SecurityTracker.com Archives - PalmVNC Discloses VNC Server Usernames and Passwords to Local Users

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

SecurityTracker
Archives

Sign Up

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Affiliates

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Partners

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (Generic) > PalmVNC

Vendors: Harakan Software

PalmVNC Discloses VNC Server Usernames and Passwords to Local Users

SecurityTracker Alert ID: 1006855

CVE Reference: CAN-2003-0406 (Links to External Site)

Updated: Jan 21 2004

Original Entry Date: May 27 2003

Impact: Disclosure of authentication information

Exploit Included: Yes

Version(s): 1.40 and possibly earlier versions

Description: A vulnerability was reported in PalmVNC. A local user can obtain VNC usernames and passwords.

Flurnet Security reported that PalmVNC saves passwords in plaintext form in the 'PalmVNCDB' database with creator ID 'PVNC/Data'. The affected database is reportedly configured with the 'backup bit' and, therefore, is copied to the Palm directory on the user's computer as filename PalmVNCDB.PDB during synchronization. A local user on either the Palm device or the user's computer can view the VNC server username and password.

Impact: A local user on the Palm device or the user's computer can obtain VNC server usernames and passwords.

Solution: No solution was available at the time of this entry.

The author of the report recommends that, as a workaround, you do not save the passwords and that you unset the backup bit on PalmVNCDB (2 attribute bytes in the PDB header after 32 byte null terminated name. Unset 0x0008.)

Vendor URL: www.harakan.btinternet.co.uk/PalmVNC/ (Links to External Site)

Cause: Access control error

Underlying OS: PalmOS

Reported By: flur <flur@flurnet.org>

Message History: None.

Source Message Contents

Date: Mon, 26 May 2003 15:17:35 -0400
From: flur <flur@flurnet.org>
Subject: PalmVNC 1.40 Insecure Records

 

Flurnet Security
----------------

Application:    PalmVNC 1.40
Developer(s):   Harkan Software (http://www.harakan.btinternet.co.uk/PalmVNC/)
                 Vladimir Minenko (http://www.wind-networks.de/PalmVNC/)
Scope:          VNC passwords saved in plaintext with backup bit.
Tested on:      PalmVNC 1.40 (older versions probably vulnerable)

PalmVNC saves passwords in plaintext, relying on the fact that PalmOS is 
hard to navigate, and thus finding the corresponding records would be 
relatively difficult. This is not the case. VNC stores saved passwords in a 
database called:

PalmVNCDB with creator ID: PVNC/Data.

To make matters worse, this database is configured with the 'backup bit' 
and thus it is copied into the users directory on any PC that the palm 
synchronizes with (filename: PalmVNCDB.PDB).

The PalmVNCDB database contains record #0 (4bytes- nothing interesting) 
followed by records for each saved server profile. These profile records 
are typically 172 bytes long and contain VNC server ip or hostname, 
username and password in plaintext.

Suggested solutions:
  - Encrypt this database and code client support.
  - If it is critical that PalmVNC is used, it is not recommended that 
passwords be saved.
  - Unset the backup bit on PalmVNCDB
    (2 attribute bytes in the PDB header after 32 byte null terminated 
name. Unset 0x0008.)



____________________ __ _
~FluRDoInG                        flur@flurnet.org
                             http://www.flurnet.org
KEY ID 0x8C2C37C4 (pgp.mit.edu) RSA-CAST 2048/2048
1876 B762 F909 91EB 0C02  C06B 83FF E6C5 8C2C 37C4

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us | Help
Copyright 2004, SecurityGlobal.net LLC