On 20.01.2011 15:39, Alexander Wuerstlein wrote:
> Forget that, /usr/bin/x2gopgwrapper is of course trivially exploitable to get root in 2 ways:
> - in the current git version, set 'startshadowagent' as the first parameter. Choose the 11th parameter in a way such that SHADOW_USER is set to 'root'. Set the second parameter ($CLIENT) to something like 'foo ; rm -fr /'. Profit.
> - in the git as well as the stable version, when the database is sqlite: the x2gopgwrapper_sqlite runs as root, meaning that any SQL injection into sqlite would run as root. One possible injection would set the sqlite output file to /etc/shadow (via .output /etc/shadow) and overwrite it with a customized version including a new root password chosen by the attacker. Profit.

I see, thank you Alexander. We'll fix it as quickly as possible.

Regards,
Oleksandr Shneyder
Dipl. Informatik
X2go Core Developer Team
email: oleksandr.shneyder@obviously-nice.de
web: www.obviously-nice.de
--> X2go - everywhere@home
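
Added example, not part of the original thread and not X2go code: a sketch of how a privileged wrapper can close both holes reported above, by allowlisting its arguments and passing them as an argv list (no shell), and by using the SQLite library with bound parameters, where sqlite3 shell dot-commands such as .output are not interpreted. The agent path, the table layout and the allowlist patterns are assumptions made for illustration.

```python
import re
import sqlite3

# Hypothetical agent path; the real wrapper's target is not shown in the thread.
AGENT = "/usr/local/bin/example-shadowagent"
# Assumed allowlists: no whitespace, quotes or shell/SQL metacharacters.
CLIENT_RE = re.compile(r"[A-Za-z0-9._:-]{1,64}")
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
FORBIDDEN_USERS = {"root"}  # assumption: never start the agent as root


def validate_args(shadow_user, client):
    """Reject wrapper arguments that fall outside the allowlists."""
    if not USER_RE.fullmatch(shadow_user):
        raise ValueError("invalid user name")
    if shadow_user in FORBIDDEN_USERS:
        raise ValueError("refusing privileged user")
    if not CLIENT_RE.fullmatch(client):
        raise ValueError("invalid client identifier")
    return shadow_user, client


def build_agent_argv(shadow_user, client):
    """Return an argv list for subprocess.run(argv) without shell=True, so
    the client string stays a single argument and no shell ever parses it."""
    user, client = validate_args(shadow_user, client)
    return [AGENT, user, client]


def sessions_for_client(conn, client):
    """Bound parameter: the input is data and never becomes SQL text."""
    cur = conn.execute(
        "SELECT session_id FROM sessions WHERE client = ?", (client,))
    return [row[0] for row in cur.fetchall()]


def demo_db():
    """Constructed in-memory database with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (session_id TEXT, client TEXT)")
    conn.executemany("INSERT INTO sessions VALUES (?, ?)",
                     [("s-1", "10.0.0.5"), ("s-2", "10.0.0.9")])
    return conn
```

Dropping privileges before touching the database, so that nothing in the query path runs as root, addresses the second report independently of the query construction.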