Update: UltraVNC 1.4.3.6 and UltraVNC SC 1.4.3.6: viewtopic.php?t=37885
Important: Please update to latest version before to create a reply, a topic or an issue: viewtopic.php?t=37864

Join us on social networks and share our announcements:
- Website: https://uvnc.com/
- GitHub: https://github.com/ultravnc
- Mastodon: https://mastodon.social/@ultravnc
- Facebook: https://www.facebook.com/ultravnc1
- X/Twitter: https://twitter.com/ultravnc1
- Reddit community: https://www.reddit.com/r/ultravnc
- OpenHub: https://openhub.net/p/ultravnc

UltraVNC 1.2.0.3 (Security update) - Download links

Post Reply
Nick_od
40
40
Posts: 80
Joined: 2013-09-04 06:42

Re: 1.2.0.3 ( Security update)

Post by Nick_od »

good afternoon.
found error.
system windows xp 32 bit winvnc.exe (v1_2_03)
"SecureVNCPlugin.dsm" when you press the button "Config."
then change the password - the password is not possible to change
set up a new password does not save

in version winvnc.ehe (v1_2_02) to save your password is working properly
User avatar
Rudi De Vos
Admin & Developer
Admin & Developer
Posts: 6832
Joined: 2004-04-23 10:21
Contact:

Re: 1.2.0.3 ( Security update)

Post by Rudi De Vos »

This part needed to be changed to fix the exploit.
The config is now started as desktop user...

*This don't work for domain admins, a service can not impersonate the desktop user

1)logon as local admin
or
2)Use uvnc_settings.exe to make the changes.

Service and change settings via the tray should be removed in the future to force people
to use the sapereate app for it. Sorry
Nick_od
40
40
Posts: 80
Joined: 2013-09-04 06:42

Re: 1.2.0.3 ( Security update)

Post by Nick_od »

Rudi De Vos wrote:1)logon as local admin
or
2)Use uvnc_settings.exe to make the changes.
password is not changed
tried the first and second option
User avatar
Rudi De Vos
Admin & Developer
Admin & Developer
Posts: 6832
Joined: 2004-04-23 10:21
Contact:

Re: 1.2.0.3 ( Security update)

Post by Rudi De Vos »

Correct, seems i missed the return info from the plugin config... passphraze is not saved.
User avatar
Rudi De Vos
Admin & Developer
Admin & Developer
Posts: 6832
Joined: 2004-04-23 10:21
Contact:

Re: 1.2.0.3 ( Security update)

Post by Rudi De Vos »

reuploaded files with fixed config savings
SiUK
Posts: 1
Joined: 2014-10-02 10:59

Re: 1.2.0.3 ( Security update)

Post by SiUK »

Many thanks for updating the software and resolving the security bug. Is there a .MSI version of the installer or is that coming soon?

Thanks,
Si.
User avatar
Rudi De Vos
Admin & Developer
Admin & Developer
Posts: 6832
Joined: 2004-04-23 10:21
Contact:

Re: 1.2.0.3 ( Security update)

Post by Rudi De Vos »

Not yet, we made 1.2.0.3 available as soon as possible.
Msi still need to be created
Nick_od
40
40
Posts: 80
Joined: 2013-09-04 06:42

Re: 1.2.0.3 ( Security update)

Post by Nick_od »

Rudi De Vos wrote:reuploaded files with fixed config savings
Hi
A new version i checked
system windows xp 32 bit winvnc.exe (v1_2_03 new)
"SecureVNCPlugin.dsm" when you press the button "Config."
then change the password - the password is change
but if I connect at the password prompt I can hit only 8 characters
(if the password is longer than I can enter 8 characters and log in)
system windows xp 32 bit vncviewer.exe (v1_2_03 new)


A new version i checked uvnc_settings.exe (v1_2_03 new)
"SecureVNCPlugin.dsm" when you press the button "Config."
the password is change and all work fine
(if I connect at the password prompt I can hit more 8 characters and all work fine)
User avatar
Rudi De Vos
Admin & Developer
Admin & Developer
Posts: 6832
Joined: 2004-04-23 10:21
Contact:

Re: 1.2.0.3 ( Security update)

Post by Rudi De Vos »

I tried to repeat it without luck

1) removed ultravnc.ini
2) started winvnc.exe (app)
3) In the properties window i set passwd, select use dsm plugin and press config
4) save passwd in config
ultravnc.ini is cerated with a single line that indicate the saved options

Code: Select all

[admin]
DSMPluginConfig=SecureVNC;0;0x00104001;123456789==
5)press OK in properties dialog
Now all the other options in ultravnc.ini are set

When i connect the viewer ( selecting plugin) i have >8 chars and the window indicate

Code: Select all

passwd requested
AES-256....
All is in the ultravnc.ini, do you see a difference between the uvnc_settings saved versiona and the
version created with the tray icon.
Nick_od
40
40
Posts: 80
Joined: 2013-09-04 06:42

Re: 1.2.0.3 ( Security update)

Post by Nick_od »

Rudi De Vos wrote:2) started winvnc.exe (app)
You need start winvnc.exe as service
then in the tray select (admin properties) then SecureVNCPlugin.dsm (Config.)
AES(128.....
256 bit
RSA-2048
(use new key algorithm.....)
Passphrase: enter password 9 chars
Confirm: enter password 9 chars
save this
then When you connect the viewer (selecting plugin)
password prompt
you can not enter >8 chars
User avatar
Rudi De Vos
Admin & Developer
Admin & Developer
Posts: 6832
Joined: 2004-04-23 10:21
Contact:

Re: 1.2.0.3 ( Security update)

Post by Rudi De Vos »

You need start winvnc.exe as service
then in the tray select (admin properties) then SecureVNCPlugin.dsm (Config.)
...
Confirm: enter password 9 chars
save this
Please press config again... is the value realy saved... do you see the extra line

Code: Select all

DSMPluginConfig=SecureVNC;0;0x00104001;123456789==
in the ultravnc.ini

When i'm correct, the problem is that running as service we use the credentials of the current desktop user.
1) We need to get the credentials... this fail for domain users
2) The desktop user need to be admin or he can not save ultravnc.ini

If value is not saved in ini, then winvnc ask the default vnc passwd that's 8 chars.

As we can not bypass 1) and 2) we
need to add some extra check... that popup when desktop user can not be impersonate.
And guide the users to use the uvnc_settings.exe.
Nick_od
40
40
Posts: 80
Joined: 2013-09-04 06:42

Re: 1.2.0.3 ( Security update)

Post by Nick_od »

after save (uvnc_settings.exe)
DSMPluginConfig=SecureVNC;0;0x00104001;MTIzNDU2Nzg5 (123456789)

after
then in the tray select (admin properties) then SecureVNCPlugin.dsm (Config.)
Confirm: enter password 9 chars (123456789)
save and open (ultravnc.ini)
DSMPlugin=SecureVNCPlugin.dsm (empty)
no password
why is this happening?
User avatar
Rudi De Vos
Admin & Developer
Admin & Developer
Posts: 6832
Joined: 2004-04-23 10:21
Contact:

Re: 1.2.0.3 ( Security update)

Post by Rudi De Vos »

Desktop user permission

The dsm config run as impersonated desktop user, 2 possible reasons
1° User can nor save
2° User can not be imperonate ( domain users can not be impersonate by local service)
Kirck
20
20
Posts: 54
Joined: 2005-06-16 08:41

Re: 1.2.0.3 ( Security update)

Post by Kirck »

Vnc session hangs up when I type "\" char inside a textbox or in explorer's address bar in remote session.
User avatar
Rudi De Vos
Admin & Developer
Admin & Developer
Posts: 6832
Joined: 2004-04-23 10:21
Contact:

Re: 1.2.0.3 ( Security update)

Post by Rudi De Vos »

Please verify if this is fixed in
viewtopic.php?t=31133
Post Reply