Possible Security Concern

Earlier today, I noticed that my cursor was moving spontaneously, and that typing was occurring without my input. I immediately disconnected from the network and took a look at my system log files.

I noticed that the Vine VNC server was running with no password protection. I immediately launched the Vine Server application to check its settings, and found that in fact a password had been set. I clicked on the “Stop Server” button, and the user interface indicated that “The server is not running”. However, when I took a look at the active processes using the process status (PS) command, I found that the Vine Server was still running. A port scan against the loopback address confirmed that.

When I killed the Vine VNC process with “kill -9”, it immediately re-spawned a new, active VNC process.

So my questions are:

  1. Under what condition would the Vine VNC server launch with no password protection in spite of a password being set in the user interface?

  2. Under what condition would the Vine VNC server continue to run and listen for incoming connections after I had clicked on the “Stop Server” button in the user interface?

  3. Why would Vine automatically re-spawn a new VNC server process when the user interface indicated that the process was not running?

Here is the relevant entry from my system log:

Mar  2 13:19:12 173-100-55-23 com.apple.launchd.peruser.501[151] (VineServer[7740]): Exited: Killed
Mar  2 13:19:12 173-100-55-23 OSXvnc-server[9180]: Arguments: -rfbport 5900 -desktop 174-153-167-131.pools.spcsdns.net -rfbnoauth -SystemServer 1 -restartonuserswitch N -UnicodeKeyboard 0 -keyboardLoading Y -pressModsForKeys Y -EventTap 3 -swapButtons -rendezvous Y 
Mar  2 13:19:12 173-100-55-23 OSXvnc-server[9180]: Warning: No Auth specified, running with no password protection
Mar  2 13:19:12 173-100-55-23 OSXvnc-server[9180]: Main Bundle: /Library/Application Support/VineServer
Mar  2 13:19:12 173-100-55-23 OSXvnc-server[9180]: Loading Bundle /Library/Application Support/VineServer/Resources/TigerBundle.bundle
Mar  2 13:19:12 173-100-55-23 OSXvnc-server[9180]: Running in Little Endian
Mar  2 13:19:12 173-100-55-23 OSXvnc-server[9180]: Waiting for clients
Mar  2 13:19:12 173-100-55-23 OSXvnc-server[9180]: Using Private Event Source
Mar  2 13:19:12 173-100-55-23 OSXvnc-server[9180]: Using Dynamic Event Tap -- HID for console user
Mar  2 13:19:12 173-100-55-23 OSXvnc-server[9180]: Started Listener Thread on port 5900

OS: Mac OS X 10.6.2
Vine Server: 3.1.2b2
Connection type: PPP via Sprint PCS Wireless Broadband

Thanks for your post; we take issues of security very seriously. Vine Server can be set to run as an application, or it can be set to run as a system-wide server that will run at the login panel and across user sessions (essentially showing whatever the main display shows).

You can access the settings for the System Server by choosing System Server from the Server menu. It will explicitly warn about running with no password, and it will never do that automatically; a person with root access to the machine must explicitly set that up. In this case you can tell that this was done by looking at the log you posted with these startup parameters:

  -rfbnoauth (Specifically request no password)
  -SystemServer 1 (Run as a system-level server across user sessions)
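A small audit script, added here as an illustration and not part of the original thread or of Vine Server itself, that reads syslog lines of the kind posted above and flags the two startup parameters the reply points to. It also pairs an OSXvnc-server start with a launchd "Exited" record in the same second, which is consistent with a launchd-managed job being respawned after a kill (an inference from the log, not something the reply states); the embedded sample reuses the posted log lines, and the regexes assume the 10.6-era syslog layout shown there.

```python
import re

# Constructed sample: the syslog lines quoted in the post above (same host, pids and arguments).
SAMPLE_LOG = """\
Mar  2 13:19:12 173-100-55-23 com.apple.launchd.peruser.501[151] (VineServer[7740]): Exited: Killed
Mar  2 13:19:12 173-100-55-23 OSXvnc-server[9180]: Arguments: -rfbport 5900 -desktop 174-153-167-131.pools.spcsdns.net -rfbnoauth -SystemServer 1 -restartonuserswitch N -UnicodeKeyboard 0 -keyboardLoading Y -pressModsForKeys Y -EventTap 3 -swapButtons -rendezvous Y
Mar  2 13:19:12 173-100-55-23 OSXvnc-server[9180]: Started Listener Thread on port 5900
"""
TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
ARGS_RE = re.compile(TS + r" \S+ OSXvnc-server\[(?P<pid>\d+)\]: Arguments: (?P<args>.*)$")
LAUNCHD_RE = re.compile(TS + r" \S+ com\.apple\.launchd\S*\[\d+\] \((?P<job>\w+)\[\d+\]\): Exited")

def parse_args(argstr):
    """Map '-rfbport 5900 -rfbnoauth ...' to a dict; bare flags map to True."""
    tokens = argstr.split()
    opts, i = {}, 0
    while i < len(tokens):
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            opts[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            opts[tokens[i]] = True
            i += 1
    return opts

def audit_vnc_log(text):
    """Return (pid, tag, detail) findings for every OSXvnc-server start in the log."""
    findings, last_exit = [], None
    for line in text.splitlines():
        m = LAUNCHD_RE.match(line)
        if m:  # launchd recorded one of its managed jobs exiting
            last_exit = (m.group("ts"), m.group("job"))
            continue
        m = ARGS_RE.match(line)
        if not m:
            continue
        pid, opts = m.group("pid"), parse_args(m.group("args"))
        port = opts.get("-rfbport", "5900")
        if "-rfbnoauth" in opts:
            findings.append((pid, "no-auth", f"listening on port {port} with no password (-rfbnoauth)"))
        if opts.get("-SystemServer") == "1":
            findings.append((pid, "system-server", "runs across sessions and at the login window; the per-user UI does not control it"))
        if last_exit and last_exit[0] == m.group("ts"):
            findings.append((pid, "launchd-respawn", f"started in the same second launchd logged {last_exit[1]} exiting; killing the pid will not stop a launchd-managed job"))
    return findings

if __name__ == "__main__":
    for pid, tag, detail in audit_vnc_log(SAMPLE_LOG):
        print(f"[{tag}] pid {pid}: {detail}")
```

On the sample it reports all three findings for pid 9180; feed it the real /var/log/system.log to check a machine.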

Yep, that was it exactly.

I accept responsibility for this misconfiguration, but I might suggest that it is slightly confusing to see that a password has been set in the Connection tab of the Vine Server Preferences window when the System Server is running in the background with no password required.

Similarly, it is confusing to see a user interface that indicates “The server is not running.” when the System Server is running in the background.

It seems like the configuration settings could be consolidated to reduce the likelihood of this kind of user error.

Cheers, and thanks for the quick reply.
-Jason Sewell

where is 3.1.2b2 available?

http://www.redstonesoftware.com/downloads/VineServer3.1Beta2.dmg