<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=9"/>
<meta name="generator" content="Doxygen 1.8.13"/>
<meta name="viewport" content="width=device-width, initial-scale=1"/>
<title>Remmina - The GTK+ Remote Desktop Client: Authentication</title>
<link href="tabs.css" rel="stylesheet" type="text/css"/>
<script type="text/javascript" src="jquery.js"></script>
<script type="text/javascript" src="dynsections.js"></script>
<link href="navtree.css" rel="stylesheet" type="text/css"/>
<script type="text/javascript" src="resize.js"></script>
<script type="text/javascript" src="navtreedata.js"></script>
<script type="text/javascript" src="navtree.js"></script>
<script type="text/javascript">
  $(document).ready(initResizable);
</script>
<link href="search/search.css" rel="stylesheet" type="text/css"/>
<script type="text/javascript" src="search/searchdata.js"></script>
<script type="text/javascript" src="search/search.js"></script>
<link href="doxygen.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="top"><!-- do not remove this div, it is closed by doxygen! -->
<div id="titlearea">
<table cellspacing="0" cellpadding="0">
 <tbody>
 <tr style="height: 56px;">
  <td id="projectlogo"><img alt="Logo" src="org.remmina.Remmina.png"/></td>
  <td id="projectalign" style="padding-left: 0.5em;">
   <div id="projectname">Remmina - The GTK+ Remote Desktop Client
   &#160;<span id="projectnumber">v1.4.33</span>
   </div>
   <div id="projectbrief">Remmina is a remote desktop client written in GTK+, aiming to be useful for system administrators and travellers, who need to work with lots of remote computers in front of either large monitors or tiny netbooks. Remmina supports multiple network protocols in an integrated and consistent user interface. Currently RDP, VNC, NX, XDMCP and SSH are supported.</div>
  </td>
 </tr>
 </tbody>
</table>
</div>
<!-- end header part -->
<!-- Generated by Doxygen 1.8.13 -->
</div><!-- top -->
<div id="doc-content">

<div class="header">
  <div class="headertitle">
<div class="title">Authentication </div>  </div>
</div><!--header-->
<div class="contents">
<div class="textblock"><p>See #246</p>
<p>commented:</p>
<p>I know this bug is closed, but I wanted to share my own meagre findings for posterity.</p>
<p>Mac's built-in VNC viewer (Cmd+K in Finder) supports the following auth types, listed in its own preference order: 33, 36, 30. As previously noted, Remmina has partial support for the '30' auth type.</p>
<p>On the '30' auth type: Mac's VNC client sends a ClientInit message with its shared flag set to 0x1C. In response, the server modifies its ServerInit message to include non-textual information at the start of the 'name' string. There follows an exchange of unencrypted packets which I suppose is related to a more secure crypto setup (not using ECB/MD5?). From that point forward, the client appears to send only encrypted data, with an unencrypted 2-byte header. The server continues to send unencrypted framebuffer updates. I suspect it sends clipboard updates as encrypted messages, but I haven't confirmed this. The encrypted messages begin '0x00 0xYY', where YY is some nonzero number; from this I suppose they can be distinguished from RFB-compliant SetPixelFormat and FramebufferUpdate packets, which always have their second byte set to 0x00.</p>
<p>With some experimentation (and perhaps a bit of binary analysis) I think a sufficiently dedicated Remmina contributor could work out the details of this protocol. The first trick is to write a little VNC proxy that forces a Mac client to use the '30' auth type when connecting to a Mac server.</p>
<p>On the '33' auth type (currently preferred by Mac's VNC viewer):</p>
<p>Seems to have been implemented in Apple Remote Desktop 3.9 in response to CVE-2017-488. Apple mention that it uses the Secure Remote Password algorithm and 2048-bit RSA keys. Apple uses SRP in at least a couple of other places: iCloud storage and HomeKit Accessory Protocol. The implementations may be similar. Here are my notes on the auth type 33 packet formats:</p>
<div class="fragment"><div class="line">C -&gt; S:</div><div class="line">    4 bytes: packet length</div><div class="line">    2 bytes: version?</div><div class="line">    4 bytes: algorithm? (&#39;RSA1&#39; ascii)</div><div class="line">    4 bytes: ????</div><div class="line"></div><div class="line">S -&gt; C:</div><div class="line">    4   bytes: packet length</div><div class="line">    2   bytes: ???</div><div class="line">    ... bytes: ASN.1 data (server public key?)</div><div class="line">    1   bytes: ???</div><div class="line"></div><div class="line">C -&gt; S:</div><div class="line">    4   bytes: packet length</div><div class="line">    2   bytes: ???</div><div class="line">    4   bytes: algorithm? (&#39;RSA1&#39; ascii)</div><div class="line">    2   bytes: ???</div><div class="line">    2   bytes: key length? (256)</div><div class="line">    256 bytes: ???</div><div class="line">    128 bytes: ??? (all zero)</div><div class="line">    256 bytes: ???</div></div><!-- fragment --><p>I doubt it's possible to get much further with implementing auth type '33' without some skilful reverse-engineering of Apple binaries, which is beyond my present abilities.</p>
<p>I didn't look much at auth type '36' except to note that in debugging messages from Mac's 'Console' app, it appears to use SRP, like '33'.</p>
<p>Hello to any future programmers finding this bug through a search engine! Apple's developer documentation fucking sucks, eh?</p>
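<p>An added illustration, not code from the original comment, Remmina or Apple: the Python below models the auth-type-30 observations above (a ClientInit with shared flag 0x1C, a ServerInit whose name starts with non-textual bytes, and the '0x00 0xYY' heuristic for telling encrypted messages from standard RFB messages whose second byte is 0x00). ServerInit offsets follow RFC 6143; the sample packets are constructed, and the 0x1C flag and the header heuristic are the commenter's observations, not a documented format.</p>

```python
import struct

# RFC 6143 ServerInit: width(2) height(2) PIXEL_FORMAT(16) name-length(4) name(n).
PIXEL_FORMAT_LEN = 16
SERVER_INIT_FIXED = 4 + PIXEL_FORMAT_LEN + 4


def build_client_init(shared_flag: int = 0x1C) -> bytes:
    """ClientInit is a single byte; RFB uses 0/1, the Mac client reportedly sends 0x1C."""
    return bytes([shared_flag & 0xFF])


def parse_server_init(data: bytes) -> dict:
    """Parse ServerInit and split any leading non-printable bytes off the name field."""
    if len(data) < SERVER_INIT_FIXED:
        raise ValueError("ServerInit too short")
    width, height = struct.unpack(">HH", data[:4])
    (name_len,) = struct.unpack(">I", data[SERVER_INIT_FIXED - 4:SERVER_INIT_FIXED])
    name = data[SERVER_INIT_FIXED:]
    if len(name) != name_len:
        raise ValueError("name length mismatch: header %d, got %d" % (name_len, len(name)))
    prefix = 0  # count leading bytes outside printable ASCII (the "non-textual information")
    while prefix < len(name) and not 0x20 <= name[prefix] < 0x7F:
        prefix += 1
    return {"width": width, "height": height, "opaque_prefix": name[:prefix],
            "name": name[prefix:].decode("ascii", "replace")}


def classify_message(msg: bytes, direction: str = "c2s") -> str:
    """Commenter's heuristic: type byte 0 plus a nonzero second byte is an encrypted
    message; a zero second byte is the padding of SetPixelFormat (c2s) or
    FramebufferUpdate (s2c); any other type byte is an ordinary RFB message."""
    if len(msg) < 2:
        return "short"
    if msg[0] != 0:
        return "rfb-type-%d" % msg[0]
    if msg[1] != 0:
        return "encrypted"
    return "rfb-SetPixelFormat" if direction == "c2s" else "rfb-FramebufferUpdate"


# Constructed samples: a 1440x900 ServerInit with 4 opaque bytes before "imac",
# then three client messages (SetPixelFormat, an encrypted one, a KeyEvent type 4).
SAMPLE_SERVER_INIT = (struct.pack(">HH", 1440, 900) + bytes(PIXEL_FORMAT_LEN)
                      + struct.pack(">I", 8) + b"\x01\x02\x03\x04imac")
SAMPLE_CLIENT_MESSAGES = [b"\x00\x00" + bytes(18), b"\x00\x2a\xde\xad\xbe\xef", b"\x04\x01\x00\x1e"]


def demo():
    """Return the parsed sample ServerInit and the labels of the sample client messages."""
    return parse_server_init(SAMPLE_SERVER_INIT), [classify_message(m) for m in SAMPLE_CLIENT_MESSAGES]


if __name__ == "__main__":
    print(demo())
```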
</div></div><!-- contents -->
</div><!-- doc-content -->
<!-- start footer part -->
<div id="nav-path" class="navpath"><!-- id is needed for treeview function! -->
  <ul>
    <li class="footer">Generated by
    <a href="http://www.doxygen.org/index.html">
    <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.8.13 </li>
  </ul>
</div>
</body>
</html>