[Bug 2088433] Re: Problems with tigervncserver copying credential files to /tmp
Juha Aatrokoski
2088433 at bugs.launchpad.net
Tue Nov 19 09:00:03 UTC 2024
Uh-oh, bad news: I just tested it, and it looks like Xtigervnc does not
check the owner/permissions of the password file at runtime, so if/when
the /tmp/tigervnc.XXXXXX directory is removed, an attacker can hijack
the VNC session by recreating the directory and password file (I did not
test with other credential files, but presumably they work the same). So
this is then also a security vulnerability.
** Information type changed from Public to Public Security
--
https://bugs.launchpad.net/bugs/2088433
Title:
Problems with tigervncserver copying credential files to /tmp
Status in systemd package in Ubuntu:
Won't Fix
Status in tigervnc package in Ubuntu:
New
Bug description:
(Ubuntu 24.04.1, TigerVNC 1.13.1+dfsg-2build2)
On startup, tigervncserver (via Wrapper.pm) copies ~/.vnc/passwd (and
other credential files) into a /tmp/tigervnc.XXXXXX directory and tells
Xtigervnc to use those instead. There are at least two problems with
this:
1: On Ubuntu, automatic age-based cleaning of /tmp is enabled by
default. This is problematic in general (see bug #2088268), but
specifically the /tmp/tigervnc.XXXXXX directory can get removed. If
/tmp has the noatime mount option, the removal always happens 30 days
after the VNC server is started. Without noatime, the removal happens
if there is a 30-day period without any new connections to the VNC
server. When the directory is removed, the VNC server becomes
inaccessible.
2: If the credential files (e.g. password) in ~/.vnc/ are changed, the
running VNC server will not pick this up and will continue to use the
old cached credential files.
I think there should at least be a mechanism to enable/disable this
caching behavior via a configuration file (or a command line
argument). Also, if such caching is done, I think the proper location
would be under $XDG_RUNTIME_DIR instead of /tmp.
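The runtime owner/permission check whose absence the comment above reports, sketched in C as an added example (it is not TigerVNC code and not part of the original report). `open_trusted_credential` is a hypothetical helper name; the policy it assumes is that the credential file is a regular file owned by the server's user with no group/other access, inside a directory owned by that user and not writable by group/other.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not a TigerVNC function): open a credential file
 * read-only, but only if the file and its containing directory both belong
 * to the calling user and are closed to other users.
 * Returns an open fd on success, -1 if any check fails. */
int open_trusted_credential(const char *dir, const char *name)
{
    struct stat ds, fs;
    /* Pin the directory; O_NOFOLLOW rejects a symlink planted in its place. */
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;
    /* A directory recreated by another user in /tmp fails the owner test. */
    if (fstat(dfd, &ds) != 0 || ds.st_uid != geteuid() ||
        (ds.st_mode & (S_IWGRP | S_IWOTH))) {
        close(dfd);
        return -1;
    }
    /* Open relative to the pinned directory, so swapping the path after
     * the check cannot redirect the open. O_NONBLOCK avoids hanging on a FIFO. */
    int fd = openat(dfd, name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    close(dfd);
    if (fd < 0)
        return -1;
    /* Inspect the opened object itself, not the path name. */
    if (fstat(fd, &fs) != 0 || !S_ISREG(fs.st_mode) ||
        fs.st_uid != geteuid() || (fs.st_mode & 077)) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s DIR FILE\n", argv[0]);
        return EXIT_FAILURE;
    }
    int fd = open_trusted_credential(argv[1], argv[2]);
    puts(fd >= 0 ? "trusted" : "rejected");
    return fd >= 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

The check has to run each time the file is read for authentication, not only at startup, because the directory can disappear while the server is running.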