[X2Go-Dev] x2go and (none)security
Mike Gabriel
mike.gabriel at das-netzwerkteam.de
Sun May 19 15:19:31 CEST 2013
Hi all,
On Sa 18 Mai 2013 21:48:30 CEST Richard Weinberger wrote:
> while reviewing x2go I've encountered issues which scared hell out of me.
> The client seems to perform zero input validation. A rogue server
> can easily crash the client
> and most likely execute arbitrary code.
> For example x2goSession ONMainWindow::getSessionFromString ( const
> QString& string ), it is fed with input from the server.
> ---
> QStringList lst=string.split ( '|' );
> x2goSession s;
> s.agentPid=lst[0];
> s.sessionId=lst[1];
> s.display=lst[2];
> s.server=lst[3];
> s.status=lst[4];
> s.crTime=lst[5];
> s.cookie=lst[6];
> s.clientIp=lst[7];
> s.grPort=lst[8];
> s.sndPort=lst[9];
> ---
> If a line from the server does not have enough "|", we end up with
> out-of-bound array access.
> The source is full of such issues.
Can you please file a bug against X2Go Client, so that we do not lose
this on the list? Those issues have to be fixed. Please mark them as grave:
To: submit at bugs.x2go.org
Subject: <a-good-one>
"""
Package: x2goclient
Version: 4.0.1.0
Severity: grave
<your-bug-description>
"""
> Finally I've also looked at the server.
> In short, the 90's called, they want their setuid bugs back.
> x2gosqlitewrapper.c is just wrong, anyone can make it execute
> whatever binary he wants with higher privileges.
This one Richard and I have fixed during last night. The issues were
present in X2Go Server and the broker agent in X2Go Session Broker.
Please upgrade X2Go Server ( -> 4.0.0.2) and X2Go Session Broker ( ->
0.0.2.1). This is highly recommended!!!
> But it's not only the code that worries me.
> On Windows the client executes per default sshd and x11. Both are
> listening on all available IP-Addresses.
> You silently install a user "sshuser" on Windows, which has the
> password of the currently logged in Windows user and give
> him a login shell.
Huuhhhh...
@Alex: this sounds wrong to me... isn't it possible to launch an SSH
daemon under the user's ID that is currently logged on (on some non-22
port)???
> I haven't seen such a trainwreck of software for a long time.
> By installing it on my system you've successfully backdoor'ed my
> clients and the server.
Let's continue working together to remove those trainwreck bits and
pieces, and X2Go possibly becomes suitable for you.
Improving X2Go...
Mike
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
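
Added example, not part of the original mail or of X2Go's code: the field-count check that the quoted getSessionFromString snippet lacks, written in standard C++ rather than Qt. The names Session, splitPipe, parseSessionLine and kMinFields and the sample lines are assumptions made for illustration.

```cpp
#include <cstddef>
#include <iostream>
#include <optional>
#include <string>
#include <vector>

// Hypothetical stand-in for x2goSession, limited to the ten fields
// assigned in the quoted snippet.
struct Session {
    std::string agentPid, sessionId, display, server, status,
                crTime, cookie, clientIp, grPort, sndPort;
};

constexpr std::size_t kMinFields = 10;  // lst[0] .. lst[9] in the quoted code

// Split on '|' and keep empty fields, as QString::split does by default.
std::vector<std::string> splitPipe(const std::string& line) {
    std::vector<std::string> out;
    std::size_t start = 0;
    for (;;) {
        const std::size_t pos = line.find('|', start);
        if (pos == std::string::npos) { out.push_back(line.substr(start)); break; }
        out.push_back(line.substr(start, pos - start));
        start = pos + 1;
    }
    return out;
}

// Returns std::nullopt instead of indexing past the end of the list when
// the server sends a line with too few fields.
std::optional<Session> parseSessionLine(const std::string& line) {
    const std::vector<std::string> f = splitPipe(line);
    if (f.size() < kMinFields) return std::nullopt;
    return Session{f[0], f[1], f[2], f[3], f[4], f[5], f[6], f[7], f[8], f[9]};
}

int main() {
    // Constructed sample lines, not real server output.
    const std::string good = "1234|user-50-1|50|host|R|2013-05-19|abc|10.0.0.5|30001|30002";
    const std::string truncated = "1234|user-50-1";
    std::cout << (parseSessionLine(good) ? "accepted" : "rejected") << '\n';
    std::cout << (parseSessionLine(truncated) ? "accepted" : "rejected") << '\n';
}
```

The caller has to handle the empty result, for example by dropping the line and logging it, rather than continuing with a default-constructed session.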