Ubuntu

no logs or log files in vino

Reported by H.S. on 2009-02-16
This bug affects 11 people
Affects Status Importance Assigned to Milestone
vino
In Progress
Wishlist
vino (Ubuntu)
Wishlist
Unassigned

Bug Description

Hello,

This is on a fully updated Ubuntu Hardy.

It appears that Vino does not save any logs anywhere in the /var/log directory. I was not able to find any logs in the ~/ directory either.

Log files are extremely useful in debugging if something went wrong or to audit a system to examine a security breach.

It would be a great idea if a logging feature were enabled in Vino and logs could be obtained in either /var/log or ~/.vino directories somewhere.

Regards.
->HS

Sebastien Bacher (seb128) wrote :

Thank you for your bug report. The issue is an upstream one and it would be nice if somebody having it could send the bug to the people writing the software (https://wiki.ubuntu.com/Bugs/Upstream/GNOME).

Changed in vino (Ubuntu):
importance: Undecided → Wishlist
Jonh Wendell (wendell) on 2009-10-19
Changed in vino:
importance: Undecided → Unknown
status: New → Unknown
Changed in vino (Ubuntu):
status: New → Triaged
Bill Wheatley (bwheatley) wrote :

Seeing as someone just remotely connected to my vino server even though I said only connections via localhost (ssh tunnel), it would have been nice to be able to read vino logs to see wtf was going on.

Changed in vino:
status: Unknown → Confirmed
J M Smith (cob-amplifier) wrote :

It appears that I had the same thing happen to me today... vino version 2.28.2-0ubuntu2. I also

Appeared to be someone controlling my desktop - I was able to simultaneously (with the apparent invader) control the mouse pointer and was able to shut the system down. Since vino has no apparent logging system, I don't have any other details. None of my other logs seem to show anything funny going on.

Changed in vino:
importance: Unknown → Medium

I just had a similar experience. Someone (two IPs) just connected to my machine. I had set it to listen only on the local network as well and also to require a password. The first person to connect seemed like a bot scanner and didn't do anything. The IP's first octet was in the 88.x.x.x, I believe. Next, a person connected from their residential Internet address a few minutes later and I opened up a text editor to alert the connecting person that I knew what was up. They typed back into my text editor and confirmed that they were human. So, from all this, I am very concerned for a few reasons because there might be some vulnerability being exploited. Here are the things I am considering...

* DMZ host or NAT port forwarding allowed external user to connect to internal interface (was enabled in my case)
* password was guessed (possible)
* someone has 0day to bypass VNC password prompt (improbable, but not totally unlikely given the recent VNC noauth bug that was published)

Only way to find out would be to see some better logging. For instance, did the remote attacker authenticate with a password or not??? And what were the IPs of both connecting users? I will not know now because of the failure to log this information by vino server. If there is a 0day, lots of vino/vnc users are going to be in trouble...

I think this should now be tagged as a security vulnerability since multiple people with complex passwords protecting their Vino servers have been compromised. It makes me think that Vino is vulnerable to the same vulnerability, or something similar, as below.

http://secunia.com/advisories/20107

Changed in vino (Ubuntu):
status: Triaged → Confirmed
Miguel Tavares (stryng) wrote :

Logs location under /home/.xsession-error* as follows:

1 - mtavares@ubuntu:~$ cd ~; find ./ -exec grep -il "vino" {} \;|grep xsession|while read line; do grep vino $line; done
vino-server: Fatal IO error 11 (Resource temporarily unavailable) on X server :0.0.

Also and for debugging:

netstat -antp|grep 5900|awk -F" " '{print $7}'|awk -F"/" '{print $1}'|tail -1|while read line; do ps -ef|grep $line; done|grep -v grep|awk -F" " '{print $3}'|xargs sudo strace -p

Regards
Miguel Tavares

bpowell (bpowell2008) wrote :

@Miguel: These commands may show errors Vino threw that caused a problem with execution, but the main issue (at least to me) is that there is no logging of when a client connected to Vino (either successfully, or with a failed password). I would like to know the following:

1: Time of connection attempt
2: Source IP
3: Failed password attempts
4: Successful connection time
5: Connection duration.

Also, these need to be available via System > Administration > Log File Viewer.

kristian is spot-on; this is a security issue. I can't very well tell folks how secure Ubuntu is if I can't properly audit who's logged into the system remotely via Vino (which is the default Ubuntu VNC server).

BP
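
A stopgap for the missing connection log discussed in this thread, as an added example that is not part of the original report and is not Vino code: it polls ss -tn for established connections to TCP port 5900 and sends connect/disconnect events with the source address to syslog. The port, the 5-second interval, the vnc-audit tag, the --watch switch and all function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: socket-polling audit trail for a VNC server that keeps no log.
VNC_PORT=5900   # assumption: default VNC port (display :0)

# Constructed sample of `ss -tn` output, for trying the parser offline.
sample_ss_output() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB  0      0      192.168.1.5:5900    203.0.113.7:51234
ESTAB  0      0      192.168.1.5:22      192.168.1.20:40022
ESTAB  0      0      [::1]:5900          [::1]:45678
EOF
}

# stdin: `ss -tn` output. stdout: sorted unique peer addresses of
# established connections whose local port is $VNC_PORT.
vnc_peers() {
    awk -v port="$VNC_PORT" '
        $1 == "ESTAB" && $4 ~ (":" port "$") {
            peer = $5
            sub(/:[0-9]+$/, "", peer)    # drop the peer port
            gsub(/^\[|\]$/, "", peer)    # unwrap [IPv6] brackets
            print peer
        }' | LC_ALL=C sort -u
}

# $1 = previous snapshot file, $2 = current snapshot file, $3 = timestamp.
# Prints one line per peer that appeared or disappeared between snapshots.
audit_diff() {
    tag='{ s = ($0 ~ /^127\./ || $0 == "::1") ? "loopback" : "non-loopback"
           print ts, ev, "src=" $0, "scope=" s }'
    LC_ALL=C comm -13 "$1" "$2" | awk -v ts="$3" -v ev=CONNECT "$tag"
    LC_ALL=C comm -23 "$1" "$2" | awk -v ts="$3" -v ev=DISCONNECT "$tag"
}

# Poll every 5 s and send changes to syslog under the tag "vnc-audit".
watch_vnc() {
    prev=$(mktemp); cur=$(mktemp)
    while :; do
        ss -tn | vnc_peers > "$cur"
        audit_diff "$prev" "$cur" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" |
            logger -t vnc-audit
        cp "$cur" "$prev"
        sleep 5
    done
}

if [ "${1:-}" = "--watch" ]; then watch_vnc; fi
```

Run the script with --watch to start polling. Polling misses sessions shorter than the interval and cannot tell whether a password was accepted, so it gives connection time, source IP and duration but not failed password attempts, which still need logging in Vino itself.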

dandor (dandorfs) wrote :

I also miss the logging feature from Vino. Today somebody started to control my desktop while I was on a mobilenet connection. I was very careless and supposed that I would always use my laptop from behind a NAT router. Some months ago I supposed to set up vino temporarily without a password and after this I forgot about that. Now while I was on my mobilenet connection without a proper firewall set up, somebody spotted the open VNC port on my machine and started controlling my desktop remotely. Now it would be very useful to analyze the logs of vino to identify the attacker. I guess there can be a lot of careless users in a similar situation with forgotten vino servers who would be curious about the details of attacks, since it is GNOME's default remote desktop tool.

Moz (moz-mozster) wrote :

just to add that I experienced a similar issue...

- vnc port was NOT open on the router
- upnp was enabled
- vino was not configured with a password

somebody connected to my pc and was trying to do something with the broadcast accounts - maybe post something to twitter? I'm not sure if it was a bot or a person...

I've since disabled upnp and vino, but would be useful to know further details from a vino log...

Changed in vino:
importance: Medium → Wishlist
status: Confirmed → In Progress

Exactly the same as everyone else: forgot about PnP, forgot that vino was enabled. Had an intrusion I spotted, but there's no log.

It's quite unbelievable that vino does not have a log, and I wouldn't call this a wishlist item. I'd call it a critical security issue.

This bug appears to be a huge security problem that allows remote clipboard
access. Vino should be considered insecure and untrustworthy.

References:
  http://www.ubuntu.com/usn/usn-1701-1
On Apr 19, 2012 5:30 PM, "JeffV" <email address hidden> wrote:

> Exactly the same as everyone else: forgot about PnP, forgot that vino
> was enabled. Had an intrusion I spotted, but there's no log.
>
> It's quite unbelievable that vino does not have a log, and I wouldn't
> call this a wishlist item. I'd call it a critical security issue.
