[X2Go-Dev] x2go and (none)security

Mike Gabriel mike.gabriel at das-netzwerkteam.de
Sun May 19 15:19:31 CEST 2013


Hi all,

On Sat 18 May 2013 21:48:30 CEST Richard Weinberger wrote:

> while reviewing x2go I've encountered issues which scared the hell out of me.
> The client seems to perform zero input validation. A rogue server can easily crash the client
> and most likely execute arbitrary code.
> For example x2goSession ONMainWindow::getSessionFromString ( const QString& string ), it is fed with input from the server.
> ---
>     QStringList lst=string.split ( '|' );
>     x2goSession s;
>     s.agentPid=lst[0];
>     s.sessionId=lst[1];
>     s.display=lst[2];
>     s.server=lst[3];
>     s.status=lst[4];
>     s.crTime=lst[5];
>     s.cookie=lst[6];
>     s.clientIp=lst[7];
>     s.grPort=lst[8];
>     s.sndPort=lst[9];
> ---
> If a line from the server does not have enough "|" we end up with out-of-bound array access.
> The source is full of such issues.

Can you please file a bug against X2Go Client, so that we do not lose
this on the list. Those issues have to be fixed. Please mark them as grave:

To: submit at bugs.x2go.org
Subject: <a-good-one>
"""
Package: x2goclient
Version: 4.0.1.0
Severity: grave

<your-bug-description>
"""

> Finally I've also looked at the server.
> In short, the 90's called, they want their setuid bugs back.
> x2gosqlitewrapper.c is just wrong, anyone can make it execute whatever binary he wants with higher privileges.

This one Richard and I have fixed during last night. The issues were  
present in X2Go Server and the broker agent in X2Go Session Broker.  
Please upgrade X2Go Server ( -> 4.0.0.2) and X2Go Session Broker ( ->  
0.0.2.1). This is highly recommended!!!

> But it's not only the code that worries me.
> On Windows the client executes sshd and x11 by default. Both are listening on all available IP-Addresses.
> You silently install a user "sshuser" on Windows, which has the password of the currently logged in Windows user and give
> him a login shell.

Huuhhhh...

@Alex: this sounds wrong to me... isn't it possible to launch an SSH  
daemon under the user's ID that is currently logged on (on some non-22  
port)???

> I haven't seen such a trainwreck of software for a long time.
> By installing it on my system you've successfully backdoor'ed my  
> clients and the server.

Let's continue working together to remove those trainwreck bits and
pieces and X2Go possibly becomes suitable for you.

Improving X2Go...
Mike


-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb