Desktop sharing - security issue

Stéphane Graber stgraber at ubuntu.com
Sat Jan 19 23:47:03 UTC 2013


On 01/12/2013 05:13 AM, James Harris wrote:
> This is a security issue that allowed someone to get remote desktop
> access to my Ubuntu machine even though the machine is behind a
> firewall. I was going to report it as a bug but from the Launchpad
> instructions it seems it is more a policy issue so am reporting it to
> the mailing list that the page directed me to.
> 
> Context:
>  * Recent upgrade to 12.04 LTS. (May or may not be related.)
>  * Home network behind NAT firewall.
>  * Home router configured to reject all incoming connections.
> 
> Problem: Someone on the Internet gained access to my Ubuntu machine.
> 
> Cause: Desktop Sharing preferences and other.
> 
> Since the upgrade I found intermittent text on screen that I hadn't
> written. It was the same attack as is mentioned at
> 
>   http://www.bleepingcomputer.com/forums/topic314188.html
> 
> The router was configured to be completely locked down and reject all
> connections from the internet, even ping, but after a lot of looking
> for viruses etc I eventually found what I think is the cause.
> 
> Desktop Sharing has a setting: Automatically configure UPnP router to
> open and forward ports. This setting was selected. I don't know when
> it was turned on but it is not something I would want to use. The
> router turned out to be UPnP configurable. This, I think, meant that
> the desktop sharing software told the router to open up access. This
> is not something I was aware of and I had not selected it.
> 
> How is it best to protect Ubuntu users from unintentionally opening up
> access as described above? (If it helps, my other desktop sharing
> settings were completely open but nothing warned me of the danger.)
> 
> James

Hi,

I just had a quick look here at what the default values for those
settings are on a perfectly clean Ubuntu installation.

Desktop sharing itself is disabled by default.
When enabled, any connection will require explicit user confirmation
through a popup message showing on your desktop.

UPNP auto-configuration is never done automatically and requires the
user to explicitly tick the "Automatically configure UPnP router to open
and forward ports" option.


So unless someone explicitly enables desktop sharing, then unticks "You
must confirm each access to this machine" and ticks "Automatically
configure UPnP router to open and forward ports.", what you described
above simply isn't possible on an Ubuntu machine.

As for clearly stating the risks, here is a copy/paste from the help
message as can be accessed from the configuration dialog:
"""
== Security ==
It is important that you consider the full extent of what each security
option means before changing it.

=== Confirm access to your machine ===
If you want to be able to choose whether to allow someone to access your
desktop, select You must confirm each access to this machine. If you
disable this option, you will not be asked whether you want to allow
someone to connect to your computer.
This option is enabled by default.

=== Enable password ===
To require other people to use a password when connecting to your
desktop, select Require the user to enter this password. If you do not
use this option, anyone can attempt to view your desktop.
This option is disabled by default, but you should enable it and set a
secure password.

=== Allow access to your desktop over the Internet ===
If your router supports UPnP Internet Gateway Device Protocol and it is
enabled, you can allow other people who are not on your local network to
view your desktop. To allow this, select Automatically configure UPnP
router to open and forward ports. Alternatively, you can configure your
router manually.
This option is disabled by default.
"""

So my best guess here is that for some reason you at some point changed
those settings and didn't realize what the UPnP option would do and
apparently didn't read the help before changing those settings.
Then some time later, someone scanned your router's IP address and
discovered that the VNC port was open and then either brute-forced any
password you may have set or directly connected if you didn't set one.


You say you didn't select that setting, but obviously somebody or
something did and somebody or something also unset the other setting
forcing the confirmation prompt.

As a conclusion, I believe the settings we ship Ubuntu with are
perfectly sane and safe. It's not impossible that some external software
you downloaded may have tempered with those settings, but there's really
little we can do about this (as if that's indeed the case, that software
may just as well have bundled its own copy of a VNC server).

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-devel/attachments/20130119/341b2fcc/attachment.pgp>


More information about the ubuntu-devel mailing list