
Akytarus (macrumors newbie, original poster, joined Jan 6, 2011):
[attached screenshot: Screenshot 2023-02-21 at 3.37.51 AM.png]


Why does this work? It allows a non-admin account to connect to, and view/control, an admin session without the admin password?!

ssh -p 2244 akytarus@remote-host -L 15900:127.0.0.1:5900
(login as non-admin account)

**Crazy thing is I'm doing this over the public internet from one computer in country A to a totally different computer in country B (over 8,300 km)...!


so RDP to localhost port 15900...


[attached screenshot: Screenshot 2023-02-21 at 3.53.44 AM.png]

leads to...
[attached screenshot: Screenshot 2023-02-21 at 3.54.42 AM.png]

View of the admin desktop with complete remote control, without being asked for permission on the remote side...?!
 

lukas.j (macrumors member, joined Jun 16, 2022):
"Share the display" is a request to the user on the other computer. Without his/her confirmation by clicking on "Allow XY to watch your display", you won't gain access.
 

Akytarus (macrumors newbie, original poster, joined Jan 6, 2011):
> "Share the display" is a request to the user on the other computer. Without his/her confirmation by clicking on "Allow XY to watch your display", you won't gain access.

I have verified this multiple times with someone watching on the remote computer.
It does not ask or prompt the other remote computer for permission. After clicking Connect, the shared desktop is immediately displayed with full access. This is the problem.
 

jaytv111 (macrumors 6502a, joined Oct 25, 2007):
You use a password on the SSH side to login to the computer.

On the RDP side you need to review this article and figure out the access privileges you want: https://support.apple.com/guide/remote-desktop/set-access-privileges-apdfab787da/mac

Normally people don't have VNC server enabled on their Mac (by default it's firewalled and disabled). And they don't port forward from NAT the VNC port to their Mac. The biggest risk is if they enabled all this and didn't figure out how to use the access controls properly.
 

Akytarus (macrumors newbie, original poster, joined Jan 6, 2011):
> You use a password on the SSH side to login to the computer.
>
> On the RDP side you need to review this article and figure out the access privileges you want: https://support.apple.com/guide/remote-desktop/set-access-privileges-apdfab787da/mac
>
> Normally people don't have VNC server enabled on their Mac (by default it's firewalled and disabled). And they don't port forward from NAT the VNC port to their Mac. The biggest risk is if they enabled all this and didn't figure out how to use the access controls properly.

This is what the client wants...

Secure remote access to a remote computer on an account-per-account basis.

MAC1 -> SSH tunnel via public internet to MAC2 -> map MAC2 RDP port via secure SSH tunnel back to MAC1 via localhost loopback port -> create RDP session to mapped loopback port on MAC1

But be limited to only being able to start or connect to their own "User Account" session, not anyone else's (especially not an admin session).

What happens is, once the SSH tunnel is created with the embedded "remote RDP port to localhost RDP port map", an RDP session is created (127.0.0.1:15900), making the local Mac think the session is local and not remote, allowing the session to connect to any sessions that are running on the remote host MAC2, no questions asked.

Possibly because the current MAC1 is logged into a local admin account, but definitely not the same admin account as the remote MAC2 computer. (Broken security!)

Now if I try this on a local network between two Macs, not using a local loopback re-mapped port, e.g. 192.168.1.101:15900 ... I'm prompted each time to enter the current user session's password, or the remote host is given a pop-up to allow control (working security as expected)!
 

jaytv111 (macrumors 6502a, joined Oct 25, 2007):
> This is what the client wants...
>
> Secure remote access to a remote computer on an account-per-account basis.
>
> MAC1 -> SSH tunnel via public internet to MAC2 -> map MAC2 RDP port via secure SSH tunnel back to MAC1 via localhost loopback port -> create RDP session to mapped loopback port on MAC1
>
> But be limited to only being able to start or connect to their own "User Account" session, not anyone else's (especially not an admin session).
>
> What happens is, once the SSH tunnel is created with the embedded "remote RDP port to localhost RDP port map", an RDP session is created (127.0.0.1:15900), making the local Mac think the session is local and not remote, allowing the session to connect to any sessions that are running on the remote host MAC2, no questions asked.
>
> Possibly because the current MAC1 is logged into a local admin account, but definitely not the same admin account as the remote MAC2 computer. (Broken security!)
>
> Now if I try this on a local network between two Macs, not using a local loopback re-mapped port, e.g. 192.168.1.101:15900 ... I'm prompted each time to enter the current user session's password, or the remote host is given a pop-up to allow control (working security as expected)!

And what account is being used on the SSH side? Because it's only getting access that's granted to the SSH user you are using to login. If that user has admin access then there's your problem. It wouldn't matter if it's VNC or SSH, the user still has access to what it has been granted to.

You basically gave the user all this access from the SSH side, then you complain that it's not limiting your access on the VNC side. That's not an effective security solution. Someone who knows terminals will be able to screw around with admin access without needing VNC at all.
 

Akytarus (macrumors newbie, original poster, joined Jan 6, 2011):
> And what account is being used on the SSH side? Because it's only getting access that's granted to the SSH user you are using to login. If that user has admin access then there's your problem. It wouldn't matter if it's VNC or SSH, the user still has access to what it has been granted to.
>
> You basically gave the user all this access from the SSH side, then you complain that it's not limiting your access on the VNC side. That's not an effective security solution. Someone who knows terminals will be able to screw around with admin access without needing VNC at all.

The SSH login is in user land and is NOT an admin account... Just the computer being used is logged into its main OS account (the computer in front of me), not the SSH tunnel, so it should not have any admin access at all to a remote system..?!?!
 

jaytv111 (macrumors 6502a, joined Oct 25, 2007):
> The SSH login is in user land and is NOT an admin account... Just the computer being used is logged into its main OS account (the computer in front of me), not the SSH tunnel, so it should not have any admin access at all to a remote system..?!?!

If you need to configure what remote users are allowed then follow this: https://www.wikihow.com/Set-Up-VNC-on-Mac-OS-X

Look at the part where it says "allow access only for these users" and put in users you want to be able to access it at all.

I'm pretty sure just by being able to SSH into the machine you're granted access to the screen by itself. On most systems you can set up display forwarding and start X11, Mac is no different in that regard. Again all the access granted to the remote user is granted by the SSH session. If something needs admin access, it will probably prompt you for the password. A lot like how sudo-ing is usually done by entering the password at the prompt.
 

svenmany (macrumors demi-god, joined Jun 19, 2011):
Why are you saying "RDP" in any of this? You're just using VNC, right? If I let myself be too literal when reading your diagram, it seems like you're trying to get VNC access to a screen that is running some admin user's RDP session?

The top 6 blue boxes are doing something trivial, just setting up port forwarding from the local machine's 15900 to the remote machine's 5900. It seems the remote machine, with respect to the request to share the screen, is simply seeing the request as if coming from a person sitting at that machine. I assume that the credentials you give are credentials for a non-admin user on the remote machine. Is that right?
 

Akytarus (macrumors newbie, original poster, joined Jan 6, 2011):
> Why are you saying "RDP" in any of this? You're just using VNC, right? If I let myself be too literal when reading your diagram, it seems like you're trying to get VNC access to a screen that is running some admin user's RDP session?
>
> The top 6 blue boxes are doing something trivial, just setting up port forwarding from the local machine's 15900 to the remote machine's 5900. It seems the remote machine, with respect to the request to share the screen, is simply seeing the request as if coming from a person sitting at that machine. I assume that the credentials you give are credentials for a non-admin user on the remote machine. Is that right?

^^ Answer: Yes - using a non-admin user for both SSH and session/screen sharing ^^

RDP = Remote Desktop Protocol - I don't know what else to call it, as I am NOT using "VNC", "RealVNC", "TightVNC" etc.

I'm NOT trying to connect to an admin account session on a remote machine. I just want the SSH user account used to connect to the remote machine to connect to their own desktop session, and not be able to choose whoever else's session they want, including any admin session that happens to be running! This doesn't seem to be right.

FYI... I'm using Apple's own software to connect; that's why I call it RDP, or I guess just call it "Screen Sharing".
I thought Apple had its own proprietary system protocol. Does it really only use some variant of the VNC protocol? As I have all VNC options switched off in OS X's Sharing/Management settings.

[attached screenshot: Screenshot 2023-02-22 at 2.56.00 AM.png]
 

svenmany (macrumors demi-god, joined Jun 19, 2011):
> ^^ Answer: Yes - using a non-admin user for both SSH and session/screen sharing ^^
>
> RDP = Remote Desktop Protocol - I don't know what else to call it, as I am NOT using "VNC", "RealVNC", "TightVNC" etc.
>
> I'm NOT trying to connect to an admin account session on a remote machine. I just want the SSH user account used to connect to the remote machine to connect to their own desktop session, and not be able to choose whoever else's session they want, including any admin session that happens to be running! This doesn't seem to be right.
>
> FYI... I'm using Apple's own software to connect; that's why I call it RDP, or I guess just call it "Screen Sharing".
> I thought Apple had its own proprietary system protocol. Does it really only use some variant of the VNC protocol? As I have all VNC options switched off in OS X's Sharing/Management settings.

RDP is a Microsoft protocol. Port 5900 is the usual port for the VNC protocol. Apple's screen sharing is based on the VNC protocol. So I was being too literal when reading your post. Sorry I added that noise to the discussion.

If you really have duplicated the exact security settings when testing without port forwarding, then you might have discovered an exploit that should be reported. But, you should check very carefully for any configuration differences between the two scenarios that you've set up.

In the port forwarding setup, the remote machine thinks a VNC connection is being initiated from loopback interface rather than an external one. I suppose Apple's VNC server could be dropping its guard with respect to that private network interface, but I think that's a stretch. Try to port forward to the remote machine's external address instead; see if that makes a difference.

As an aside, the choice of ssh user is unrelated to the user trying to establish the screen sharing session. The ssh user is simply setting up the ssh tunnel. The screen sharing session is using that tunnel and different credentials can be supplied for that session.
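The points made in this thread about the tunnel (the `-L 15900:127.0.0.1:5900` forward, and the remote server seeing the client arrive on its loopback interface) can be checked mechanically. The script below is an added example, not code from the thread or from any poster: it parses an `ssh -L` forwarding spec in ssh's `[bind_address:]port:host:hostport` grammar, parses the output of `lsof -nP -iTCP -sTCP:LISTEN` on the local Mac to confirm the tunnel endpoint actually listens on loopback only (so nobody else on MAC1's network can ride the tunnel to MAC2's screen sharing), and notes when the remote server will see the connection as coming from 127.0.0.1, which means the remote access controls must not depend on source address. The `lsof` samples, the PID and the user name are constructed for the example.

```python
"""Audit an `ssh -L` local forward and its resulting listener (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
# Bind addresses that make a -L listener reachable from other hosts.
WILDCARD = {"*", "0.0.0.0", "::", ""}


@dataclass
class Forward:
    bind_address: Optional[str]  # None = ssh default (loopback unless GatewayPorts / -g)
    local_port: int
    target_host: str             # resolved on the *remote* side by sshd
    target_port: int


def _split_spec(spec: str) -> List[str]:
    """Split on ':' while keeping bracketed IPv6 literals such as [::1] intact."""
    parts, buf, i = [], "", 0
    while i < len(spec):
        c = spec[i]
        if c == "[":
            j = spec.index("]", i)
            buf += spec[i + 1:j]
            i = j + 1
            continue
        if c == ":":
            parts.append(buf)
            buf = ""
        else:
            buf += c
        i += 1
    parts.append(buf)
    return parts


def parse_forward_spec(spec: str) -> Forward:
    """Parse `[bind_address:]port:host:hostport`, the grammar ssh uses for -L."""
    parts = _split_spec(spec)
    if len(parts) == 3:
        bind, port, host, hostport = None, *parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError(f"not a valid -L spec: {spec!r}")
    return Forward(bind, int(port), host, int(hostport))


def parse_listeners(lsof_text: str) -> List[Tuple[str, str, int]]:
    """Parse `lsof -nP -iTCP -sTCP:LISTEN` lines into (command, address, port)."""
    out = []
    for line in lsof_text.splitlines():
        tok = line.split()
        if len(tok) < 2 or tok[-1] != "(LISTEN)":
            continue  # header line or non-listening socket
        addr, port = tok[-2].rsplit(":", 1)
        out.append((tok[0], addr.strip("[]"), int(port)))
    return out


def audit(fwd: Forward, listeners, gateway_ports: bool = False) -> dict:
    """Return {'ok': bool, 'findings': [(level, message), ...]}.

    A 'warn' finding means the tunnel endpoint is reachable beyond this host;
    'info' findings describe what the remote server will observe.
    """
    findings = []
    if fwd.bind_address is None:
        if gateway_ports:
            findings.append(("warn", "no bind address with GatewayPorts/-g: listener is on all interfaces"))
    elif fwd.bind_address in WILDCARD:
        findings.append(("warn", f"bind address {fwd.bind_address!r} exposes port {fwd.local_port} to the network"))
    elif fwd.bind_address not in LOOPBACK:
        findings.append(("warn", f"bind address {fwd.bind_address} is not a loopback address"))

    seen = [l for l in listeners if l[2] == fwd.local_port]
    if not seen:
        findings.append(("warn", f"no LISTEN socket on port {fwd.local_port}; is the tunnel up?"))
    for cmd, addr, port in seen:
        if addr not in LOOPBACK:
            findings.append(("warn", f"{cmd} listens on {addr}:{port}, reachable from other hosts"))
    if fwd.target_host in LOOPBACK:
        findings.append(("info", f"remote service on port {fwd.target_port} sees the client as "
                                 f"{fwd.target_host}; its access controls must not rely on source address"))
    return {"ok": not any(level == "warn" for level, _ in findings), "findings": findings}


# Constructed lsof output: the expected state after `ssh ... -L 15900:127.0.0.1:5900`.
SAFE_LSOF = """\
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ssh     41237  alice    5u  IPv4 0xdead      0t0  TCP 127.0.0.1:15900 (LISTEN)
ssh     41237  alice    6u  IPv6 0xbeef      0t0  TCP [::1]:15900 (LISTEN)
"""
# Constructed lsof output: what `-g` / `GatewayPorts yes` or a `*:` bind would produce.
EXPOSED_LSOF = """\
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ssh     41237  alice    5u  IPv4 0xdead      0t0  TCP *:15900 (LISTEN)
"""

if __name__ == "__main__":
    fwd = parse_forward_spec("15900:127.0.0.1:5900")
    for label, text in (("safe", SAFE_LSOF), ("exposed", EXPOSED_LSOF)):
        result = audit(fwd, parse_listeners(text))
        print(label, "ok" if result["ok"] else "NOT ok")
        for level, msg in result["findings"]:
            print(f"  [{level}] {msg}")
```

Run it on a live machine by replacing the constructed samples with the real `lsof -nP -iTCP -sTCP:LISTEN` output; a clean result only says the tunnel endpoint is private to MAC1, which is why the per-user restriction still has to come from the Screen Sharing access list on MAC2 rather than from the tunnel.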
 