
#36 libvncserver 0.9.7 password length bug

Status: closed-fixed
Owner: nobody
Labels: None
Priority: 5
Updated: 2012-08-19
Created: 2010-12-22
Creator: Anonymous
Private: No

In libvncserver-0.9.7, when using rfbScreen->passwordCheck = rfbCheckPasswordByList, a password that is longer than the real password can be entered and as long as it starts with the original password it is accepted. This is also true when using a custom passwordCheck and rfbEncryptBytes.

Example:

Answer = password
Guess = password
ACCEPTED

Answer = password
Guess = passwor
DENIED

Answer = password
Guess = passwordsjg923trin8yrcgnubxyqweqe9qw87e9r8
ACCEPTED

Brandon Holland
http://brandon-holland.com

Discussion

  • Karl J. Runge

    Karl J. Runge - 2011-01-02

    Hi,

    The RFB protocol http://www.realvnc.com/docs/rfbproto.pdf specifies that DES will be used to encrypt the 16 challenge bytes with the user password as the key. Since a DES key can't be more than 8 bytes, only the first 8 bytes of the password are used (and if the password is shorter than 8 bytes DES pads the key out to 8 using null bytes.)

    I believe this is the expected behavior when using DES to encrypt. I even think Unix passwords had this same deficiency until MD5 hashes began being used (not exactly sure.) rfbEncryptBytes() is the DES wrapper.

    The behavior in libvncserver is the same as the other VNC implementations have had for over 10-15 years.

    When you say 'Guess =' above, is that what you type into a vncviewer? If so, then it sounds like the viewer is the one truncating the password to the first 8 bytes to seed DES (and that is what it should do.)
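
The truncation described in this comment, as an added example that is not part of the original thread and not libvncserver's code: it builds the 8-byte key material (first 8 password bytes, null-padded) and compares it instead of running DES, since equal key material gives an equal response to any challenge. All function names and the sample list are constructed for illustration; the audit helper flags configured passwords that are silently truncated or that collide with another entry.

```c
#include <stdio.h>
#include <string.h>

#define VNC_KEY_LEN 8 /* DES key size in bytes, per the thread */

/* Constructed sample list; the first entry is the ticket's "Answer". */
static const char *const SAMPLE_LIST[] = {
    "password", "passwordViewOnly", "s3cret", NULL
};

/* Key material as described above: first 8 password bytes, NUL-padded. */
static void vnc_key_material(const char *pw, unsigned char key[VNC_KEY_LEN]) {
    size_t n = strlen(pw);
    memset(key, 0, VNC_KEY_LEN);
    memcpy(key, pw, n < VNC_KEY_LEN ? n : VNC_KEY_LEN);
}

/* 1 if both passwords yield identical key material, so a viewer using
 * either one produces the same response to the server's challenge. */
int vnc_same_key(const char *a, const char *b) {
    unsigned char ka[VNC_KEY_LEN], kb[VNC_KEY_LEN];
    vnc_key_material(a, ka);
    vnc_key_material(b, kb);
    return memcmp(ka, kb, VNC_KEY_LEN) == 0;
}

/* Number of entries in a NULL-terminated list longer than 8 bytes. */
int vnc_count_truncated(const char *const *list) {
    int n = 0;
    for (int i = 0; list[i]; i++)
        if (strlen(list[i]) > VNC_KEY_LEN) n++;
    return n;
}

/* Number of pairs in the list that are indistinguishable after truncation. */
int vnc_count_collisions(const char *const *list) {
    int n = 0;
    for (int i = 0; list[i]; i++)
        for (int j = i + 1; list[j]; j++)
            if (vnc_same_key(list[i], list[j])) n++;
    return n;
}

int main(void) {
    printf("truncated=%d collisions=%d\n",
           vnc_count_truncated(SAMPLE_LIST), vnc_count_collisions(SAMPLE_LIST));
    printf("long guess matches: %d\n", vnc_same_key("password",
           "passwordsjg923trin8yrcgnubxyqweqe9qw87e9r8"));
    printf("short guess matches: %d\n", vnc_same_key("password", "passwor"));
    return 0;
}
```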

     
  • Nobody/Anonymous

    Hi,

    Yeah, "Guess" was an attempt at logging in with a viewer. Cool, I wasn't sure if that was the expected behavior or not.

    Thanks,

    Brandon Holland
    http://brandon-holland.com

     
  • Christian Beier

    Christian Beier - 2012-08-19
    • status: open --> closed-fixed