Nmap realvnc-auth-bypass NSE Script

Script Overview

---

Script source code: https://github.com/nmap/nmap/tree/master/scripts/realvnc-auth-bypass.nse
Script categories: auth, safe, vuln
Target service / protocol: vnc
Target network port(s): 5900, 5901, 5902
List of CVEs: CVE-2006-2369

Script Description

---

The realvnc-auth-bypass.nse script checks if a VNC server is vulnerable to the RealVNC authentication bypass (CVE-2006-2369).

Realvnc-auth-bypass NSE Script Arguments

---

This is a full list of arguments supported by the realvnc-auth-bypass.nse script:

vulns.short

If set, vulnerabilities will be output in short format, a single line consisting of the host's target name or IP, the state, and either the CVE ID or the title of the vulnerability. Does not affect XML output.

vulns.showall

If set, the library will show and report all the registered vulnerabilities which includes the NOT VULNERABLE ones. By default the library will only report the VULNERABLE entries: VULNERABLE, LIKELY VULNERABLE, VULNERABLE (DoS) and VULNERABLE (Exploitable). This argument affects the following functions: vulns.Report.make_output(): the default output function for portule/hostrule scripts. vulns.make_output(): the default output function for postrule scripts. vulns.format_vuln() and vulns.format_vuln_table() functions.

- - -
To use these script arguments, add them to the Nmap command line using the --script-args arg1=value,[arg2=value,..] syntax. For example:

nmap --script=realvnc-auth-bypass --script-args vulns.short=value,vulns.showall=value <target>

Realvnc-auth-bypass NSE Script Example Usage

---

Here's an example of how to use the realvnc-auth-bypass.nse script:

nmap --script=realvnc-auth-bypass <target>

Realvnc-auth-bypass NSE Script Example Output

---

Here's a sample output from the realvnc-auth-bypass.nse script:

PORT     STATE SERVICE VERSION
5900/tcp open  vnc     VNC (protocol 3.8)
| realvnc-auth-bypass:
|   VULNERABLE:
|   RealVNC 4.1.0 - 4.1.1 Authentication Bypass
|     State: VULNERABLE
|     IDs:  CVE:CVE-2006-2369
|     Risk factor: High  CVSSv2: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
|       RealVNC 4.1.1, and other products that use RealVNC such as AdderLink IP and
|       Cisco CallManager, allows remote attackers to bypass authentication via a
|       request in which the client specifies an insecure security type such as
|       "Type 1 - None", which is accepted even if it is not offered by the server.
|     Disclosure date: 2006-05-08
|     References:
|       http://www.intelliadmin.com/index.php/2006/05/security-flaw-in-realvnc-411/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2369

Realvnc-auth-bypass NSE Script Example XML Output

---

There is no sample XML output for this module. However, by providing the -oX <file> option, Nmap will produce a XML output and save it in the file.xml file.

Author

---

• Brandon Enright

References

---

• https://nmap.org/nsedoc/scripts/realvnc-auth-bypass.html
• https://github.com/nmap/nmap/tree/master/scripts/realvnc-auth-bypass.nse
• http://www.intelliadmin.com/index.php/2006/05/security-flaw-in-realvnc-411/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2369

See Also

---

Visit Nmap NSE Library for more scripts.