----- Ursprüngliche Mail -----
From: Oleksandr Shneyder <oleksandr.shneyder@obviously-nice.de> Subject: Re: [X2Go-Dev] x2go and (none)security Date: 21. Mai 2013 10:40:45 MESZ To: x2go-dev@lists.berlios.de Cc: david@sigma-star.at, t.dierl@sigma-star.at
Hello Richard,
Am 18.05.2013 21:48, schrieb Richard Weinberger:
Hi x2go users/developers,
while reviewing x2go I've encountered issues which scared hell out of me. The client seems to perform zero input validation. A rough server can easily crash the client and most likely execute arbitrary code. For example x2goSession ONMainWindow::getSessionFromString ( const QString& string ), it is feed with input from the server.
QStringList lst=string.split ( '|' ); x2goSession s; s.agentPid=lst[0]; s.sessionId=lst[1]; s.display=lst[2]; s.server=lst[3]; s.status=lst[4]; s.crTime=lst[5]; s.cookie=lst[6]; s.clientIp=lst[7]; s.grPort=lst[8]; s.sndPort=lst[9];
If a line from the server, does not enough "|" we end up with out-of-bound array access. The source is full with such issues.
You are right, it is possible, that X2Go Client can be crashed with the wrong output from the server. This issue could (and should) be easily fixed by replacing operator "[n]" with method "value(n)". However, I don't think, that this issue is so dramatic as you described it. Why some one should open a SSH/X2GO connection to "rough" server? I didn't see such use case yet, when an administrator of server want to crash the client application on a machine of his user. If a user root on your Linux system is not an evil person, who want crash the X2Go Client on your desktop, you should not worry about this issue. But if you living in the world of BOFH, please don't use the X2Go Client until this issue will be fixed. I'll fix it very soon.
Every thought about client security? What happens if someone connects to another server? E.g. a support guys which need to connect to other customers. Using x2go you can take over his machine and sniff passwords to access other customers.
Finally I've also looked at the server. In short, the 90's calx2go-dev@lists.berlios.deled, they want their setuid bugs back. x2gosqlitewrapper.c just wrong, anyone can make it executing whatever binary he wants with higher privileges.
Sorry, I don't understand what are you talking about. I not found the file "x2gosqlitewrapper.c" in the source tree of package "x2go server". If you found a security problem in the recent x2goserver code, please open a bug report on bug tracker, describe the problem and show how it can be used. In best case show an example of exploit and send a bug fix. Saying "it is just wrong, anyone can do something" is just your opinion without any arguments.
I showed Mike already how the exploit works. He already released a fixed version of x2goserver and x2gobroker. Both contained the same broken code. If you don't understand the issue I'll happily explain it to you in private but I'll not post exploits on a public mailinglist.
But it's not only the code that worries me. On Windows the client executes per default sshd and x11. Both are listening on all available IP-Addresses.
Yes, this components are required by X2Go Client. This services are configured by default to listen all IP-Adresses. It is possible to configure them to listen for connections only on localhost, but I see it just as "nice to have" feature. Starting this services is not creating backdoor on the system, otherwise most UNIX machines would be backdoor'ed, because they running same services. Furthermore, SSHD used by X2Go is running only with user privileges and opening an access for only one user and only shortly for each SSHFS connection. The rest time SSHD don't accept a SSH-connections. In addition, each Windows system have a firewall that by default configured to drop incoming TCP-connections. This make SSHD and X11 to be only accessible from localhost.
You silently install a user "sshuser" on Windows, which has the password of the currently logged in Windows user and give him a login shell.
This is so untrue! X2Go Client can not install users on Windows system.
So? You install cygwin with a passwd file that maps to Windows users. sshd.exe uses that passwd file and one can login via network. Of course you need to know the passwort. But you open a security risk just by making sshd and x11 listening on 0.0.0.0!
To be able to do something like that, X2Go Client must have an administrator privileges. All X2Go Client components running with user privileges. A SSHD open SSH access for current user and this is required for SSHFS, which used to export client directories to server. If you don't trust your server, just don't export your directories. And you should not do this, independent what kind of network FS are you using. It is always possible, that untrusted server can manipulate your data or credentials. It's impossible to open a SSH-Connection to your client until you don't exporting directories to server.
Then please make sshd listen on localhost and forward the ssh port to the Server...
I haven't seen such a trainwreck of software for a long time. By installing it on my system you've successfully backdoor'ed my clients and the server.
I appreciated your criticism, but writing something like that in the ML of a community project is just not respecting the work of people, who spent a lot of their time and costs to develop something useful for others.
I'm criticizing your code not you. If you cannot deal with that, not my problem.
