In-game VNC hacking in The Peacenet - A Feature Proposal

Posted by Administrator.

Hey there everyone! I was looking at VNC a few minutes ago so I could put a desktop environment on my VPS and use it to develop things on Linux remotely. One of my concerns was that, a few years ago, I had a VNC server set up for that very purpose and it got hacked. The hack, because I hadn't logged out of Xfce4, resulted in my Discord account being hijacked at the same time.

What was the hack?

It was caused by the fact that VNC, by design, limits your password to 8 ASCII characters.. From my few minutes of research, let me explain why this is the case.

First, what the hell is "VNC?"

VNC stands for "Virtual Network Computing." It's a remote desktop protocol, like the one built into Windows, except it's for Linux. It's also old and insecure. Like I said, your passwords are limited to 8 ASCII characters, and the connection between you and the server is unencrypted. This isn't the case with Remote Desktop Protocol in Windows or SSH on Unix systems.

So how's the authentication work?

From my understanding, here's how it works.

  1. The server sends you a 16-byte challenge when you connect.
  2. The client encrypts this challenge using DES encryption, using a password you enter as the key.
  3. The resulting 16-byte encrypted data is sent back to the server.
  4. The server, knowing the correct password, checks the encryption result to see if it matches what the server expects.
  5. If it matches, access granted.

Where's the vulnerability?

The vulnerability is in Step 2 - the encryption algorithm used. The password is used as the key for a DES encryption challenge. DES keys are limited to 56 bits + 8 parity bits. This means, your password is limited to being 7 bytes long.

But how do you fit 8 characters in 7 bytes? Easy. ASCII. All ASCII characters are 7 bits long, and the 8th bit in each ASCII character is completely ignored by the VNC client. So your password can only be 8 ASCII characters long. Anything less and the client pads it out with zeroes.

The way my VNC server got hacked was because the person knew my password. I made the stupid mistake of using a form of one of my leaked passwords. This made it way easier for the hacker to get in. Moreover they had a motivation - I was developing ShiftOS and they wanted me to know how they felt about it. What better way than to waltz their way in through an insecure remote desktop protocol and have the ability to do whatever they want on my server? Bonus points if they can get my Discord account and send messages as if they're me right on the server. Which they did do.

Had they not already had a clue of my password, it would still not be much harder to brute-force. Computers are very fast today, even fast at encryption. If I wanted to I could write a C++ program that implements DES encryption and goes through every possible key encrypting a 16-byte buffer and tell you how long it takes to encrypt every possible combination of every ASCII character. No need to do that though. There's a nice website that tells you how long it'd take to brute-force a password you enter. Try entering your password in and see what it says.

If I enter my VNC password in, it says an average desktop computer would take 4 weeks (1 month) to brute-force that password. That's assuming we're talking about an average desktop and not something purpose-built for these types of things, like perhaps a Bitcoin miner, that lives and breathes by solving these encryption puzzles.

So yeah, that's a nasty little vulnerability, isn't it?

What's it have to do with Peacenet?

Core gameplay, actually. I have a proposal. Since VNC's standard authentication proves very insecure, why not make an in-game version of VNC with this same vulnerability?

Here are my ideas for it.

  • It's a basic exploit - meaning you learn it at the beginning of the game.
  • It can be used to hack personal Peacegate OS instances - giving you remote desktop access to them.
  • It CANNOT be used to hack enterprise systems.
  • Personal systems have this vulnerability by Peacenet's design. How else would you be able to interact with your own in-game desktop?

As this exploit IS based on brute-force, it doesn't offer much of a challenge to you, the player. However, it can take advantage of the Rainbow Table system in the game, which will speed up hacking an in-game VNC server as you progress through the game. There's only so many combinations of an 8-character ASCII password.

With some work, I can get this into the alpha. It'll be a nice feature in my opinion, and it'll open up a lot of possibilities in the realm of non-enterprise hacking in the game. Keep in mind that enterprises aren't coming until beta, and they're the game's form of boss battles. So they'll be much harder to hack.