[X2go-dev] x2go security Issues
Mike Gabriel
mike.gabriel at das-netzwerkteam.de
Thu Jan 20 23:57:21 CET 2011
Hi Alex,
On Do 20 Jan 2011 17:26:28 CET "John A. Sullivan III" wrote:
> On Thu, 2011-01-20 at 16:17 +0100, Oleksandr Shneyder wrote:
>> Am 20.01.2011 15:39, schrieb Alexander Wuerstlein:
>>
>> > Forget that, /usr/bin/x2gopgwrapper is of course trivially exploitable
>> > to get root in 2 ways:
>> > - in the current git version, set 'startshadowagent' as the first
>> > parameter. Choose the 11th parameter in a way such that SHADOW_USER is
>> > set to 'root'. Set the second parameter ($CLIENT) to something like
>> > 'foo ; rm -fr /'. Profit.
>> > - in the git as well as the stable version, when the database is sqlite:
>> > the x2gopgwrapper_sqlite runs as root meaning that any sql injection
>> > into sqlite would run as root. One possible injection would set the
>> > sqlite output file to /etc/shadow (via .output /etc/shadow) and
>> > overwrite it with a customized version including a new root password
>> > chosen by the attacker. Profit.
>>
>> I see, thank you Alexander. We'll fix it as quick as possible.
>> Regards,
> <snip>
> It has probably been roughly a year but I had posted some changes we
> made because we were very uncomfortable calling PostgreSQL as postgres.
> In fact, we combined it with our vserver work and eventually used user
> based schemas so we could use a single database for any number of X2Go
> Servers - John
John sent these patches (with docs!!!) to the list on 20100702. I had
taken a look at them then and they looked quite promising. They are
definitely worth looking at to address this issue.
Cheerio,
Mike
--
DAS-NETZWERKTEAM
mike gabriel, dorfstr. 27, 24245 barmissen
fon: +49 (4302) 281418, fax: +49 (4302) 281419
GnuPG Key ID 0xB588399B
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 489 bytes
Desc: Digitale PGP-Unterschrift
URL: <http://lists.x2go.org/pipermail/x2go-dev/attachments/20110120/e5d751bd/attachment.pgp>
More information about the x2go-dev
mailing list