A Vanity VNC server (or Joke over RFB)
VNC is a well-known protocol for remote desktop sharing. This blog post is the story of a web project that led to the creation of a "vanity" VNC server.
Small note on VNC
VNC is THE remote desktop sharing protocol (along with RDP for Windows).
My recollection was that it wasn't a very secure protocol, and shouldn't be exposed directly on the Internet.
As a matter of fact, there's a project called VNC Resolver that scans all publicly reachable VNC servers on the Internet (IPv4). One evening, I stumbled upon one of their Mastodon posts showing Nyan Cat in full screen, most likely a victim of the MEMZ Trojan horse, which replaces a computer's MBR sector with a program displaying an animated Nyan Cat in full screen. That gave me the idea of creating a small VNC server that would display a joke.
The project
The goal isn't to increase the attack surface of my personal server (or at least, not significantly), nor to consume too many resources. I therefore became interested in the VNC protocol, with the aim of displaying a fixed image from a VNC server written in Rust.
VNC is based on the RFB (Remote FrameBuffer) protocol, which is extremely simple and defined in RFC 6143. This simplicity is also what makes it powerful. It's relatively efficient because it supports partial updates of the "desktop".
In terms of security, I have to admit that it has some weaknesses. There are two modes: one without any authentication, and a password-protected one, but neither encrypts the session (everything travels in plain text over the network). Other security mechanisms exist, but they depend on the vendor and aren't standardized. In short, the protocol strongly encourages bad practice, which confirms my memory of it being "risky". It's worth noting that it has now become common to add a TLS layer, which makes the protocol completely secure; unfortunately, this requires a bit more work.
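To make the two points above concrete (how simple RFB is, and how its security types are advertised in the clear), here is an added example that is not part of the blog's vnctrost code: a standard-library-only Rust parser for the opening RFB 3.7+ handshake from RFC 6143, the client's reply, and a small risk assessment of what the server offered. The sample bytes are constructed, not captured from any real host, and the function and type names are my own.

```rust
// Added example, not the blog's vnctrost server. Parses the first two
// server messages of an RFB 3.7/3.8 session (RFC 6143, sections 7.1.1 and
// 7.1.2), builds the client's answer, and reports what an auditor would flag.

/// Security types from RFC 6143 section 7.1.2; anything else is vendor-registered.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum SecurityType {
    Invalid,
    None,
    VncAuth,
    Other(u8),
}

impl From<u8> for SecurityType {
    fn from(b: u8) -> Self {
        match b {
            0 => SecurityType::Invalid,
            1 => SecurityType::None,
            2 => SecurityType::VncAuth,
            n => SecurityType::Other(n),
        }
    }
}

#[derive(Debug, PartialEq, Eq)]
pub struct Handshake {
    pub major: u32,
    pub minor: u32,
    pub security_types: Vec<SecurityType>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum ParseError {
    Truncated,
    BadVersion,
    /// RFB 3.3 sends a single U32 type instead of a list; not handled here.
    Unsupported,
    /// Zero security types followed by a reason string: the server refused us.
    Rejected(String),
}

/// Parse "RFB xxx.yyy\n" followed by the 3.7+ security-type list
/// (one count byte, then one byte per offered type).
pub fn parse_server_greeting(buf: &[u8]) -> Result<Handshake, ParseError> {
    if buf.len() < 12 {
        return Err(ParseError::Truncated);
    }
    let (ver, rest) = buf.split_at(12);
    if &ver[..4] != b"RFB " || ver[7] != b'.' || ver[11] != b'\n' {
        return Err(ParseError::BadVersion);
    }
    let num = |s: &[u8]| -> Result<u32, ParseError> {
        std::str::from_utf8(s)
            .ok()
            .and_then(|t| t.parse::<u32>().ok())
            .ok_or(ParseError::BadVersion)
    };
    let major = num(&ver[4..7])?;
    let minor = num(&ver[8..11])?;
    if major != 3 || minor < 7 {
        return Err(ParseError::Unsupported);
    }
    let (&count, rest) = rest.split_first().ok_or(ParseError::Truncated)?;
    if count == 0 {
        // Section 7.1.2: a zero count is followed by a U32 length and a reason string.
        if rest.len() < 4 {
            return Err(ParseError::Truncated);
        }
        let len = u32::from_be_bytes([rest[0], rest[1], rest[2], rest[3]]) as usize;
        let reason = rest.get(4..4 + len).ok_or(ParseError::Truncated)?;
        return Err(ParseError::Rejected(String::from_utf8_lossy(reason).into_owned()));
    }
    let types = rest.get(..count as usize).ok_or(ParseError::Truncated)?;
    Ok(Handshake { major, minor, security_types: types.iter().map(|&b| b.into()).collect() })
}

/// The client's answer: it echoes the version it will speak and picks one
/// type. This prefers VNC Authentication over None when both are offered.
pub fn client_reply(h: &Handshake) -> Option<Vec<u8>> {
    let pick = if h.security_types.contains(&SecurityType::VncAuth) {
        2u8
    } else if h.security_types.contains(&SecurityType::None) {
        1u8
    } else {
        return None;
    };
    let mut out = format!("RFB {:03}.{:03}\n", h.major, h.minor).into_bytes();
    out.push(pick);
    Some(out)
}

/// What an auditor would flag on a VNC server that is reachable from the Internet.
pub fn assess(h: &Handshake) -> Vec<&'static str> {
    let mut findings = Vec::new();
    for t in &h.security_types {
        match t {
            SecurityType::None => findings.push("security type None offered: no authentication at all"),
            SecurityType::VncAuth => findings.push("VNC Authentication offered: challenge on the password, but the session stays unencrypted"),
            _ => {}
        }
    }
    if !h.security_types.iter().any(|t| matches!(t, SecurityType::Other(_))) {
        findings.push("no vendor security type (e.g. a TLS-based one) advertised: everything crosses the network in clear");
    }
    findings
}

fn main() {
    // Constructed sample, not a capture: an RFB 3.8 server offering VNC Auth (2) and None (1).
    let greeting = b"RFB 003.008\n\x02\x02\x01";
    let h = parse_server_greeting(greeting).expect("valid greeting");
    println!("server speaks RFB {}.{}, offers {:?}", h.major, h.minor, h.security_types);
    for f in assess(&h) {
        println!("- {}", f);
    }
    println!("client reply: {:?}", client_reply(&h));
}
```

The parser deliberately refuses RFB 3.3, where the server imposes a single security type without negotiation, and it surfaces the "rejected with reason" path, which is the message you get when a server has connection limits or a blacklist in place.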
For my project, I turned to the rfb library and spent about an hour creating a screen. I managed to get this far:
It's both a "visiting card" and a joke inspired by the end-of-game screen of Portal.
VNCTrost
After a few attempts, I realized that the published rfb crate was out of date. One can work around that, since Cargo allows replacing a dependency with a local checkout. In my case, I used a git submodule to get the latest version.
[dependencies]
rfb = { path = 'deps/rfb' }
Then add the submodule to the Git repo:
$ git submodule add https://github.com/oxidecomputer/rfb deps/rfb
A few minutes later, I had a functional server. I even had fun sending a beep sound when the user types something. 🔔
I then created a dedicated service (template) on my personal server:
$ systemctl edit --full --force vnctrost@.service
$ systemctl start vnctrost@5900 vnctrost@5901
With this configuration:
[Unit]
Description=VNCtrost on port %I
After=network.target
[Service]
PrivateTmp=True
WorkingDirectory=/usr/share/vnctrost/
ExecStart=/usr/bin/vnctrost --port %i --screen /usr/share/vnctrost/screen-rfp.png
Restart=on-failure
User=XXXX
Group=XXXX
Environment="RUST_LOG=INFO"
[Install]
WantedBy=multi-user.target
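Since the stated goal is not to widen the server's attack surface, here is a hardened variant of the unit above, added as an example and not the unit the author actually deployed. It assumes only what the ExecStart line shows: the binary needs a TCP listening socket on an unprivileged port and read access to the PNG, nothing else. The sandboxing directives are standard systemd ones; DynamicUser= replaces the fixed User=/Group= pair with a throw-away unprivileged account.

```ini
[Unit]
Description=VNCtrost on port %I
After=network.target

[Service]
ExecStart=/usr/bin/vnctrost --port %i --screen /usr/share/vnctrost/screen-rfp.png
WorkingDirectory=/usr/share/vnctrost/
Restart=on-failure
Environment="RUST_LOG=INFO"
# Throw-away unprivileged user instead of a fixed account (replaces User=/Group=)
DynamicUser=true
# Filesystem: read-only system, no home directories, private /tmp and /dev
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
# Kernel and process hardening; ports 5900+ need no capabilities at all
NoNewPrivileges=true
CapabilityBoundingSet=
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictNamespaces=true
LockPersonality=true
# Only IPv4/IPv6 sockets; the server needs neither unix nor raw sockets
RestrictAddressFamilies=AF_INET AF_INET6
SystemCallFilter=@system-service
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target
```

After reloading, `systemd-analyze security vnctrost@5900.service` scores the unit and lists which of these directives still leave something open; a service that only ever reads one image and answers one protocol should score well without further tuning.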
The server is now available at ache.one:5900 and ache.one:5901.
I invite you to try it with any VNC client.
The server source code is available at my git server.
The logs
I was quite surprised by the number of connections made to these servers. About 1 connection attempt per hour.
Here are the logs in real time:
Doesn't it already exist?
I'm absolutely not the first to do this. I found some publicly reachable VNC servers that were similar, often with server names that hinted at the same intent.
One of these servers was named "chloe was here".
Another was 83.249.96.136, which appears to belong to Tele2, a Swedish operator.
Several hosts, such as 166.151.167.106 and 166.255.108.226, run multiple VNC servers whose names say things like "just so you know this is literally me" or "i am a lesbian pony with weapons". I'm very intrigued by these servers, which look like the "claims" of a hacktivist more than anything else. I can't connect to them anymore, but they're indexed by shodan.io and the VNC Resolver.
(The original artwork is from Rozavive).
Another, absolutely incomprehensible one: this server belongs to @mastodon.staropa.net@1024x2, and the hacker seems to be Litevex, yet he claims to have hacked htwins.net. 😵💫 Whatever the case, here it is:
Speaking of claims, VNC (Virtual Network Computing) serves as an alternative to website defacement in cyberwarfare.
See you next time for an article on web animation... Or QR codes. 🤷