Update: UltraVNC 1.4.3.6 and UltraVNC SC 1.4.3.6: viewtopic.php?t=37885
Important: Please update to latest version before to create a reply, a topic or an issue: viewtopic.php?t=37864

Join us on social networks and share our announcements:
- Website: https://uvnc.com/
- GitHub: https://github.com/ultravnc
- Mastodon: https://mastodon.social/@ultravnc
- Facebook: https://www.facebook.com/ultravnc1
- X/Twitter: https://twitter.com/ultravnc1
- Reddit community: https://www.reddit.com/r/ultravnc
- OpenHub: https://openhub.net/p/ultravnc

security question

Post Reply
Nummi
Posts: 2
Joined: 2006-12-20 23:42

security question

Post by Nummi »

Lets assume I can set up UltraVNC and the ARC4 Plugin correctly, then open the ports on my router correctly, then get it all working correctly. Then, I leave the server running (with the ARC4 working and ports open) with UltraVNC waiting for a connection. My question is: can someone else gain access without the ARC4 key? And what if the ARC4 is not working, can someone gain access (assuming they can guess the UltraVNC password?
redge
1000
1000
Posts: 6797
Joined: 2004-07-03 17:05
Location: Switzerland - Geneva

Re: security question

Post by redge »

vncviewer without plugin he can reach the server with arc4plugin but fail to authenticate.

if vnc server crash for any reason, I'm not sure if there a security issue.
but as my knowledge, unpossible to reach the vnc server until restart and it auto restart with dsmplugin arc4plugin.
UltraVNC 1.0.9.6.1 (built 20110518)
OS Win: xp home + vista business + 7 home
only experienced user, not developer
UltraSam
Admin & Developer
Admin & Developer
Posts: 462
Joined: 2004-04-26 20:55
Contact:

Re: security question

Post by UltraSam »

If the viewer has not the good ARC4 key file, he just can't even start the handshaking process (RFB protocole version and so on) before the authentication process itself (VNC password).

The data is encrypted from the very first bytes. If the Viewer can't correctly encrypt these bytes with the same key than the server, they can't understand each other and the connection is immediatly dropped, even before the server to ask for the password.
UltraSam
Post Reply