[X2Go-Dev] Bug#258: Bug#258: Bug#258: SECURITY: x2goclient allows clipboard sniffing

Alexander Wuerstlein snalwuer at cip.informatik.uni-erlangen.de
Mon Jul 1 16:01:32 CEST 2013


On 13-07-01 15:03, Christoph Anton Mitterer <calestyo at scientia.net> wrote:
> On Mon, 2013-07-01 at 13:43 +0200, Alexander Wuerstlein wrote: 
> > Yes, other related tools like X11. x2go is basically just a faster
> > version of the traditional xforwarding. In X11 every client can always
> > access the clipboard/selection/etc., so you will also have the same
> > security problems (by design). E.g. 'ssh -X user@evilhost "xclip -o"'
> > demonstrates this.
> Well but that "argument" doesn't really count:
> 1) Just because others do it plainly insecure, you cannot do it like
> this as well... like as if Gentoo would say "if Debian breaks their
> OpenSSL entropy, we should do so, too"... o.O

It isn't like that at all, X11 clients and servers have to comply with
the respective parts of the protocol. If the protocol demands insecure
behaviour, it's a design bug, or maybe, like in this case, a compromise
nobody likes: Since in X11 clients handle all the shortcuts and mouse
button events, since clients or toolkits handle the widgets, the only
option to implement C&P is to have clients ask the server for the
clipboard or selection contents. It's more a "there is no other way to do
it except to make it unusable" kind of problem imho.

> 2) Literally no one who has a decent mind of security, will allow other
> hosts to directly access their X server... because then you're (security-
> wise) anyway screwed...

I'm not only talking about 'xhost +' and the like, this would of course
be a major problem for more reasons than only the clipboard. And if you
wouldn't trust a host with 'ssh -X', then you also shouldn't trust it
with x2go. Just think of x2go as a variant of 'ssh -X' with image
compression and some extras. X11 protocol firewalling is not really one
of those extras. And since the x2goclient will always run in your local
X session, it will always be able to read your clipboard.

> And I thought NX would secure what's sent from remote in order to not
> be able to take over the input/output devices of the host's (whole)
> Xserver.

In a way, yes. Afaik you can avoid certain attacks of the "I'll attach
to the root window and get all key events" kind since windowed x2go
sessions give you a separate root window. But I imagine there are more
problems out there nobody thought of yet.



Ciao,

Alexander Wuerstlein.


