[X2go-dev] x2go security Issues
John A. Sullivan III
jsullivan at opensourcedevel.com
Thu Jan 20 17:26:28 CET 2011
On Thu, 2011-01-20 at 16:17 +0100, Oleksandr Shneyder wrote:
> Am 20.01.2011 15:39, schrieb Alexander Wuerstlein:
>
> > Forget that, /usr/bin/x2gopgwrapper is of course trivially exploitable
> > to get root in 2 ways:
> > - in the current git version, set 'startshadowagent' as the first
> > parameter. Choose the 11th parameter in a way such that SHADOW_USER is
> > set to 'root'. Set the second parameter ($CLIENT) to something like
> > 'foo ; rm -fr /'. Profit.
> > - in the git as well as the stable version, when the database is sqlite:
> > the x2gopgwrapper_sqlite runs as root meaning that any sql injection
> > into sqlite would run as root. One possible injection would set the
> > sqlite output file to /etc/shadow (via .output /etc/shadow) and
> > overwrite it with a customized version including a new root password
> > chosen by the attacker. Profit.
>
> I see, thank you Alexander. We'll fix it as quick as possible.
> Regards,
<snip>
It has probably been roughly a year but I had posted some changes we
made because we were very uncomfortable calling PostgreSQL as postgres.
In fact, we combined it with our vserver work and eventually used user
based schemas so we could use a single database for any number of X2Go
Servers - John
More information about the x2go-dev
mailing list