. I can understand toeing the company line to the public and world but you should always take all security concerns very seriously.

    After the support agent closed the ticket, I completed the survey and gave them my concerns, never heard another word about the issue.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: edguyer
  • edguyer, I checked your ticket and with all due respect we did not tell you that "it can't happen". Here is what we did advise you at the time (March 20th). It clearly states that you may be vulnerable without a firewall, and I have also acknowledged the vulnerability elsewhere in this thread. We have also since reproduced and hotfixed the terminal services vulnerability with K-VNC raised by ttroyer (this was an issue with the Kaseya scripts that initiate the VNC server service).

    One thing that is not mentioned in the KB articles you were sent is that each time a VNC session is initiated from the VSA, a new random password is set in VNC Server on the remote machine. This password is sent encrypted and there is no way that someone can know it.

    If you use K-VNC then the VNC server version deployed to the endpoint is Enterprise Edition 4.4.3 (r14632).

    Having said that, if you don't have a firewall in place you may still be subject to any vulnerabilities affecting the VNC application. Our security architecture does not require ANY inbound ports to be open to managed machines. If you manage machines which are not protected by firewalls I would recommend you uninstall VNC after each time you use it. The Uninstall RC function in the VSA will silently remove it from the machine, and it will get silently installed again the next time you initiate a connection.
    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: dwalsh