[X2go-Dev] Untrusted library search path in x2gostartagent bash script

Hayawardh V hayawardh at gmail.com
Fri Jan 6 00:26:29 CET 2012


Hi,

There is an untrusted library search path vulnerability in x2gostartagent.

Lines 188, 189 in /usr/bin/x2gostartagent in the Ubuntu PPA package say:

LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:${X2GO_LIB}"
export LD_LIBRARY_PATH

If one of these is empty, then there will be an empty addendum to
LD_LIBRARY_PATH, which will make ld search for libraries in the current
working directory.

Programs xauth, x2goserver-run-extensions and x2gofeature (and the programs
further spawned by them, including perl, basename, find, grep, sort, bash
etc.) are launched with this insecure LD_LIBRARY_PATH.

Thus, the current working directory will be searched for shared libraries
when this command is launched.

Usually, x2gostartagent is launched over ssh, and the current working
directory will be the user's home directory.

The problem is that if a user is tricked into downloading a malicious
library off the Internet and saving it into his home directory, this
malicious library will be loaded and can take control of the user's process
when an x2go session is launched.

The fix is simply to check if either LD_LIBRARY_PATH or X2GO_LIB is empty.
I am pasting the patch below.

Please keep me updated on this issue.

Thanks,
Hayawardh Vijayakumar

--- /usr/bin/x2gostartagent     2012-01-05 17:48:07.843705023 -0500
+++ /usr/bin/x2gostartagent.fixed       2012-01-05 16:44:41.839705377 -0500
@@ -184,8 +184,13 @@

 X2GO_COOKIE=`mcookie`

+if [ ! ${LD_LIBRARY_PATH} ] || [ ! ${X2GO_LIB} ]
+then
+       LD_LIBRARY_PATH="${LD_LIBRARY_PATH}${X2GO_LIB}"
+else
+       LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:${X2GO_LIB}"
+fi

-LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:${X2GO_LIB}"
 export LD_LIBRARY_PATH

 PATH="${PATH}:${X2GO_BIN}/"
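
Review bot: The new `if` only tests whether each variable is empty as a whole, so an inherited LD_LIBRARY_PATH that already ends in `:` or contains `::` still goes through the `else` join with an empty element in it; dropping empty elements from the inherited value before joining would close that case too. The test itself expands both variables unquoted: it gives the right answer for an empty value only because `[ ! ]` degenerates to a one-argument test of the string `!`, and a value containing whitespace is split into several words that `[` either rejects with an error or evaluates as operators. `[ -z "${LD_LIBRARY_PATH}" ] || [ -z "${X2GO_LIB}" ]` states the intent directly. The unchanged context line `PATH="${PATH}:${X2GO_BIN}/"` uses the same unconditional colon join and is worth the same check for an empty PATH.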
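
The empty-element problem described in the report, as an added example that is not part of the original post or of x2goserver. It goes slightly beyond the patch by also dropping empty elements already present in the inherited value; the function names and the `/opt/...` paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not code from x2gostartagent.

# Return 0 if the colon-separated list $1 contains an empty element
# (leading colon, trailing colon, or "::"). Per the report, the loader
# resolves such an element to the current working directory.
has_empty_element() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print list $1 with directory $2 appended. Empty elements in $1 are
# dropped and no separator is written next to an empty operand.
# The body runs in a subshell so the IFS and noglob changes do not leak.
append_lib_dir() (
    out=
    IFS=:
    set -f                      # no pathname expansion while splitting
    for elem in $1; do
        if [ -n "$elem" ]; then
            out="${out:+$out:}$elem"
        fi
    done
    if [ -n "$2" ]; then
        out="${out:+$out:}$2"
    fi
    printf '%s\n' "$out"
)

# Constructed inherited values: the unconditional join from the report
# next to the guarded join.
for inherited in "" "/opt/a/lib" "/opt/a/lib:" ":/opt/a/lib"; do
    unsafe="${inherited}:/opt/example/lib"
    safe=$(append_lib_dir "$inherited" "/opt/example/lib")
    if has_empty_element "$unsafe"; then verdict="searches cwd"; else verdict="ok"; fi
    printf 'inherited=[%s] unsafe=[%s] (%s) safe=[%s]\n' \
        "$inherited" "$unsafe" "$verdict" "$safe"
done
```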