2024-11-25

A Vanity VNC server (or Joke over RFB)

VNC logo modified to read also Vanity
VNC is a well-known protocol for remote desktop sharing. This blog post is the story of a web project that led to the creation of a "vanity" VNC.

Small note on VNC

VNC is THE remote desktop sharing protocol (along with RDP for Windows).

My recollection was that it wasn't a very secure protocol, and shouldn't be exposed directly on the Internet.

As a matter of fact, there's a project called VNC Resolver that scans all publicly reachable VNC servers on the Internet (IPv4). One evening, I stumbled upon one of their Mastodon posts showing a Nyan Cat in full screen, likely a victim of the MEMZ trojan, which replaces a computer's MBR sector with a program displaying an animated Nyan Cat in full screen. I then had the idea to create a small VNC server that would display a joke.

The project

The goal isn't to increase the attack surface of my personal server (or at least, not significantly), nor to consume too many resources. I then became interested in the VNC protocol with the aim of displaying a fixed image from a VNC server written in Rust.

VNC is based on the RFB (Remote FrameBuffer) protocol, which is extremely simple and defined in RFC 6143. This simplicity also makes it powerful. It's relatively efficient because it supports partial updates of the "desktop".

In terms of security, I have to admit that it has some weaknesses. There are two modes, one without authentication and one protected by a password, but neither encrypts the session (everything crosses the network in plain text). Other security mechanisms exist, but they depend on the vendor and aren't standardized. In short, it strongly encourages bad practices, which confirms my memory of a "risky" protocol. It's worth noting that it has now become common to wrap the protocol in TLS, which makes it completely secure; unfortunately, this requires a bit more work.
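To show just how little stands between a client and the framebuffer, here is the start of the RFB 3.8 handshake (ProtocolVersion and security-type negotiation, RFC 6143 sections 7.1.1 and 7.1.2) written out with the standard library only. This is an added example, not code from this post or from the rfb crate; the function names and the constructed client message are my own. The last function is the check a defender runs against the negotiation: whether the server offers security type 1 (None), which is exactly what a vanity server wants and exactly what a real desktop must never expose.

```rust
// Added example (not code from the original post or the rfb crate): the RFB 3.8
// handshake from RFC 6143, sections 7.1.1 (ProtocolVersion) and 7.1.2
// (Security), using only the standard library. Function names are my own.

/// Security types defined in RFC 6143 section 7.1.2.
pub const SECURITY_NONE: u8 = 1; // no authentication at all
pub const SECURITY_VNC_AUTH: u8 = 2; // challenge-response with the VNC password

/// The 12-byte ProtocolVersion message the server sends first.
pub const SERVER_VERSION: &[u8; 12] = b"RFB 003.008\n";

/// Parse a ProtocolVersion message ("RFB xxx.yyy\n") into (major, minor).
pub fn parse_protocol_version(msg: &[u8]) -> Option<(u16, u16)> {
    if msg.len() != 12 || !msg.starts_with(b"RFB ") || msg[7] != b'.' || msg[11] != b'\n' {
        return None;
    }
    let num = |s: &[u8]| -> Option<u16> { std::str::from_utf8(s).ok()?.parse::<u16>().ok() };
    Some((num(&msg[4..7])?, num(&msg[8..11])?))
}

/// Build the server's security-types message: a u8 count, then the types.
/// A count of zero means the connection is refused and is followed by a
/// reason string (u32 big-endian length + bytes).
pub fn security_types_message(types: &[u8], refusal_reason: &str) -> Vec<u8> {
    assert!(types.len() <= u8::MAX as usize, "RFB allows at most 255 security types");
    let mut out = vec![types.len() as u8];
    if types.is_empty() {
        out.extend_from_slice(&(refusal_reason.len() as u32).to_be_bytes());
        out.extend_from_slice(refusal_reason.as_bytes());
    } else {
        out.extend_from_slice(types);
    }
    out
}

/// What a client (or a scanner) learns from the server's security-types message.
#[derive(Debug, PartialEq)]
pub enum Offer {
    Refused(String),
    Types(Vec<u8>),
}

/// Parse the security-types message the way a client would.
pub fn parse_security_types_message(msg: &[u8]) -> Result<Offer, String> {
    let count = *msg.first().ok_or("empty message")? as usize;
    if count == 0 {
        if msg.len() < 5 {
            return Err("truncated refusal".to_string());
        }
        let len = u32::from_be_bytes([msg[1], msg[2], msg[3], msg[4]]) as usize;
        let reason = msg.get(5..5 + len).ok_or("truncated reason string")?;
        return Ok(Offer::Refused(String::from_utf8_lossy(reason).into_owned()));
    }
    let types = msg.get(1..1 + count).ok_or("truncated security-type list")?;
    Ok(Offer::Types(types.to_vec()))
}

/// Defender-side check: does this server admit clients with no credentials?
pub fn accepts_unauthenticated(offer: &Offer) -> bool {
    matches!(offer, Offer::Types(types) if types.contains(&SECURITY_NONE))
}

fn main() {
    // Constructed exchange: a 3.8 client answers the server's version, then the
    // server offers only type 1 (None), which is what a vanity server needs.
    let client_version = b"RFB 003.008\n";
    println!("client speaks {:?}", parse_protocol_version(client_version));
    let msg = security_types_message(&[SECURITY_NONE], "");
    let offer = parse_security_types_message(&msg).unwrap();
    println!("server offers {:?}; unauthenticated access: {}", offer, accepts_unauthenticated(&offer));
}
```

Everything after this point (SecurityResult, ClientInit, ServerInit and the framebuffer updates) is just as plain: nothing in the base protocol encrypts the session, which is why the TLS wrapping mentioned above matters for anything that isn't a joke screen.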

For my project, I turned to the rfb library and spent about an hour creating a screen. I managed to get this far:

End-of-game screen of Portal, in black and white, modified to display my personal logo and some QR codes along with my contact information.
"Screen" to show on my vanity VNC server.

It's both a "visiting card" and a joke inspired by the end-of-game screen of Portal.

VNCTrost

After a few attempts, I realized that the published rfb crate was not up to date. One can work around it, as Cargo allows replacing a dependency with a local version. In my case, I used a git submodule to get the latest version.

[dependencies]
rfb = { path = 'deps/rfb' }

Then add the submodule to the Git repo:

$ git submodule add https://github.com/oxidecomputer/rfb deps/rfb

A few minutes later, I had a functional server. I even had fun sending a beep sound when the user types something. 🔔

I then created a dedicated service (template) on my personal server:

$ systemctl edit --full --force vnctrost@.service
$ systemctl start vnctrost@5900 vnctrost@5901

With this configuration:

[Unit]
Description=VNCtrost on port %I
After=network.target

[Service]
PrivateTmp=True
WorkingDirectory=/usr/share/vnctrost/
ExecStart=/usr/bin/vnctrost --port %i --screen /usr/share/vnctrost/screen-rfp.png
Restart=on-failure
User=XXXX
Group=XXXX
Environment="RUST_LOG=INFO"

[Install]
WantedBy=multi-user.target

The server is now available at ache.one:5900 and ache.one:5901.
I invite you to try it with any VNC client.

The server source code is available at my git server.

The logs

I was quite surprised by the number of connections made to these servers. About 1 connection attempt per hour.

Here are the logs in real time:
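To turn a log like that into the "about one attempt per hour" figure quoted above, here is an added example of my own (not the vnctrost project's logging code). It assumes lines in the env_logger style that RUST_LOG=INFO produces, with a message of the form "connection from <peer> on port <listener>"; that format, and every address in the sample, are constructed for the example (the IPs are RFC 5737 documentation ranges). It buckets attempts per hour, per source and per listener, and flags sources that come back, which in practice separates a curious human from a scanner sweeping both ports.

```rust
// Added example, not the vnctrost project's logging code: a std-only parser
// for connection-log lines in the env_logger style that RUST_LOG=INFO gives,
// bucketing attempts per hour and per source address. The line format is an
// assumption and every address below is a constructed documentation address.
use std::collections::BTreeMap;

/// One parsed connection attempt.
#[derive(Debug, PartialEq)]
pub struct Attempt {
    pub hour: String,   // "YYYY-MM-DDTHH", the hourly bucket
    pub source: String, // peer address without its ephemeral port
    pub port: u16,      // which listener (5900 or 5901) was hit
}

/// Constructed sample lines; the WARN line is there to show that unrelated
/// entries are skipped rather than miscounted.
pub const SAMPLE_LOG: &[&str] = &[
    "[2024-11-25T20:14:03Z INFO vnctrost] connection from 203.0.113.7:51234 on port 5900",
    "[2024-11-25T20:41:50Z INFO vnctrost] connection from 198.51.100.23:40022 on port 5901",
    "[2024-11-25T21:02:11Z INFO vnctrost] connection from 203.0.113.7:51300 on port 5900",
    "[2024-11-25T21:02:12Z INFO vnctrost] connection from 203.0.113.7:51301 on port 5901",
    "[2024-11-25T21:05:00Z WARN vnctrost] client sent an unsupported protocol version",
    "[2024-11-25T23:30:45Z INFO vnctrost] connection from 192.0.2.99:61000 on port 5900",
];

/// Parse one line of the assumed format
/// "[<RFC 3339 timestamp> <LEVEL> <target>] connection from <ip>:<port> on port <listener>".
pub fn parse_line(line: &str) -> Option<Attempt> {
    let rest = line.strip_prefix('[')?;
    let (timestamp, rest) = rest.split_once(' ')?;
    let (_level_and_target, rest) = rest.split_once("] ")?;
    let rest = rest.strip_prefix("connection from ")?;
    let (peer, rest) = rest.split_once(' ')?;
    // rsplit keeps bracketed IPv6 literals such as "[2001:db8::1]" intact.
    let (source, _ephemeral_port) = peer.rsplit_once(':')?;
    let port = rest.strip_prefix("on port ")?.trim().parse().ok()?;
    let hour = timestamp.get(..13)?.to_string();
    Some(Attempt { hour, source: source.to_string(), port })
}

#[derive(Debug, Default)]
pub struct Summary {
    pub total: usize,
    pub per_hour: BTreeMap<String, usize>,
    pub per_source: BTreeMap<String, usize>,
    pub per_port: BTreeMap<u16, usize>,
}

/// Count attempts per hour, per source and per listener port.
pub fn summarize(lines: &[&str]) -> Summary {
    let mut s = Summary::default();
    for a in lines.iter().filter_map(|l| parse_line(l)) {
        s.total += 1;
        *s.per_hour.entry(a.hour).or_insert(0) += 1;
        *s.per_source.entry(a.source).or_insert(0) += 1;
        *s.per_port.entry(a.port).or_insert(0) += 1;
    }
    s
}

/// Sources seen more than `threshold` times: a human tries once, a scanner
/// comes back (and often hits every listener in a burst).
pub fn repeat_sources(s: &Summary, threshold: usize) -> Vec<String> {
    s.per_source
        .iter()
        .filter(|(_, n)| **n > threshold)
        .map(|(src, _)| src.clone())
        .collect()
}

fn main() {
    let s = summarize(SAMPLE_LOG);
    println!("{} attempts; per hour: {:?}; per port: {:?}", s.total, s.per_hour, s.per_port);
    println!("repeat sources: {:?}", repeat_sources(&s, 1));
}
```

Feeding it a real file is a matter of reading the lines and passing them to summarize; the hourly buckets are plain strings so they sort and print in order without any date library.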

Doesn't it already exist?

I'm absolutely not the first to do this. I found some publicly available VNC servers that were similar, often with server names that hinted at it.

One of these servers was named « chloe was here ».

Two ponies from "My Little Pony" who are kissing. Starlight, with confidence, is gently kissing Trixie, who looks slightly flustered.
The server was named « chloe was here »

The server 83.249.96.136 appears to belong to Tele2, a Swedish operator.

A rabbit who is sleeping, snoring softly on his back. A simple black pencil drawing on a white background.
The server was named « x11vnc »

Several hosts, like 166.151.167.106 and 166.255.108.226, run multiple VNC servers whose names say things like "just so you know this is literally me" or "i am a lesbian pony with weapons". I'm very intrigued by these servers, which seem to be hacktivist "claims" more than anything else. I can't connect to them anymore, but they're indexed by shodan.io and VNC Resolver.

An anthropomorphized fox seen from the waist up. The gender is not identifiable. A black t-shirt with
The server was named « just so you know this is literally me »
A drawing of the characters Susie and Noelle from the game Deltarune. They are kissing, with a blush.
The server was named « i am a lesbian pony with weapons »

(The original artwork is from Rozavive).

Another absolutely incomprehensible one: this server is that of @mastodon.staropa.net@1024x2, and it seems like the hacker is Litevex, but he claims to have hacked htwins.net. 😵‍💫 Whatever the case, here it is:

A very basic drawing of Mario in white pencil on a black background, recognizable by the
The server was named « litevex hacked htwins.net »

Regarding claims, VNC (Virtual Network Computing) is an alternative to defacing a website for making a statement in cyberwarfare.

A screen of a claim of war against Israel, on a red background with the
The server was named « 4629C81 »

See you next time for an article on web animation... Or QR codes. 🤷
