Desktop sharing - security issue

Neil Broadley scaine at scaine.net
Tue Jan 22 09:03:28 UTC 2013


Since Ubuntu doesn't ship with a firewall enabled by default, you'll never
know what happened here - there may be some logs in /var/log/auth.log, but
anything useful is unlikely. In fact, I'm fairly certain that desktop
sharing doesn't log access attempts in there at all.

Your best bet now will be to immediately enable your ufw/iptables firewall
on your device. My advice would be to install gufw (sudo apt-get install
gufw) and run it (search for fw in the Dash), then also enable logs. You'll
see what's allowed through your router via UPnP and then blocked by your
Ubuntu PC.

Obviously, you should also disable that UPnP option if you can, or better
still, configure your router to ignore UPnP requests, if it allows this.

Neil.

On 19 January 2013 23:47, Stéphane Graber <stgraber at ubuntu.com> wrote:

> On 01/12/2013 05:13 AM, James Harris wrote:
> > This is a security issue that allowed someone to get remote desktop
> > access to my Ubuntu machine even though the machine is behind a
> > firewall. I was going to report it as a bug but from the Launchpad
> > instructions it seems it is more a policy issue so am reporting it to
> > the mailing list that the page directed me to.
> >
> > Context:
> >  * Recent upgrade to 12.04 LTS. (May or may not be related.)
> >  * Home network behind NAT firewall.
> >  * Home router configured to reject all incoming connections.
> >
> > Problem: Someone on the Internet gained access to my Ubuntu machine.
> >
> > Cause: Desktop Sharing preferences and other.
> >
> > Since the upgrade I found intermittent text on screen that I hadn't
> > written. It was the same attack as is mentioned at
> >
> >   http://www.bleepingcomputer.com/forums/topic314188.html
> >
> > The router was configured to be completely locked down and reject all
> > connections from the internet, even ping, but after a lot of looking
> > for viruses etc I eventually found what I think is the cause.
> >
> > Desktop Sharing has a setting: Automatically configure UPnP router to
> > open and forward ports. This setting was selected. I don't know when
> > it was turned on but it is not something I would want to use. The
> > router turned out to be UPnP configurable. This, I think, meant that
> > the desktop sharing software told the router to open up access. This
> > is not something I was aware of and I had not selected it.
> >
> > How is it best to protect Ubuntu users from unintentionally opening up
> > access as described above? (If it helps, my other desktop sharing
> > settings were completely open but nothing warned me of the danger.)
> >
> > James
>
> Hi,
>
> I just had a quick look here at what the default values for those
> settings are on a perfectly clean Ubuntu installation.
>
> Desktop sharing itself is disabled by default.
> When enabled, any connection will require explicit user confirmation
> through a popup message showing on your desktop.
>
> UPNP auto-configuration is never done automatically and requires the
> user to explicitly tick the "Automatically configure UPnP router to open
> and forward ports" option.
>
>
> So unless someone explicitly enables desktop sharing, then unticks "You
> must confirm each access to this machine" and ticks "Automatically
> configure UPnP router to open and forward ports.", what you described
> above simply isn't possible on an Ubuntu machine.
>
> As for clearly stating the risks, here is a copy/paste from the help
> message as can be accessed from the configuration dialog:
> """
> == Security ==
> It is important that you consider the full extent of what each security
> option means before changing it.
>
> === Confirm access to your machine ===
> If you want to be able to choose whether to allow someone to access your
> desktop, select You must confirm each access to this machine. If you
> disable this option, you will not be asked whether you want to allow
> someone to connect to your computer.
> This option is enabled by default.
>
> === Enable password ===
> To require other people to use a password when connecting to your
> desktop, select Require the user to enter this password. If you do not
> use this option, anyone can attempt to view your desktop.
> This option is disabled by default, but you should enable it and set a
> secure password.
>
> === Allow access to your desktop over the Internet ===
> If your router supports UPnP Internet Gateway Device Protocol and it is
> enabled, you can allow other people who are not on your local network to
> view your desktop. To allow this, select Automatically configure UPnP
> router to open and forward ports. Alternatively, you can configure your
> router manually.
> This option is disabled by default.
> """
>
> So my best guess here is that for some reason you at some point changed
> those settings and didn't realize what the UPnP option would do and
> apparently didn't read the help before changing those settings.
> Then some time later, someone scanned your router's IP address and
> discovered that the VNC port was open and then either brute-forced any
> password you may have set or directly connected if you didn't set one.
>
>
> You say you didn't select that setting, but obviously somebody or
> something did and somebody or something also unset the other setting
> forcing the confirmation prompt.
>
> As a conclusion, I believe the settings we ship Ubuntu with are
> perfectly sane and safe. It's not impossible that some external software
> you downloaded may have tampered with those settings, but there's really
> little we can do about this (as if that's indeed the case, that software
> may just as well have bundled its own copy of a VNC server).
>
> --
> Stéphane Graber
> Ubuntu developer
> http://www.ubuntu.com
>
>
> --
> ubuntu-devel mailing list
> ubuntu-devel at lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
>
>


-- 
*Do not me Word attachments in email
See http://www.gnu.org/philosophy/no-word-attachments.html
*
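
Added example, not part of the original message: once ufw logging is on as suggested above, the log can be filtered for packets that came from outside the LAN and were blocked at the PC, which is exactly the traffic the router forwarded (for instance through a UPnP mapping to the standard VNC port, 5900). The sample log lines, host name and addresses are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# RFC 1918 ranges. A blocked packet whose source is outside them but whose
# destination is inside has been forwarded by the router, e.g. by a UPnP mapping.
LAN = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_lan(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on a garbled field
    return any(ip in net for net in LAN)


def forwarded_blocks(log_text):
    """Count [UFW BLOCK] entries per (source, protocol, destination port)
    for inbound IPv4 packets from an external source to a LAN address."""
    hits = Counter()
    for line in log_text.splitlines():
        if "[UFW BLOCK]" not in line:
            continue
        f = dict(re.findall(r"(\w+)=(\S*)", line))
        try:
            forwarded = not in_lan(f["SRC"]) and in_lan(f["DST"])
        except (KeyError, ValueError):
            continue  # truncated line or unparsable address
        if forwarded and f.get("IN"):
            hits[(f["SRC"], f.get("PROTO", "?"), f.get("DPT", "-"))] += 1
    return hits


# Constructed sample in the kernel-log format ufw writes; not real traffic.
# Host name, interface and addresses (documentation ranges) are made up.
SAMPLE_LOG = """\
Jan 22 09:10:01 desktop kernel: [ 812.10] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=192.168.1.20 LEN=60 TTL=49 PROTO=TCP SPT=50122 DPT=5900 SYN URGP=0
Jan 22 09:10:04 desktop kernel: [ 815.12] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=192.168.1.20 LEN=60 TTL=49 PROTO=TCP SPT=50122 DPT=5900 SYN URGP=0
Jan 22 09:12:30 desktop kernel: [ 961.40] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.168.1.20 LEN=60 TTL=51 PROTO=TCP SPT=41877 DPT=5900 SYN URGP=0
Jan 22 09:13:02 desktop kernel: [ 993.77] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:11:22:33:44:55:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=32 TTL=1 PROTO=2
Jan 22 09:14:11 desktop kernel: [1062.03] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:cc:08:00 SRC=192.168.1.33 DST=192.168.1.20 LEN=60 TTL=64 PROTO=TCP SPT=39001 DPT=5900 SYN URGP=0
"""

if __name__ == "__main__":
    for (src, proto, dpt), n in forwarded_blocks(SAMPLE_LOG).most_common():
        print(f"{n:3d} blocked  {src} -> {proto}/{dpt}")
```

On an Ubuntu system, feed it the contents of /var/log/ufw.log instead of SAMPLE_LOG; any hit means the router is still forwarding that port to the machine.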