So, you have a computer on the network and you want virtual terminal access. You install RealVNC and, blammo! Compromised by a bot trolling the net.

No, I’m not kidding. Bascially the RealVNC 4.1.1 server responds to a request for access without verifying valid options. In other words, if you send it a “let me in without a password” even if it never suggested that was available to you, it still lets you in without a password.

This is like a hotel clerk saying “Welcome to Chez VNC, we have a room for you on the 1st floor with a view of the parking lot” and you say “Thanks, I’d be happy to take that penthouse on floor 29 with a view of the bay” and that’s it, you’re in the penthouse without needing to know the manager or having some other special credentials.

Evil exploit bots love this sort of thing, for obvious reasons; they can just scan blocks of IPs and then take over any vulnerable service they find. The bottom line is you really should not run virtual terminal connections without using some other authentication system (beyond the password) and/or a secure tunnel/wrapper like SSH. This has always been a best practice, but now you have a critical vulnerability to add some spice.

And that’s not even the end of the story. James Evans wrote a rather blunt explanation of a related issue on the full-disclosure list:

RealVNC is distributed under the GNU General Public License. As such, the complete source code of RealVNC *must* be freely distributed. When RealVNC (the company) received notice of this flaw in their software, they were quite prompt in patching it. Such action is normally worthy of praise. Yet, in this case, RealVNC immediately took down the source code to their software. While this was probably done out of fear rather than malice, I believe it violates both the spirit and law of the GNU GPL. As we can see from the above, it is also not beneficial to security. I was able to rediscover this flaw using only binaries, and a little thought. Allowing for the benefit of doubt, I posted to the RealVNC mailing list, congratulating them on patching the bug so quickly and asking when the source code would be released. I received one reply from another user, agreeing that he would like to see the source, as it is under GPL. Upon returning the next day to check if there were any more replies, I was surprised to see the entire mailing list was deleted along with its archives. This is unfortunate, and it clearly neither prevents discussion nor promotes security.

Ouch. The source reportedly was back online by the next day…