UltraVNC w/ DSM Plugin Detection

This script is Copyright (C) 2005-2013 Tenable Network Security, Inc.


Synopsis :

A remote control service is running on this port.

Description :

UltraVNC seems to be running on the remote port.

Upon connection, the remote service on this port always sends the same
12 pseudo-random bytes.

It is probably UltraVNC with the old DSM encryption plugin. This
plugin tunnels the RFB protocol into a RC4-encrypted stream.

This old protocol does not use a random IV so the RC4 pseudo random
flow is reused from one session to another. An authenticated user
could leverage this issue to decrypt other users' sessions.

Solution :

If this service is not needed, disable it or filter incoming traffic
to this port. Otherwise, upgrade UltraVNC and use one of the new and
safer plugins which implement a random IV.

Risk factor :

Medium / CVSS Base Score : 4.0
(CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N)

Family: Service detection

Nessus Plugin ID: 19289 ()

Bugtraq ID:

CVE ID: