_apple-_v_n_c-protocol-notes_8md_source.html « public - gitlab.com/Remmina/remminadoc.gitlab.io.git - Unnamed repository; edit this file 'description' to name the repository.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=9"/>
<meta name="generator" content="Doxygen 1.8.13"/>
<meta name="viewport" content="width=device-width, initial-scale=1"/>
<title>Remmina - The GTK+ Remote Desktop Client: Apple-VNC-protocol-notes.md Source File</title>
<link href="tabs.css" rel="stylesheet" type="text/css"/>
<script type="text/javascript" src="jquery.js"></script>
<script type="text/javascript" src="dynsections.js"></script>
<link href="navtree.css" rel="stylesheet" type="text/css"/>
<script type="text/javascript" src="resize.js"></script>
<script type="text/javascript" src="navtreedata.js"></script>
<script type="text/javascript" src="navtree.js"></script>
<script type="text/javascript">
  $(document).ready(initResizable);
</script>
<link href="search/search.css" rel="stylesheet" type="text/css"/>
<script type="text/javascript" src="search/searchdata.js"></script>
<script type="text/javascript" src="search/search.js"></script>
<link href="doxygen.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="top"><!-- do not remove this div, it is closed by doxygen! -->
<div id="titlearea">
<table cellspacing="0" cellpadding="0">
 <tbody>
 <tr style="height: 56px;">
  <td id="projectlogo"><img alt="Logo" src="org.remmina.Remmina.png"/></td>
  <td id="projectalign" style="padding-left: 0.5em;">
   <div id="projectname">Remmina - The GTK+ Remote Desktop Client
   &#160;<span id="projectnumber">v1.4.33</span>
   </div>
   <div id="projectbrief">Remmina is a remote desktop client written in GTK+, aiming to be useful for system administrators and travellers, who need to work with lots of remote computers in front of either large monitors or tiny netbooks. Remmina supports multiple network protocols in an integrated and consistent user interface. Currently RDP, VNC, NX, XDMCP and SSH are supported.</div>
  </td>
 </tr>
 </tbody>
</table>
</div>
<!-- end header part -->
<!-- Generated by Doxygen 1.8.13 -->
<script type="text/javascript">
var searchBox = new SearchBox("searchBox", "search",false,'Search');
</script>
<script type="text/javascript" src="menudata.js"></script>
<script type="text/javascript" src="menu.js"></script>
<script type="text/javascript">
$(function() {
  initMenu('',true,false,'search.php','Search');
  $(document).ready(function() { init_search(); });
});
</script>
<div id="main-nav"></div>
</div><!-- top -->
<div id="side-nav" class="ui-resizable side-nav-resizable">
  <div id="nav-tree">
    <div id="nav-tree-contents">
      <div id="nav-sync" class="sync"></div>
    </div>
  </div>
  <div id="splitbar" style="-moz-user-select:none;" 
       class="ui-resizable-handle">
  </div>
</div>
<script type="text/javascript">
$(document).ready(function(){initNavTree('_apple-_v_n_c-protocol-notes_8md.html','');});
</script>
<div id="doc-content">
<!-- window showing the filter options -->
<div id="MSearchSelectWindow"
     onmouseover="return searchBox.OnSearchSelectShow()"
     onmouseout="return searchBox.OnSearchSelectHide()"
     onkeydown="return searchBox.OnSearchSelectKey(event)">
</div>

<!-- iframe showing the search results (closed by default) -->
<div id="MSearchResultsWindow">
<iframe src="javascript:void(0)" frameborder="0" 
        name="MSearchResults" id="MSearchResults">
</iframe>
</div>

<div class="header">
  <div class="headertitle">
<div class="title">Apple-VNC-protocol-notes.md</div>  </div>
</div><!--header-->
<div class="contents">
<a href="_apple-_v_n_c-protocol-notes_8md.html">Go to the documentation of this file.</a><div class="fragment"><div class="line"><a name="l00001"></a><span class="lineno">    1</span>&#160;## Authentication</div><div class="line"><a name="l00002"></a><span class="lineno">    2</span>&#160;</div><div class="line"><a name="l00003"></a><span class="lineno">    3</span>&#160;See #246</div><div class="line"><a name="l00004"></a><span class="lineno">    4</span>&#160;</div><div class="line"><a name="l00005"></a><span class="lineno">    5</span>&#160;@barneygale commented:</div><div class="line"><a name="l00006"></a><span class="lineno">    6</span>&#160;</div><div class="line"><a name="l00007"></a><span class="lineno">    7</span>&#160;I know this bug is closed, but I wanted to share my own meagre findings for posterity.</div><div class="line"><a name="l00008"></a><span class="lineno">    8</span>&#160;</div><div class="line"><a name="l00009"></a><span class="lineno">    9</span>&#160;Mac&#39;s built-in VNC viewer (Cmd+K in Finder) supports the following auth types, listed in its own preference order: 33, 36, 30. As previously noted, Remmina has partial support for the &#39;30&#39; auth type.</div><div class="line"><a name="l00010"></a><span class="lineno">   10</span>&#160;</div><div class="line"><a name="l00011"></a><span class="lineno">   11</span>&#160;On the &#39;30&#39; auth type: Mac&#39;s VNC client sends a ClientInit message with its shared flag set to 0x1C. In response, the server modifies its ServerInit message to include non-textual information at the start of the &#39;name&#39; string. There follows an exchange of unencrypted packets which I suppose is related to a more secure crypto setup (not using ECB/MD5?). From that point forward, the client appears to send only encrypted data, with an unencrypted 2-byte header. The server continues to send unencrypted framebuffer updates. 
I suspect it sends clipboard updates as encrypted messages, but I haven&#39;t confirmed this. The encrypted messages begin &#39;0x00 0xYY&#39;, where YY is some nonzero number; from this I suppose they can be distinguished from RFB-compliant SetPixelFormat and FramebufferUpdate packets, which always have their second byte set to 0x00.</div><div class="line"><a name="l00012"></a><span class="lineno">   12</span>&#160;</div><div class="line"><a name="l00013"></a><span class="lineno">   13</span>&#160;With some experimentation (and perhaps a bit of binary analysis) I think a sufficiently dedicated Remmina contributor could work out the details of this protocol. The first trick is to write a little VNC proxy that forces a Mac client to use the &#39;30&#39; auth type when connecting to a Mac server.</div><div class="line"><a name="l00014"></a><span class="lineno">   14</span>&#160;</div><div class="line"><a name="l00015"></a><span class="lineno">   15</span>&#160;On the &#39;33&#39; auth type (currently preferred by Mac&#39;s VNC viewer):</div><div class="line"><a name="l00016"></a><span class="lineno">   16</span>&#160;</div><div class="line"><a name="l00017"></a><span class="lineno">   17</span>&#160;Seems to have been implemented in Apple Remote Desktop 3.9 in response to CVE-2017-488.</div><div class="line"><a name="l00018"></a><span class="lineno">   18</span>&#160;Apple mention that it uses the Secure Remote Password algorithm and 2048 bit RSA keys</div><div class="line"><a name="l00019"></a><span class="lineno">   19</span>&#160;Apple uses SRP in at least a couple of other places: iCloud storage and HomeKit Accessory Protocol. 
The implementations may be similar.</div><div class="line"><a name="l00020"></a><span class="lineno">   20</span>&#160;Here are my notes on the auth type 33 packet formats:</div><div class="line"><a name="l00021"></a><span class="lineno">   21</span>&#160;</div><div class="line"><a name="l00022"></a><span class="lineno">   22</span>&#160;```</div><div class="line"><a name="l00023"></a><span class="lineno">   23</span>&#160;C -&gt; S:</div><div class="line"><a name="l00024"></a><span class="lineno">   24</span>&#160;    4 bytes: packet length</div><div class="line"><a name="l00025"></a><span class="lineno">   25</span>&#160;    2 bytes: version?</div><div class="line"><a name="l00026"></a><span class="lineno">   26</span>&#160;    4 bytes: algorithm? (&#39;RSA1&#39; ascii)</div><div class="line"><a name="l00027"></a><span class="lineno">   27</span>&#160;    4 bytes: ????</div><div class="line"><a name="l00028"></a><span class="lineno">   28</span>&#160;</div><div class="line"><a name="l00029"></a><span class="lineno">   29</span>&#160;S -&gt; C:</div><div class="line"><a name="l00030"></a><span class="lineno">   30</span>&#160;    4   bytes: packet length</div><div class="line"><a name="l00031"></a><span class="lineno">   31</span>&#160;    2   bytes: ???</div><div class="line"><a name="l00032"></a><span class="lineno">   32</span>&#160;    ... 
bytes: ASN.1 data (server public key?)</div><div class="line"><a name="l00033"></a><span class="lineno">   33</span>&#160;    1   bytes: ???</div><div class="line"><a name="l00034"></a><span class="lineno">   34</span>&#160;</div><div class="line"><a name="l00035"></a><span class="lineno">   35</span>&#160;C -&gt; S:</div><div class="line"><a name="l00036"></a><span class="lineno">   36</span>&#160;    4   bytes: packet length</div><div class="line"><a name="l00037"></a><span class="lineno">   37</span>&#160;    2   bytes: ???</div><div class="line"><a name="l00038"></a><span class="lineno">   38</span>&#160;    4   bytes: algorithm? (&#39;RSA1&#39; ascii)</div><div class="line"><a name="l00039"></a><span class="lineno">   39</span>&#160;    2   bytes: ???</div><div class="line"><a name="l00040"></a><span class="lineno">   40</span>&#160;    2   bytes: key length? (256)</div><div class="line"><a name="l00041"></a><span class="lineno">   41</span>&#160;    256 bytes: ???</div><div class="line"><a name="l00042"></a><span class="lineno">   42</span>&#160;    128 bytes: ??? 
(all zero)</div><div class="line"><a name="l00043"></a><span class="lineno">   43</span>&#160;    256 bytes: ???</div><div class="line"><a name="l00044"></a><span class="lineno">   44</span>&#160;```</div><div class="line"><a name="l00045"></a><span class="lineno">   45</span>&#160;</div><div class="line"><a name="l00046"></a><span class="lineno">   46</span>&#160;I doubt it&#39;s possible to get much further with implementing auth type &#39;33&#39; without some skilful reverse-engineering of Apple binaries, which is beyond my present abilities.</div><div class="line"><a name="l00047"></a><span class="lineno">   47</span>&#160;</div><div class="line"><a name="l00048"></a><span class="lineno">   48</span>&#160;I didn&#39;t look much at auth type &#39;36&#39; except to note that in debugging messages from Mac&#39;s &#39;Console&#39; app, it appears to use SRP, like &#39;33&#39;.</div><div class="line"><a name="l00049"></a><span class="lineno">   49</span>&#160;</div><div class="line"><a name="l00050"></a><span class="lineno">   50</span>&#160;Hello to any future programmers finding this bug through a search engine! Apple&#39;s developer documentation fucking sucks eh?</div><div class="line"><a name="l00051"></a><span class="lineno">   51</span>&#160;</div></div><!-- fragment --></div><!-- contents -->
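As an added example (not part of the notes above and not Remmina's own code), a Python parser for the three auth type 33 packets as laid out in the notes, with a length check and the observed constant fields enforced. It assumes big-endian fields (as elsewhere in RFB) and a length prefix that counts only the bytes after it; the notes state neither, and the sample packet at the end is constructed, not a capture.

```python
import struct
# Layouts follow the auth type 33 notes above. Assumed, since the notes do not say:
# fields are big-endian (as elsewhere in RFB) and the length prefix excludes itself.
RSA1 = b"RSA1"

def split_packet(buf):
    """Return (body, remaining bytes) for one length-prefixed packet."""
    if len(buf) < 4:
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack(">I", buf[:4])
    if len(buf) < 4 + length:
        raise ValueError(f"truncated body: need {length}, have {len(buf) - 4}")
    return buf[4:4 + length], buf[4 + length:]

def parse_client_open(buf):
    """First C -> S packet: version?(2) 'RSA1'(4) unknown(4)."""
    body, rest = split_packet(buf)
    if len(body) != 10:
        raise ValueError(f"client open body is {len(body)} bytes, expected 10")
    version, algo, unknown = struct.unpack(">H4s4s", body)
    if algo != RSA1:
        raise ValueError(f"unexpected algorithm tag {algo!r}")
    return {"version": version, "unknown": unknown}, rest

def parse_server_reply(buf):
    """S -> C packet: unknown(2) ASN.1 blob(variable) unknown(1)."""
    body, rest = split_packet(buf)
    if len(body) < 3:
        raise ValueError("server reply shorter than its 2-byte head plus 1-byte tail")
    asn1 = body[2:-1]
    # A DER SEQUENCE (tag 0x30) is how a SubjectPublicKeyInfo starts; only reported here.
    return {"head": body[:2], "asn1": asn1, "der_sequence": asn1[:1] == b"\x30", "tail": body[-1]}, rest

def parse_client_response(buf):
    """Second C -> S packet: unknown(2) 'RSA1'(4) unknown(2) keylen(2) 256 128(zero) 256."""
    body, rest = split_packet(buf)
    fmt = ">H4sHH256s128s256s"  # 650-byte body
    if len(body) != struct.calcsize(fmt):
        raise ValueError(f"client response body is {len(body)} bytes, expected {struct.calcsize(fmt)}")
    u1, algo, u2, key_len, blob1, zeros, blob2 = struct.unpack(fmt, body)
    if algo != RSA1 or key_len != 256:
        raise ValueError(f"unexpected algorithm {algo!r} or key length {key_len}")
    if zeros != bytes(128):
        raise ValueError("128-byte field is not all zero as observed")
    return {"unknown1": u1, "unknown2": u2, "key_len": key_len, "blob1": blob1, "blob2": blob2}, rest

def frame(body):  # length-prefix a body the way the three packets are framed
    return struct.pack(">I", len(body)) + body

SAMPLE_CLIENT_OPEN = frame(b"\x00\x02RSA1\x00\x00\x00\x00")  # constructed sample, not a capture
```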
</div><!-- doc-content -->
<!-- start footer part -->
<div id="nav-path" class="navpath"><!-- id is needed for treeview function! -->
  <ul>
    <li class="navelem"><a class="el" href="_apple-_v_n_c-protocol-notes_8md.html">Apple-VNC-protocol-notes.md</a></li>
    <li class="footer">Generated by
    <a href="http://www.doxygen.org/index.html">
    <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.8.13 </li>
  </ul>
</div>
</body>
</html>