Hi all,
On Sat 18 May 2013 21:48:30 CEST Richard Weinberger wrote:
while reviewing x2go I've encountered issues which scared the hell out of me. The client seems to perform zero input validation. A rogue server
can easily crash the client and most likely execute arbitrary code. For example x2goSession ONMainWindow::getSessionFromString ( const
QString& string ), it is fed with input from the server.

    QStringList lst=string.split ( '|' );
    x2goSession s;
    s.agentPid=lst[0];
    s.sessionId=lst[1];
    s.display=lst[2];
    s.server=lst[3];
    s.status=lst[4];
    s.crTime=lst[5];
    s.cookie=lst[6];
    s.clientIp=lst[7];
    s.grPort=lst[8];
    s.sndPort=lst[9];
If a line from the server does not contain enough "|" we end up with
out-of-bounds array access. The source is full of such issues.
Can you please file a bug against X2Go Client, so that we do not lose
this on the list. Those issues have to be fixed. Please mark them as grave:

    To: submit@bugs.x2go.org
    Subject: <a-good-one>
    """
    Package: x2goclient
    Version: 4.0.1.0
    Severity: grave

    <your-bug-description>
    """
Finally I've also looked at the server. In short, the 90's called, they want their setuid bugs back. x2gosqlitewrapper.c is just wrong; anyone can make it execute
whatever binary he wants with higher privileges.
This one Richard and I have fixed during last night. The issues were
present in X2Go Server and the broker agent in X2Go Session Broker.
Please upgrade X2Go Server ( -> 4.0.0.2) and X2Go Session Broker ( ->
0.0.2.1). This is highly recommended!!!
But it's not only the code that worries me. On Windows the client executes sshd and x11 by default. Both are
listening on all available IP addresses. You silently install a user "sshuser" on Windows, which has the
password of the currently logged in Windows user, and give him a login shell.
Huuhhhh...
@Alex: this sounds wrong to me... isn't it possible to launch an SSH
daemon under the user's ID that is currently logged on (on some non-22
port)???
I haven't seen such a trainwreck of software for a long time. By installing it on my system you've successfully backdoor'ed my
clients and the server.
Let's continue working together to remove those trainwreck bits and
pieces, and X2Go possibly becomes suitable for you.
Improving X2Go... Mike
--
DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...
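The unchecked field indexing Richard quotes from getSessionFromString() above, rewritten with the length check it is missing, as an added example that is not X2Go's code. It uses plain std::string in place of QString so it compiles without Qt; the names X2goSession, splitFields, isDecimal and parseSessionLine are mine, the sample lines are constructed, and the rule that the PID and port fields must be decimal digits is an assumption made for this example, not something the thread states.

```cpp
#include <cctype>
#include <cstddef>
#include <iostream>
#include <optional>
#include <string>
#include <vector>

// Field layout taken from the getSessionFromString() snippet quoted above;
// plain std::string stands in for QString so this compiles without Qt.
struct X2goSession {
    std::string agentPid, sessionId, display, server, status,
                crTime, cookie, clientIp, grPort, sndPort;
};

// The client indexes lst[0]..lst[9], so a well-formed line has 10 fields.
constexpr std::size_t kSessionFields = 10;

// Splits on a single delimiter and keeps empty fields, matching what
// QString::split('|') hands back (an input with no '|' yields one field).
std::vector<std::string> splitFields(const std::string& line, char delim) {
    std::vector<std::string> out;
    std::string cur;
    for (char c : line) {
        if (c == delim) {
            out.push_back(cur);
            cur.clear();
        } else {
            cur.push_back(c);
        }
    }
    out.push_back(cur);
    return out;
}

// Assumption for this example: PID and port fields are plain decimal digits.
bool isDecimal(const std::string& s) {
    if (s.empty()) return false;
    for (unsigned char c : s) {
        if (!std::isdigit(c)) return false;
    }
    return true;
}

// Hardened parser. The original assigns lst[0]..lst[9] without looking at
// lst.size(), so a short line from the server indexes past the end of the
// list. Here a line with too few fields, or with non-numeric PID/port fields,
// is rejected and the caller gets std::nullopt instead of a session built
// from out-of-bounds reads. Extra trailing fields are tolerated.
std::optional<X2goSession> parseSessionLine(const std::string& line) {
    const std::vector<std::string> lst = splitFields(line, '|');
    if (lst.size() < kSessionFields) {
        return std::nullopt;  // too few fields: refuse rather than index blindly
    }
    X2goSession s;
    s.agentPid  = lst[0];
    s.sessionId = lst[1];
    s.display   = lst[2];
    s.server    = lst[3];
    s.status    = lst[4];
    s.crTime    = lst[5];
    s.cookie    = lst[6];
    s.clientIp  = lst[7];
    s.grPort    = lst[8];
    s.sndPort   = lst[9];
    if (!isDecimal(s.agentPid) || !isDecimal(s.grPort) || !isDecimal(s.sndPort)) {
        return std::nullopt;  // numeric fields carrying garbage: reject the line
    }
    return s;
}

int main() {
    // Constructed sample lines, not captured X2Go traffic.
    const char* lines[] = {
        "4711|alice-50-1368900000|50|x2gohost|R|2013-05-18T21:48:30|deadbeef|192.0.2.10|30001|30002",
        "4711|alice-50",                // truncated: the unchecked parser would read past lst[1]
        "pid|s|50|h|R|t|c|ip|port|x",   // right field count, non-numeric pid/ports
    };
    for (const char* l : lines) {
        std::optional<X2goSession> s = parseSessionLine(l);
        std::cout << (s ? "accepted display " + s->display : std::string("rejected"))
                  << ": " << l << '\n';
    }
    return 0;
}
```

The point of the example is where the check sits: the size test runs before any index is touched, so a truncated line is turned into a parse failure the caller can log and drop, instead of a memory-safety bug decided by what happens to be past the end of the list.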