Thanks, //richard
Am 21.05.2013 11:01, schrieb Richard RW. Weinberger:
----- Ursprüngliche Mail -----
From: Oleksandr Shneyder <oleksandr.shneyder@obviously-nice.de> Subject: Re: [X2Go-Dev] x2go and (none)security Date: 21. Mai 2013 10:40:45 MESZ To: x2go-dev@lists.berlios.de Cc: david@sigma-star.at, t.dierl@sigma-star.at
Hello Richard,
Am 18.05.2013 21:48, schrieb Richard Weinberger:
Hi x2go users/developers,
while reviewing x2go I've encountered issues which scared hell out of me. The client seems to perform zero input validation. A rough server can easily crash the client and most likely execute arbitrary code. For example x2goSession ONMainWindow::getSessionFromString ( const QString& string ), it is feed with input from the server.
QStringList lst=string.split ( '|' ); x2goSession s; s.agentPid=lst[0]; s.sessionId=lst[1]; s.display=lst[2]; s.server=lst[3]; s.status=lst[4]; s.crTime=lst[5]; s.cookie=lst[6]; s.clientIp=lst[7]; s.grPort=lst[8]; s.sndPort=lst[9];
If a line from the server, does not enough "|" we end up with out-of-bound array access. The source is full with such issues.
You are right, it is possible, that X2Go Client can be crashed with the wrong output from the server. This issue could (and should) be easily fixed by replacing operator "[n]" with method "value(n)". However, I don't think, that this issue is so dramatic as you described it. Why some one should open a SSH/X2GO connection to "rough" server? I didn't see such use case yet, when an administrator of server want to crash the client application on a machine of his user. If a user root on your Linux system is not an evil person, who want crash the X2Go Client on your desktop, you should not worry about this issue. But if you living in the world of BOFH, please don't use the X2Go Client until this issue will be fixed. I'll fix it very soon.
Every thought about client security? What happens if someone connects to another server? E.g. a support guys which need to connect to other customers. Using x2go you can take over his machine and sniff passwords to access other customers.
Finally I've also looked at the server. In short, the 90's calx2go-dev@lists.berlios.deled, they want their setuid bugs back. x2gosqlitewrapper.c just wrong, anyone can make it executing whatever binary he wants with higher privileges.
Sorry, I don't understand what are you talking about. I not found the file "x2gosqlitewrapper.c" in the source tree of package "x2go server". If you found a security problem in the recent x2goserver code, please open a bug report on bug tracker, describe the problem and show how it can be used. In best case show an example of exploit and send a bug fix. Saying "it is just wrong, anyone can do something" is just your opinion without any arguments.
I showed Mike already how the exploit works. He already released a fixed version of x2goserver and x2gobroker. Both contained the same broken code. If you don't understand the issue I'll happily explain it to you in private but I'll not post exploits on a public mailinglist.
But it's not only the code that worries me. On Windows the client executes per default sshd and x11. Both are listening on all available IP-Addresses.
Yes, this components are required by X2Go Client. This services are configured by default to listen all IP-Adresses. It is possible to configure them to listen for connections only on localhost, but I see it just as "nice to have" feature. Starting this services is not creating backdoor on the system, otherwise most UNIX machines would be backdoor'ed, because they running same services. Furthermore, SSHD used by X2Go is running only with user privileges and opening an access for only one user and only shortly for each SSHFS connection. The rest time SSHD don't accept a SSH-connections. In addition, each Windows system have a firewall that by default configured to drop incoming TCP-connections. This make SSHD and X11 to be only accessible from localhost.
You silently install a user "sshuser" on Windows, which has the password of the currently logged in Windows user and give him a login shell.
This is so untrue! X2Go Client can not install users on Windows system.
So? You install cygwin with a passwd file that maps to Windows users. sshd.exe uses that passwd file and one can login via network. Of course you need to know the passwort. But you open a security risk just by making sshd and x11 listening on 0.0.0.0!
Recent version of X2Go Client
http://code.x2go.org/releases/binary-win32/x2goclient/previews/4.0.1.0/x2goc...
not installing a passwd file and it is not possible to login on system via network with user password.
To be able to do something like that, X2Go Client must have an administrator privileges. All X2Go Client components running with user privileges. A SSHD open SSH access for current user and this is required for SSHFS, which used to export client directories to server. If you don't trust your server, just don't export your directories. And you should not do this, independent what kind of network FS are you using. It is always possible, that untrusted server can manipulate your data or credentials. It's impossible to open a SSH-Connection to your client until you don't exporting directories to server.
Then please make sshd listen on localhost and forward the ssh port to the Server...
