On 01/12/2013 05:13 AM, James Harris wrote: > This is a security issue that allowed someone to get remote desktop > access to my Ubuntu machine even though the machine is behind a > firewall. I was going to report it as a bug but from the Launchpad > instructions it seems it is more a policy issue so am reporting it to > the mailing list that the page directed me to. > > Context: > * Recent upgrade to 12.04 LTS. (May or may not be related.) > * Home network behind NAT firewall. > * Home router configured to reject all incoming connections. > > Problem: Someone on the Internet gained access to my Ubuntu machine. > > Cause: Desktop Sharing preferences and other. > > Since the upgrade I found intermittent text on screen that I hadn't > written. It was the same attack as is mentioned at > > http://www.bleepingcomputer.com/forums/topic314188.html > > The router was configured to be completely locked down and reject all > connections from the internet, even ping, but after a lot of looking > for viruses etc I eventually found what I think is the cause. > > Desktop Sharing has a setting: Automatically configure UPnP router to > open and forward ports. This setting was selected. I don't know when > it was turned on but it is not something I would want to use. The > router turned out to be UPnP configurable. This, I think, meant that > the desktop sharing software told the router to open up access. This > is not something I was aware of and I had not selected it. > > How is it best to protect Ubuntu users from unintentionally opening up > access as described above? (If it helps, my other desktop sharing > settings were completely open but nothing warned me of the danger.) > > James
Hi, I just had a quick look here at what the default values for those settings are on a perfectly clean Ubuntu installation. Desktop sharing itself is disabled by default. When enabled, any connection will require explicit user confirmation through a popup message showing on your desktop. UPNP auto-configuration is never done automatically and requires the user to explicitly tick the "Automatically configure UPnP router to open and forward ports" option. So unless someone explicitly enables desktop sharing, then unticks "You must confirm each access to this machine" and ticks "Automatically configure UPnP router to open and forward ports.", what you described above simply isn't possible on an Ubuntu machine. As for clearly stating the risks, here is a copy/paste from the help message as can be accessed from the configuration dialog: """ == Security == It is important that you consider the full extent of what each security option means before changing it. === Confirm access to your machine === If you want to be able to choose whether to allow someone to access your desktop, select You must confirm each access to this machine. If you disable this option, you will not be asked whether you want to allow someone to connect to your computer. This option is enabled by default. === Enable password === To require other people to use a password when connecting to your desktop, select Require the user to enter this password. If you do not use this option, anyone can attempt to view your desktop. This option is disabled by default, but you should enable it and set a secure password. === Allow access to your desktop over the Internet === If your router supports UPnP Internet Gateway Device Protocol and it is enabled, you can allow other people who are not on your local network to view your desktop. To allow this, select Automatically configure UPnP router to open and forward ports. Alternatively, you can configure your router manually. This option is disabled by default. """ So my best guess here is that for some reason you at some point changed those settings and didn't realize what the UPnP option would do and apparently didn't read the help before changing those settings. Then some time later, someone scanned your router's IP address and discovered that the VNC port was open and then either brute-forced any password you may have set or directly connected if you didn't set one. You say you didn't select that setting, but obviously somebody or something did and somebody or something also unset the other setting forcing the confirmation prompt. As a conclusion, I believe the settings we ship Ubuntu with are perfectly sane and safe. It's not impossible that some external software you downloaded may have tempered with those settings, but there's really little we can do about this (as if that's indeed the case, that software may just as well have bundled its own copy of a VNC server). -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
signature.asc
Description: OpenPGP digital signature
-- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
