Hi All,
Dan Halbert made me aware of it being easily possible to inject
arbitrary data into X2Go Client via the server-side .bashrc file. This
surely is a security problem in X2Go.
Thus, I found that we really need to do some sanity checks on incoming
output from X2Go Servers to avoid such injections.
The idea is to invoke the server-side command with a UUID hash before
and after the actual command invocation:
- execute server-side command from X2Go Client:
ssh <user>@<server> sh -c "echo X2GODATABEGIN:<uuidhash> && <x2gocmd> && echo X2GODATAEND:<uuidhash>"
- read data from X2Go Server:
X2GODATABEGIN:<uuidhash>
<x2godata_line1>
<x2godata_line2>
....
<x2godata_lineN>
X2GODATAEND:<uuidhash>
cut out the X2Go data returned by the server (in C++):
QString begin_marker = "X2GODATABEGIN:" + uuid + "\n";
QString end_marker = "X2GODATAEND:" + uuid + "\n";
int output_begin = stdOutString.indexOf(begin_marker) + begin_marker.length();
int output_end = stdOutString.indexOf(end_marker);
output = stdOutString.mid(output_begin, output_end - output_begin);
I have a patch locally for this and will commit it in a minute. We can
discuss the patch and move on from there when it's there.
Unfortunately, this patch does not fix #327 as it is impossible to use
scp with echoing .bashrc files. With this patch applied, the session
starts, but setting up the SSHfs shares fails and locks up X2Go
Client.
For people who depend on echoing .bashrc files, please read my last
post on #327.
DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...
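As an added example (not the patch from this report), the marker extraction described above rewritten with std::string instead of QString so it builds without Qt, with explicit checks for a missing begin or end marker; the original snippet does not test for indexOf() returning -1, which would yield a wrong slice. The uuid and the server output are constructed sample values.

```cpp
#include <cassert>
#include <iostream>
#include <optional>
#include <string>

// Returns the server output between "X2GODATABEGIN:<uuid>\n" and
// "X2GODATAEND:<uuid>\n", or std::nullopt if either marker is absent.
// Whatever ~/.bashrc prints before or after the markers is discarded, and
// since the uuid is fresh for each invocation the server-side user cannot
// predict it and forge a marker pair of their own.
std::optional<std::string> extractX2GoData(const std::string& stdOutString,
                                           const std::string& uuid) {
    const std::string begin_marker = "X2GODATABEGIN:" + uuid + "\n";
    const std::string end_marker   = "X2GODATAEND:"   + uuid + "\n";

    // the original code adds begin_marker.length() to -1 when the marker
    // is missing; here a missing marker is reported instead
    std::size_t begin_pos = stdOutString.find(begin_marker);
    if (begin_pos == std::string::npos) return std::nullopt;
    std::size_t output_begin = begin_pos + begin_marker.length();

    // look for the end marker only after the begin marker
    std::size_t output_end = stdOutString.find(end_marker, output_begin);
    if (output_end == std::string::npos) return std::nullopt;

    return stdOutString.substr(output_begin, output_end - output_begin);
}

int main() {
    // constructed sample: a .bashrc that echoes text before and after
    // the real command output; the uuid is a placeholder, not a real value
    const std::string uuid = "c4ab1a0e-constructed-uuid";
    std::string out =
        "Welcome, this is my noisy .bashrc\n"
        "X2GODATABEGIN:" + uuid + "\n"
        "key1 value1\n"
        "key2 value2\n"
        "X2GODATAEND:" + uuid + "\n"
        "more noise from ~/.bashrc\n";
    auto data = extractX2GoData(out, uuid);
    std::cout << (data ? *data : std::string("<no data>"));
    return 0;
}
```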
clone #333 -1
reassign -1 python-x2go
retitle -1 Users can inject arbitrary data into Pyhoca-GUI via .bashrc
thanks
Hi All,
On Tue 29 Oct 2013 13:36:14 CET, Mike Gabriel wrote:
> Hi All,
>
> Dan Halbert made me aware of it being easily possible to inject
> arbitrary data into X2Go Client via the server-side .bashrc file.
> This surely is a security problem in X2Go.
>
> Thus, I found that we really need to do some sanity checks on
> incoming output from X2Go Servers to avoid such injections.
>
> The idea is to invoke the server-side command with a UUID hash
> before and after the actual command invocation:
>
> - execute server-side command from X2Go Client:
> ssh <user>@<server> sh -c "echo X2GODATABEGIN:<uuidhash> && <x2gocmd> && echo X2GODATAEND:<uuidhash>"
>
> - read data from X2Go Server:
> X2GODATABEGIN:<uuidhash>
> <x2godata_line1>
> <x2godata_line2>
> ....
> <x2godata_lineN>
> X2GODATAEND:<uuidhash>
>
> cut out the X2Go data returned by the server (in C++):
> QString begin_marker = "X2GODATABEGIN:" + uuid + "\n";
> QString end_marker = "X2GODATAEND:" + uuid + "\n";
> int output_begin = stdOutString.indexOf(begin_marker) + begin_marker.length();
> int output_end = stdOutString.indexOf(end_marker);
> output = stdOutString.mid(output_begin, output_end - output_begin);
>
> I have a patch locally for this and will commit it in a minute. We
> can discuss the patch and move on from there when it's there.
>
> Unfortunately, this patch does not fix #327 as it is impossible to
> use scp with echoing .bashrc files. With this patch applied, the
> session starts, but setting up the SSHfs shares fails and locks
> up X2Go Client.
>
> For people who depend on echoing .bashrc files, please read my last
> post on #327.
>
> Mike
This actually also applies to Python X2Go.
Processing commands for control@bugs.x2go.org:

> clone #333 -1
Bug #333 [x2goclient] users can inject data into X2Go Client using .bashrc
Bug 333 cloned as bug 335
> reassign -1 python-x2go
Bug #335 [x2goclient] users can inject data into X2Go Client using .bashrc
Bug reassigned from package 'x2goclient' to 'python-x2go'.
No longer marked as found in versions 4.0.0.3.
No longer marked as fixed in versions 4.0.1.2.
> retitle -1 Users can inject arbitrary data into Pyhoca-GUI via .bashrc
Bug #335 [python-x2go] users can inject data into X2Go Client using .bashrc
Changed Bug title to 'Users can inject arbitrary data into Pyhoca-GUI via .bashrc' from 'users can inject data into X2Go Client using .bashrc'
> thanks
Stopping processing here.

333: http://bugs.x2go.org/cgi-bin/bugreport.cgi?bug=333
335: http://bugs.x2go.org/cgi-bin/bugreport.cgi?bug=335
X2Go Bug Tracking System
Contact owner@bugs.x2go.org with problems