This will break the LAN scenario, where X2Go Client is in same LAN as X2Go Server and direct SSHFS connection can be established, which is faster as a connection via reverse tunnel. By default SSH Port from client is forwarded to server, and Windows firewall with default settings dropping TCP-copnnections from network anyway. As long as Windows user don't deactivate a Windows Firewall I don't see a security risk here.
I haven't seen such a trainwreck of software for a long time. By installing it on my system you've successfully backdoor'ed my clients and the server.
I appreciated your criticism, but writing something like that in the ML of a community project is just not respecting the work of people, who spent a lot of their time and costs to develop something useful for others.
I'm criticizing your code not you. If you cannot deal with that, not my problem.
I can deal with criticism, I don't like the way you did it.
regards, Alex
Thanks, //richard
-- Oleksandr Shneyder Dipl. Informatik X2go Core Developer Team
email: oleksandr.shneyder@obviously-nice.de web: www.obviously-nice.de
--> X2go - everywhere@home
----- Ursprüngliche Mail -----
Am 21.05.2013 11:01, schrieb Richard RW. Weinberger:
----- Ursprüngliche Mail -----
From: Oleksandr Shneyder <oleksandr.shneyder@obviously-nice.de> Subject: Re: [X2Go-Dev] x2go and (none)security Date: 21. Mai 2013 10:40:45 MESZ To: x2go-dev@lists.berlios.de Cc: david@sigma-star.at, t.dierl@sigma-star.at
Hello Richard,
Am 18.05.2013 21:48, schrieb Richard Weinberger:
Hi x2go users/developers,
while reviewing x2go I've encountered issues which scared hell out of me. The client seems to perform zero input validation. A rough server can easily crash the client and most likely execute arbitrary code. For example x2goSession ONMainWindow::getSessionFromString ( const QString& string ), it is feed with input from the server.
QStringList lst=string.split ( '|' ); x2goSession s; s.agentPid=lst[0]; s.sessionId=lst[1]; s.display=lst[2]; s.server=lst[3]; s.status=lst[4]; s.crTime=lst[5]; s.cookie=lst[6]; s.clientIp=lst[7]; s.grPort=lst[8]; s.sndPort=lst[9];
If a line from the server, does not enough "|" we end up with out-of-bound array access. The source is full with such issues.
You are right, it is possible, that X2Go Client can be crashed with the wrong output from the server. This issue could (and should) be easily fixed by replacing operator "[n]" with method "value(n)". However, I don't think, that this issue is so dramatic as you described it. Why some one should open a SSH/X2GO connection to "rough" server? I didn't see such use case yet, when an administrator of server want to crash the client application on a machine of his user. If a user root on your Linux system is not an evil person, who want crash the X2Go Client on your desktop, you should not worry about this issue. But if you living in the world of BOFH, please don't use the X2Go Client until this issue will be fixed. I'll fix it very soon.
Every thought about client security? What happens if someone connects to another server? E.g. a support guys which need to connect to other customers. Using x2go you can take over his machine and sniff passwords to access other customers.
Finally I've also looked at the server. In short, the 90's calx2go-dev@lists.berlios.deled, they want their setuid bugs back. x2gosqlitewrapper.c just wrong, anyone can make it executing whatever binary he wants with higher privileges.
Sorry, I don't understand what are you talking about. I not found the file "x2gosqlitewrapper.c" in the source tree of package "x2go server". If you found a security problem in the recent x2goserver code, please open a bug report on bug tracker, describe the problem and show how it can be used. In best case show an example of exploit and send a bug fix. Saying "it is just wrong, anyone can do something" is just your opinion without any arguments.
I showed Mike already how the exploit works. He already released a fixed version of x2goserver and x2gobroker. Both contained the same broken code. If you don't understand the issue I'll happily explain it to you in private but I'll not post exploits on a public mailinglist.
But it's not only the code that worries me. On Windows the client executes per default sshd and x11. Both are listening on all available IP-Addresses.
Yes, this components are required by X2Go Client. This services are configured by default to listen all IP-Adresses. It is possible to configure them to listen for connections only on localhost, but I see it just as "nice to have" feature. Starting this services is not creating backdoor on the system, otherwise most UNIX machines would be backdoor'ed, because they running same services. Furthermore, SSHD used by X2Go is running only with user privileges and opening an access for only one user and only shortly for each SSHFS connection. The rest time SSHD don't accept a SSH-connections. In addition, each Windows system have a firewall that by default configured to drop incoming TCP-connections. This make SSHD and X11 to be only accessible from localhost.
You silently install a user "sshuser" on Windows, which has the password of the currently logged in Windows user and give him a login shell.
This is so untrue! X2Go Client can not install users on Windows system.
