[X2Go-Dev] x2go and (none)security

Oleksandr Shneyder oleksandr.shneyder at obviously-nice.de
Tue May 21 12:18:01 CEST 2013


On 21.05.2013 11:01, Richard RW. Weinberger wrote:
> ----- Original Mail -----
>>> From: Oleksandr Shneyder <oleksandr.shneyder at obviously-nice.de>
>>> Subject: Re: [X2Go-Dev] x2go and (none)security
>>> Date: 21 May 2013 10:40:45 CEST
>>> To: x2go-dev at lists.berlios.de
>>> Cc: david at sigma-star.at, t.dierl at sigma-star.at
>>>
>>> Hello Richard,
>>>
>>> On 18.05.2013 21:48, Richard Weinberger wrote:
>>>> Hi x2go users/developers,
>>>>
>>>> while reviewing x2go I've encountered issues which scared the hell out
>>>> of me.
>>>> The client seems to perform zero input validation. A rough server can
>>>> easily crash the client and most likely execute arbitrary code.
>>>> For example x2goSession ONMainWindow::getSessionFromString ( const
>>>> QString& string ), it is fed with input from the server.
>>>> ---
>>>>    QStringList lst=string.split ( '|' );
>>>>    x2goSession s;
>>>>    s.agentPid=lst[0];
>>>>    s.sessionId=lst[1];
>>>>    s.display=lst[2];
>>>>    s.server=lst[3];
>>>>    s.status=lst[4];
>>>>    s.crTime=lst[5];
>>>>    s.cookie=lst[6];
>>>>    s.clientIp=lst[7];
>>>>    s.grPort=lst[8];
>>>>    s.sndPort=lst[9];
>>>> ---
>>>> If a line from the server does not contain enough "|", we end up with
>>>> an out-of-bounds array access.
>>>> The source is full of such issues.
>>>
>>> You are right, it is possible that X2Go Client can be crashed with the
>>> wrong output from the server. This issue could (and should) be easily
>>> fixed by replacing operator "[n]" with method "value(n)". However, I
>>> don't think that this issue is as dramatic as you described it. Why
>>> should someone open a SSH/X2GO connection to a "rough" server? I
>>> didn't see such a use case yet, where an administrator of a server
>>> wants to crash the client application on a machine of his user. If the
>>> root user on your Linux system is not an evil person who wants to crash
>>> the X2Go Client on your desktop, you should not worry about this issue.
>>> But if you are living in the world of BOFH, please don't use the X2Go
>>> Client until this issue is fixed. I'll fix it very soon.
> 
> Ever thought about client security?
> What happens if someone connects to another server?
> E.g. a support guy who needs to connect to other customers.
> Using x2go you can take over his machine and sniff passwords to access
> other customers.
> 
>>>> Finally I've also looked at the server.
>>>> In short, the 90's called, they want their setuid bugs back.
>>>> x2gosqlitewrapper.c is just wrong, anyone can make it execute
>>>> whatever binary he wants with higher privileges.
>>>
>>> Sorry, I don't understand what you are talking about. I did not find
>>> the file "x2gosqlitewrapper.c" in the source tree of package "x2go
>>> server". If you found a security problem in the recent x2goserver
>>> code, please open a bug report on the bug tracker, describe the problem
>>> and show how it can be used. In the best case show an example of an
>>> exploit and send a bug fix. Saying "it is just wrong, anyone can do
>>> something" is just your opinion without any arguments.
> 
> I showed Mike already how the exploit works. He already released a fixed version
> of x2goserver and x2gobroker. Both contained the same broken code.
> If you don't understand the issue I'll happily explain it to you in private but I'll
> not post exploits on a public mailing list.
> 
>>>
>>>> But it's not only the code that worries me.
>>>> On Windows the client executes sshd and x11 by default. Both are
>>>> listening on all available IP addresses.
>>>
>>> Yes, these components are required by X2Go Client. These services are
>>> configured by default to listen on all IP addresses. It is possible to
>>> configure them to listen for connections only on localhost, but I see
>>> it just as a "nice to have" feature. Starting these services is not
>>> creating a backdoor on the system, otherwise most UNIX machines would
>>> be backdoor'ed, because they run the same services. Furthermore, the
>>> SSHD used by X2Go is running only with user privileges and opens access
>>> for only one user and only shortly for each SSHFS connection. The rest
>>> of the time SSHD doesn't accept SSH connections. In addition, each
>>> Windows system has a firewall that by default is configured to drop
>>> incoming TCP connections. This makes SSHD and X11 accessible only from
>>> localhost.
>>>
>>>
>>>
>>>> You silently install a user "sshuser" on Windows, which has the
>>>> password of the currently logged in Windows user, and give him a
>>>> login shell.
>>>
>>> This is so untrue! X2Go Client cannot install users on a Windows
>>> system.
> 
> So? You install cygwin with a passwd file that maps to Windows users.
> sshd.exe uses that passwd file and one can log in via network.
> Of course you need to know the password. But you open a security risk
> just by making sshd and x11 listen on 0.0.0.0!
> 

The recent version of X2Go Client

http://code.x2go.org/releases/binary-win32/x2goclient/previews/4.0.1.0/x2goclient-4.0.1.0-pre02-setup.exe

does not install a passwd file, and it is not possible to log in to the
system via network with the user password.


>>> To be able to do something like that, X2Go Client must have
>>> administrator privileges. All X2Go Client components run with user
>>> privileges. SSHD opens SSH access for the current user and this is
>>> required for SSHFS, which is used to export client directories to the
>>> server. If you don't trust your server, just don't export your
>>> directories. And you should not do this, independent of what kind of
>>> network FS you are using. It is always possible that an untrusted
>>> server can manipulate your data or credentials. It's impossible to
>>> open a SSH connection to your client as long as you are not exporting
>>> directories to the server.
> 
> Then please make sshd listen on localhost and forward the ssh port to the Server...

This will break the LAN scenario, where X2Go Client is in the same LAN as
X2Go Server and a direct SSHFS connection can be established, which is
faster than a connection via reverse tunnel. By default the SSH port from
the client is forwarded to the server, and the Windows firewall with
default settings drops TCP connections from the network anyway. As long
as the Windows user doesn't deactivate the Windows Firewall I don't see a
security risk here.


> 
>>>
>>>> I haven't seen such a trainwreck of software for a long time.
>>>> By installing it on my system you've successfully backdoor'ed my
>>>> clients
>>>> and the server.
>>>
>>> I appreciate your criticism, but writing something like that in the ML
>>> of a community project is just not respecting the work of people who
>>> spent a lot of their time and costs to develop something useful for
>>> others.
> 
> I'm criticizing your code not you.
> If you cannot deal with that, not my problem.

I can deal with criticism, I don't like the way you did it.

regards,
Alex

> Thanks,
> //richard


-- 
Oleksandr Shneyder
Dipl. Informatik
X2go Core Developer Team

email:  oleksandr.shneyder at obviously-nice.de
web: www.obviously-nice.de

--> X2go - everywhere at home
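The input-validation point argued in this thread (indexing `lst[0]` .. `lst[9]` on a server-supplied line that may have fewer fields, versus a checked accessor such as `value(n)`), worked through as an added example. This is not X2Go code: it uses `std::string` and `std::vector` in place of `QString`/`QStringList` (assumption: no Qt available), keeps the ten-field order of the quoted `getSessionFromString` snippet, and goes one step further than the `value(n)` fix by rejecting lines with the wrong field count or non-numeric port fields outright. The sample lines are constructed, not real X2Go server output.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Field order taken from the quoted getSessionFromString snippet;
// std::string stands in for QString (assumption: no Qt available here).
struct Session {
    std::string agentPid, sessionId, display, server, status,
                crTime, cookie, clientIp, grPort, sndPort;
};

// getSessionFromString reads lst[0] .. lst[9], i.e. ten fields.
const std::size_t kSessionFields = 10;

// Split on sep like QString::split(QChar): empty parts are kept, so
// "a||b" yields three fields.
std::vector<std::string> splitFields(const std::string& line, char sep = '|') {
    std::vector<std::string> out;
    std::string cur;
    for (char c : line) {
        if (c == sep) { out.push_back(cur); cur.clear(); }
        else          { cur += c; }
    }
    out.push_back(cur);
    return out;
}

// Checked accessor in the spirit of QStringList::value(n): an index past
// the end yields an empty string rather than an out-of-bounds read.
std::string valueAt(const std::vector<std::string>& lst, std::size_t i) {
    return i < lst.size() ? lst[i] : std::string();
}

// Accept only decimal TCP port numbers 1..65535 (added strictness, not
// part of the original snippet, which stored the raw strings).
bool isPort(const std::string& f) {
    if (f.empty() || f.size() > 5) return false;
    for (char c : f) if (c < '0' || c > '9') return false;
    const int v = std::stoi(f);
    return v >= 1 && v <= 65535;
}

// Strict parser: a line from the server is accepted only if it has exactly
// the expected number of fields and sane port values; otherwise the caller
// gets false and an untouched `out`, instead of a half-filled record.
bool parseSession(const std::string& line, Session& out) {
    const std::vector<std::string> lst = splitFields(line);
    if (lst.size() != kSessionFields) return false;
    if (!isPort(valueAt(lst, 8)) || !isPort(valueAt(lst, 9))) return false;
    Session s;
    s.agentPid  = valueAt(lst, 0);
    s.sessionId = valueAt(lst, 1);
    s.display   = valueAt(lst, 2);
    s.server    = valueAt(lst, 3);
    s.status    = valueAt(lst, 4);
    s.crTime    = valueAt(lst, 5);
    s.cookie    = valueAt(lst, 6);
    s.clientIp  = valueAt(lst, 7);
    s.grPort    = valueAt(lst, 8);
    s.sndPort   = valueAt(lst, 9);
    out = s;
    return true;
}

// Constructed sample lines (not real X2Go server output).
const char* const kGoodLine =
    "4242|alex-50-1369130000_stD_dp24|50|srv.example|R|1369130000|"
    "0123456789abcdef|192.0.2.10|30001|30002";
const char* const kShortLine = "4242|alex-50-1369130000_stD_dp24|50";  // 3 fields

int main() {
    Session s;
    std::cout << "good line accepted:  " << parseSession(kGoodLine, s) << "\n";
    std::cout << "short line accepted: " << parseSession(kShortLine, s) << "\n";
    std::cout << "value(12) on a 3-field list is empty: "
              << valueAt(splitFields(kShortLine), 12).empty() << "\n";
    return 0;
}
```

The `value(n)`-style accessor alone stops the crash but silently fills the record with empty strings; the field-count check makes a truncated line a parse error the caller can log and drop, which is the behaviour a client talking to a server it does not fully trust should have.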
