Hi,

There is an untrusted library search path vulnerability in x2gostartagent.

Lines 188,189 in /usr/bin/x2gostartagent in the Ubuntu PPA package say:

LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:${X2GO_LIB}"
export LD_LIBRARY_PATH

If one of these is empty, then there will be an empty addendum to LD_LIBRARY_PATH, which will make ld search for libraries in the current working directory.

Programs xauth, x2goserver-run-extensions and x2gofeature (and the programs further spawned by them, including perl, basename, find, grep, sort, bash etc.) are launched with this insecure LD_LIBRARY_PATH. Thus, the current working directory will be searched for shared libraries when this command is launched.

Usually, x2gostartagent is launched over ssh, and the current working directory will be the user's home directory.

The problem is that if a user is tricked into downloading a malicious library off the Internet and saves it into his home directory, this malicious library will be loaded and can take control of the user's process when an x2go session is launched.

The fix is simply to check if either LD_LIBRARY_PATH or X2GO_LIB is empty. I am pasting the patch below.

Please keep me updated on this issue.

Thanks,
Hayawardh Vijayakumar

--- /usr/bin/x2gostartagent 2012-01-05 17:48:07.843705023 -0500 +++ /usr/bin/x2gostartagent.fixed 2012-01-05 16:44:41.839705377 -0500 @@ -184,8 +184,13 @@ X2GO_COOKIE=`mcookie` +if [ ! ${LD_LIBRARY_PATH} ] || [ ! ${X2GO_LIB} ] +then + LD_LIBRARY_PATH="${LD_LIBRARY_PATH}${X2GO_LIB}" +else + LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:${X2GO_LIB}" +fi -LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:${X2GO_LIB}" export LD_LIBRARY_PATH PATH="${PATH}:${X2GO_BIN}/"
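Review bot: the emptiness checks `[ ! ${LD_LIBRARY_PATH} ]` and `[ ! ${X2GO_LIB} ]` in the added `if` are unquoted, so a value containing whitespace makes `test` see extra arguments and fail with a syntax error rather than answering true or false; write them as `[ -z "${LD_LIBRARY_PATH}" ] || [ -z "${X2GO_LIB}" ]`. The branch logic is otherwise sound: the then-branch concatenates the two operands without a colon (so only the non-empty one survives), and the else-branch keeps the colon-joined form for the case where both are set. One caveat worth stating in the commit message: the patch only guards against an empty operand; an inherited LD_LIBRARY_PATH that already contains an empty element (a leading, trailing or doubled colon) is passed through unchanged, so the current-directory search described in the report remains possible in that case.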
Hi Hayawardh,

On Fr 06 Jan 2012 00:26:29 CET Hayawardh V wrote:
Hi,
There is an untrusted library search path vulnerability in x2gostartagent.
Lines 188,189 in /usr/bin/x2gostartagent in the Ubuntu PPA package say:
LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:${X2GO_LIB}" export LD_LIBRARY_PATH
If one of these is empty, then there will be an empty addendum to LD_LIBRARY_PATH, which will make ld search for libraries in the current working directory.
Programs xauth, x2goserver-run-extensions and x2gofeature (and the programs further spawned by them, including perl, basename, find, grep, sort, bash etc.) are launched with this insecure LD_LIBRARY_PATH.
Thus, the current working directory will be searched for shared libraries when this command is launched.
Usually, x2gostartagent is launched over ssh, and the current working directory will be the user's home directory.
The problem is that if a user is tricked into downloading a malicious library off the Internet and saves it into his home directory, this malicious library will be loaded and can take control of the user's process when an x2go session is launched.
The fix is simply to check if either LD_LIBRARY_PATH or X2GO_LIB is empty. I am pasting the patch below.
Please keep me updated on this issue.
Thanks, Hayawardh Vijayakumar
--- /usr/bin/x2gostartagent 2012-01-05 17:48:07.843705023 -0500 +++ /usr/bin/x2gostartagent.fixed 2012-01-05 16:44:41.839705377 -0500 @@ -184,8 +184,13 @@
X2GO_COOKIE=`mcookie`
+if [ ! ${LD_LIBRARY_PATH} ] || [ ! ${X2GO_LIB} ] +then
+elseLD_LIBRARY_PATH="${LD_LIBRARY_PATH}${X2GO_LIB}"
+fiLD_LIBRARY_PATH="${LD_LIBRARY_PATH}:${X2GO_LIB}"
-LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:${X2GO_LIB}" export LD_LIBRARY_PATH
PATH="${PATH}:${X2GO_BIN}/"
Very sensible patch!!! Just committed...

Mike

--
DAS-NETZWERKTEAM mike gabriel, dorfstr. 27, 24245 barmissen fon: +49 (4302) 281418, fax: +49 (4302) 281419
GnuPG Key ID 0xB588399B mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...
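The empty-element behaviour described in the report above, and a way to build LD_LIBRARY_PATH that cannot produce one, shown as an added example; this is not code from the thread or from x2go. The function names, the use of /usr/lib/x2go as a sample value for X2GO_LIB, and the inherited sample paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not x2go code. Shows how the join used in x2gostartagent
# produces an empty LD_LIBRARY_PATH element, how to detect such elements in
# a colon-separated search path, and how to append without creating one.
# Function names and the sample directories below are illustrative only.

# The original x2gostartagent assignment, as a function: an empty operand on
# either side leaves a bare leading or trailing colon in the result.
naive_join() {
    printf '%s' "$1:$2"
}

# The emptiness test exactly as the patch writes it, unquoted. It answers
# correctly for an empty or single-word value, but once the value contains
# whitespace `test` sees extra arguments and exits with a syntax error (2).
patch_style_is_empty() {
    [ ! $1 ] 2>/dev/null
}

# The quoted form: 0 for an empty value, 1 otherwise, never a syntax error.
quoted_is_empty() {
    [ -z "$1" ]
}

# Return 0 when a colon-separated search path contains an empty element
# (leading ':', trailing ':' or '::'). glibc's ld.so treats such an element
# as the current working directory (ld.so(8)). An entirely empty string has
# no elements at all and is ignored by ld.so, so it yields 1.
has_empty_element() {
    case "$1" in
        '') return 1 ;;
        :*|*:|*::*) return 0 ;;
        *) return 1 ;;
    esac
}

# Append $2 to $1, inserting the colon only when both sides are non-empty,
# so the join itself never introduces an empty element.
safe_join() {
    if [ -z "$1" ]; then
        printf '%s' "$2"
    elif [ -z "$2" ]; then
        printf '%s' "$1"
    else
        printf '%s' "$1:$2"
    fi
}

# Drop every empty element from a search path. Use it on an inherited
# LD_LIBRARY_PATH before appending: safe_join does not look inside $1.
# Plain POSIX parameter expansion, so it does not depend on IFS splitting.
strip_empty_elements() {
    rest="$1:"
    out=''
    while [ -n "$rest" ]; do
        part="${rest%%:*}"
        rest="${rest#*:}"
        if [ -n "$part" ]; then
            out="${out:+$out:}$part"
        fi
    done
    printf '%s' "$out"
}

# Demonstration with X2GO_LIB set and LD_LIBRARY_PATH empty, the usual
# state on a fresh ssh login. Sample value for X2GO_LIB is an assumption.
demo() {
    X2GO_LIB=/usr/lib/x2go
    LD_LIBRARY_PATH=''
    bad=$(naive_join "$LD_LIBRARY_PATH" "$X2GO_LIB")
    good=$(safe_join "$(strip_empty_elements "$LD_LIBRARY_PATH")" "$X2GO_LIB")
    printf 'naive join: %s (empty element: %s)\n' "$bad" \
        "$(has_empty_element "$bad" && echo yes || echo no)"
    printf 'safe join:  %s (empty element: %s)\n' "$good" \
        "$(has_empty_element "$good" && echo yes || echo no)"
}

demo
```

Run it with `sh` or `bash`. The naive join yields `:/usr/lib/x2go`, which has_empty_element flags; the safe join yields `/usr/lib/x2go`. The two emptiness checks are there to make the quoting point concrete: `patch_style_is_empty 'a b'` returns a syntax-error status rather than true or false, while `quoted_is_empty` always returns 0 or 1.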
Hi Mike,

Thanks for your prompt reply and patching!

Regards,
Hayawardh

On Fri, Jan 6, 2012 at 1:55 PM, Mike Gabriel <mike.gabriel@das-netzwerkteam.de> wrote:
X2go-Dev mailing list X2go-Dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/x2go-dev
Hi Hayawardh
On Sa 07 Jan 2012 03:34:53 CET Hayawardh V wrote:
Hi Mike,
Thanks for your prompt reply and patching!
Regards, Hayawardh
I have removed the LD_LIBRARY_PATH tweaking now completely (considering it as cruft) from x2gostartagent as it is handled within the x2goagent wrapper script:
http://code.x2go.org/gitweb?p=x2goagent.git;a=blob;f=debian/x2goagent.sh;h=c...

An x2goserver Debian package is currently building and will be available soon in our nightly/heuler package repository.

Thanks for bringing this issue up!

Mike
--
DAS-NETZWERKTEAM mike gabriel, dorfstr. 27, 24245 barmissen fon: +49 (4302) 281418, fax: +49 (4302) 281419
GnuPG Key ID 0xB588399B mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...