[X2go-Dev] Untrusted library search path in x2gostartagent bash script

Mike Gabriel mike.gabriel at das-netzwerkteam.de
Fri Jan 6 19:55:29 CET 2012


Hi Hayawardh,

On Fr 06 Jan 2012 00:26:29 CET Hayawardh V wrote:

> Hi,
>
> There is an untrusted library search path vulnerability in x2gostartagent.
>
> Lines 188,189 in /usr/bin/x2gostartagent in the Ubuntu PPA package say:
>
> LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:${X2GO_LIB}"
> export LD_LIBRARY_PATH
>
> If one of these is empty, then there will be an empty addendum to
> LD_LIBRARY_PATH, which will make ld search for libraries in the current
> working directory.
>
> Programs xauth, x2goserver-run-extensions and x2gofeature (and the programs
> further spawned by them, including perl, basename, find, grep, sort, bash
> etc.) are launched with this insecure LD_LIBRARY_PATH.
>
> Thus, the current working directory will be searched for shared libraries
> when this command is launched.
>
> Usually, x2gostartagent is launched over ssh, and the current working
> directory will be the user's home directory.
>
> The problem is that if a user is tricked into downloading a malicious
> library off the Internet and saves it into his home directory, this
> malicious library will be loaded and can take control of the user's process
> when an x2go session is launched.
>
> The fix is simply to check if either LD_LIBRARY_PATH or X2GO_LIB are empty.
> I am pasting the patch below.
>
> Please keep me updated on this issue.
>
> Thanks,
> Hayawardh Vijayakumar
>
> --- /usr/bin/x2gostartagent     2012-01-05 17:48:07.843705023 -0500
> +++ /usr/bin/x2gostartagent.fixed       2012-01-05 16:44:41.839705377 -0500
> @@ -184,8 +184,13 @@
>
>  X2GO_COOKIE=`mcookie`
>
> +if [ ! ${LD_LIBRARY_PATH} ] || [ ! ${X2GO_LIB} ]
> +then
> +       LD_LIBRARY_PATH="${LD_LIBRARY_PATH}${X2GO_LIB}"
> +else
> +       LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:${X2GO_LIB}"
> +fi
>
> -LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:${X2GO_LIB}"
>  export LD_LIBRARY_PATH
>
>  PATH="${PATH}:${X2GO_BIN}/"
>
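Review bot: the added test [ ! ${LD_LIBRARY_PATH} ] || [ ! ${X2GO_LIB} ] expands both variables unquoted, so a value containing whitespace is split into several words and [ either prints an error or evaluates a different expression than intended (a value such as "-f /some/file" becomes a file test). Quote the expansions and test for emptiness explicitly:

    if [ -z "${LD_LIBRARY_PATH}" ] || [ -z "${X2GO_LIB}" ]

The check also only covers a variable that is empty as a whole: an inherited LD_LIBRARY_PATH that already begins or ends with ":" or contains "::" still carries an empty element after this hunk. The unchanged context line PATH="${PATH}:${X2GO_BIN}/" joins in the same way and would yield a leading empty element if PATH were empty, so it deserves the same guard.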

Very sensible patch!!! Just committed...

Mike


-- 

DAS-NETZWERKTEAM
mike gabriel, dorfstr. 27, 24245 barmissen
fon: +49 (4302) 281418, fax: +49 (4302) 281419

GnuPG Key ID 0xB588399B
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
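The empty-element problem described in the report above, as an added example that is not part of the original thread or of x2gostartagent: two POSIX sh helpers, one that flags a search path containing an empty element and one that joins two values without ever producing one. The function names and the sample directories (/usr/lib/x2go, /opt/lib) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not x2gostartagent code. Names and sample paths are constructed.

# path_has_empty_element VALUE
# Returns 0 when VALUE contains an empty element (leading ":", trailing ":"
# or "::"), which the report describes as a search of the current working
# directory. A completely empty VALUE is treated as having no elements.
path_has_empty_element() {
    case "$1" in
        "")         return 1 ;;
        :*|*:|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# path_join A B
# Prints A and B joined with ":", skipping an empty argument and dropping
# empty elements already inside either one. The body runs in a subshell so
# the IFS and noglob changes do not leak into the caller.
path_join() (
    IFS=:
    set -f                      # no glob expansion while splitting
    out=""
    for elem in $1 $2; do       # unquoted on purpose: split on ":" only
        [ -n "$elem" ] || continue
        out="${out:+${out}:}${elem}"
    done
    printf '%s\n' "$out"
)

# The pattern from the report, with LD_LIBRARY_PATH empty (constructed values).
old=""
lib="/usr/lib/x2go"
naive="${old}:${lib}"
if path_has_empty_element "$naive"; then
    echo "naive join '$naive' has an empty element"
fi
echo "safe join: '$(path_join "$old" "$lib")'"
```

Unlike a whole-variable emptiness check, path_join also cleans up an inherited value that already carries a stray colon.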