From 823455c481ecd6ed1e87678c1bd0ce8bad6e6ec2 Mon Sep 17 00:00:00 2001
From: Marios Levogiannis
Date: Mon, 25 Jul 2022 13:30:29 +0300
Subject: [PATCH] Fix CVE-2022-36436 - Authentication bypass in RFB security handshake
---
 vncap/vnc/protocol.py | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/vncap/vnc/protocol.py b/vncap/vnc/protocol.py
index aee50d3..d1351bd 100644
--- a/vncap/vnc/protocol.py
+++ b/vncap/vnc/protocol.py
@@ -73,8 +73,8 @@ def check_version(self, version):
 if version == self.VERSION:
 log.msg("Client version %s is valid" % version.strip())
- # Hardcoded: 2 security types: None and VNC Auth.
- self.transport.write("\x02\x01\x02")
+ # Hardcoded: 1 security type: VNC Auth.
+ self.transport.write("\x01\x02")
 return self.select_security_type, 1
 else:
 log.err("Can't handle VNC version %r" % version)
@@ -93,9 +93,6 @@ def select_security_type(self, security_type):
 self.transport.write(self.challenge)
 return self.vnc_authentication_result, 16
- elif security_type == 1:
- # No authentication. Just move to the SecurityResult.
- self.authenticated()
 else:
 log.err("Couldn't agree on an authentication scheme!")
 self.transport.loseConnection()
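Review bot: The new comment in `check_version` does not say that the first byte of `"\x01\x02"` is the count of security types rather than a type, nor why None is no longer offered. A later reader could mistake `\x01` for the None type, or re-add None without knowing the history. I would word it as `# 1 security type follows: 2 (VNC Auth). Type 1 (None) must not be offered, see CVE-2022-36436.` The diffstat shows only `protocol.py` changed, so no test pins the advertised list. The function starts above this hunk.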
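Review bot: The `else` branch of `select_security_type` that now handles a client selecting type 1 logs a fixed message without the value the client sent. A client selecting a type that was never offered is the signal operators would want to see after this fix, so the log line should carry it: `log.err("Client selected unsupported security type %r" % security_type)`. No test accompanies the removal, so nothing asserts that a type 1 selection ends in `loseConnection()` and never reaches `authenticated()`. The function begins above the hunk and continues below it, so whether the branch returns after `loseConnection()` cannot be confirmed from here.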