So? You install cygwin with a passwd file that maps to Windows users. sshd.exe uses that passwd file and one can login via network. Of course you need to know the passwort. But you open a security risk just by making sshd and x11 listening on 0.0.0.0!
Recent version of X2Go Client
http://code.x2go.org/releases/binary-win32/x2goclient/previews/4.0.1.0/x2goc...
not installing a passwd file and it is not possible to login on system via network with user password.
I've used the binary http://code.x2go.org/releases/X2GoClient_latest_mswin32-setup.exe. Link from here: http://wiki.x2go.org/doku.php/start
If this is not the current stable version, please update the link.
To be able to do something like that, X2Go Client must have an administrator privileges. All X2Go Client components running with user privileges. A SSHD open SSH access for current user and this is required for SSHFS, which used to export client directories to server. If you don't trust your server, just don't export your directories. And you should not do this, independent what kind of network FS are you using. It is always possible, that untrusted server can manipulate your data or credentials. It's impossible to open a SSH-Connection to your client until you don't exporting directories to server.
Then please make sshd listen on localhost and forward the ssh port to the Server...
This will break the LAN scenario, where X2Go Client is in same LAN as X2Go Server and direct SSHFS connection can be established, which is faster as a connection via reverse tunnel. By default SSH Port from client is forwarded to server, and Windows firewall with default settings dropping TCP-copnnections from network anyway. As long as Windows user don't deactivate a Windows Firewall I don't see a security risk here.
There are lot's of Windows-Setups without a Windows Firewall. And if you start sshd.exe the Firewall will ask you if that's ok. *Every* user will say "Yes!!!" and the Firewall allows sshd.exe to listen.
It may work with the most current Windows Firewall because it knows different zones. But still it is IMHO very bad to run sshd on the client.
I haven't seen such a trainwreck of software for a long time. By installing it on my system you've successfully backdoor'ed my clients and the server.
I appreciated your criticism, but writing something like that in the ML of a community project is just not respecting the work of people, who spent a lot of their time and costs to develop something useful for others.
I'm criticizing your code not you. If you cannot deal with that, not my problem.
I can deal with criticism, I don't like the way you did it.
Sorry, that's life. :-)
Thanks, //richard
Am 21.05.2013 12:29, schrieb Richard RW. Weinberger:
I'm criticizing your code not you. If you cannot deal with that, not my problem.
I can deal with criticism, I don't like the way you did it. Sorry, that's life.:-)
No. The tone of your messages is bordering on insulting. The fact that you claim you don't attack Alex personally doesn't make it any better, it's still inappropriate. While I agree with you that Alex might not have grasped the severity of the issue in full, there is no need to come across like that.
"But I am right!!11!!oneoneeleven!" is no justification to forget your manners.
So, please keep it civil. We *are* interested in your *constructive* criticism.
I've had personal disagreements with Alex before (on- and off-list), but whenever he disagrees with me, I take it as a sign that *I* failed to explain myself properly, not as a sign that he is too dumb to understand or simply unwilling. Maybe you should try a similar approach.
Kind Regards, Stefan
Hi Stefan, Richard, Alex, et al.
On Di 21 Mai 2013 16:46:09 CEST Stefan Baur wrote:
Am 21.05.2013 12:29, schrieb Richard RW. Weinberger:
I'm criticizing your code not you. If you cannot deal with that, not my problem.
I can deal with criticism, I don't like the way you did it. Sorry, that's life.:-)
No. The tone of your messages is bordering on insulting. The fact
that you claim you don't attack Alex personally doesn't make it any
better, it's still inappropriate. While I agree with you that Alex might not have grasped the severity
of the issue in full, there is no need to come across like that."But I am right!!11!!oneoneeleven!" is no justification to forget
your manners.So, please keep it civil. We *are* interested in your *constructive*
criticism.I've had personal disagreements with Alex before (on- and off-list),
but whenever he disagrees with me, I take it as a sign that *I*
failed to explain myself properly, not as a sign that he is too dumb
to understand or simply unwilling. Maybe you should try a similar
approach.
I just caught up with this thread now and I must say I'd also
appreciate a great deal more politeness from you, Richard. Thanks to
Stefan for being so clear on this. 100% +1 from my side.
Richard, if your intention is to make a contribution (and by that: a
difference) to X2Go (and not only a highly-competent short-term noise)
then make sure people want to listen to your opinion and that we all
have fun working together on the project.
Looking forward to constructively getting to work on the
open/addressed issues...
Greets, Mike
--
DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...
-
Mike Gabriel -
Oleksandr Shneyder -
Richard RW. Weinberger -
Stefan Baur