[X2go-dev] x2go security Issues
Oleksandr Shneyder
oleksandr.shneyder at obviously-nice.de
Thu Jan 20 16:17:07 CET 2011
Am 20.01.2011 15:39, schrieb Alexander Wuerstlein:
> Forget that, /usr/bin/x2gopgwrapper is of course trivially exploitable
> to get root in 2 ways:
> - in the current git version, set 'startshadowagent' as the first
> parameter. Choose the 11th parameter in a way such that SHADOW_USER is
> set to 'root'. Set the second parameter ($CLIENT) to something like
> 'foo ; rm -fr /'. Profit.
> - in the git as well as the stable version, when the database is sqlite:
> the x2gopgwrapper_sqlite runs as root meaning that any sql injection
> into sqlite would run as root. One possible injection would set the
> sqlite output file to /etc/shadow (via .output /etc/shadow) and
> overwrite it with a customized version including a new root password
> chosen by the attacker. Profit.
I see, thank you Alexander. We'll fix it as quick as possible.
Regards,
alex
--
Oleksandr Shneyder
Dipl. Informatik
X2go Core Developer Team
email: oleksandr.shneyder at obviously-nice.de
web: www.obviously-nice.de
--> X2go - everywhere at home
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <http://lists.x2go.org/pipermail/x2go-dev/attachments/20110120/c03a4e9f/attachment.pgp>
More information about the x2go-dev
mailing list