thin vnc bypass

ThinVNC is a pure web Remote Access implementation (HTML5 & AJAX based) client that works on any HTML5-compliant browser such as Chrome, Firefox, Safari, Opera, IE or Edge.

With this client you can access your desktop files remotely (even from mobile devices) and work as if you were at your local PC.

Recently, Red Team Consultant Nikhith Tummalapalli found authentication bypass vulnerability from ThinVNC.

According to Nikhith, “I found an arbitrary file read vulnerability through which the authentication set can be bypassed. An attacker can gain remote terminal access abusing this vulnerability.”

Description of Vulnerability:

Authentication ByPass

Proof of Concept: