[X2go-Dev] Untrusted library search path in x2gostartagent bash script
Hayawardh V
hayawardh at gmail.com
Sat Jan 7 03:34:53 CET 2012
Hi Mike,
Thanks for your prompt reply and patching!
Regards,
Hayawardh
On Fri, Jan 6, 2012 at 1:55 PM, Mike Gabriel <
mike.gabriel at das-netzwerkteam.de> wrote:
> Hi Hayawardh,
>
>
> On Fr 06 Jan 2012 00:26:29 CET Hayawardh V wrote:
>
>> Hi,
>>
>> There is an untrusted library search path vulnerability in x2gostartagent.
>>
>> Lines 188,189 in /usr/bin/x2gostartagent in the Ubuntu PPA package say:
>>
>> LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:${X2GO_LIB}"
>> export LD_LIBRARY_PATH
>>
>> If one of these is empty, then there will be an empty addendum to
>> LD_LIBRARY_PATH, which will make ld search for libraries in the current
>> working directory.
>>
>> Programs xauth, x2goserver-run-extensions and x2gofeature (and the programs
>> further spawned by them, including perl, basename, find, grep, sort, bash
>> etc.) are launched with this insecure LD_LIBRARY_PATH.
>>
>> Thus, the current working directory will be searched for shared libraries
>> when this command is launched.
>>
>> Usually, x2gostartagent is launched over ssh, and the current working
>> directory will be the user's home directory.
>>
>> The problem is that if a user is tricked into downloading a malicious
>> library off the Internet and saves it into his home directory, this
>> malicious library will be loaded and can take control of the user's process
>> when an x2go session is launched.
>>
>> The fix is simply to check if either LD_LIBRARY_PATH or X2GO_LIB is empty.
>> I am pasting the patch below.
>>
>> Please keep me updated on this issue.
>>
>> Thanks,
>> Hayawardh Vijayakumar
>>
>> --- /usr/bin/x2gostartagent 2012-01-05 17:48:07.843705023 -0500
>> +++ /usr/bin/x2gostartagent.fixed 2012-01-05 16:44:41.839705377
>> -0500
>> @@ -184,8 +184,13 @@
>>
>> X2GO_COOKIE=`mcookie`
>>
>> +if [ ! ${LD_LIBRARY_PATH} ] || [ ! ${X2GO_LIB} ]
>> +then
>> + LD_LIBRARY_PATH="${LD_LIBRARY_**PATH}${X2GO_LIB}"
>> +else
>> + LD_LIBRARY_PATH="${LD_LIBRARY_**PATH}:${X2GO_LIB}"
>> +fi
>>
>> -LD_LIBRARY_PATH="${LD_**LIBRARY_PATH}:${X2GO_LIB}"
>> export LD_LIBRARY_PATH
>>
>> PATH="${PATH}:${X2GO_BIN}/"
>>
>>
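Review bot: the test on the first added line, `[ ! ${LD_LIBRARY_PATH} ] || [ ! ${X2GO_LIB} ]`, expands both variables unquoted, so the empty case only passes because `[ ! ]` happens to evaluate true, and a value containing whitespace makes `[` report an error instead of a result. Suggest `[ -z "${LD_LIBRARY_PATH}" ] || [ -z "${X2GO_LIB}" ]`. The check also covers only a completely empty variable: an inherited LD_LIBRARY_PATH that already starts or ends with a colon, or contains `::`, still carries an empty element into the value exported on the line after the hunk's `fi`, so it would be worth stripping empty elements before appending.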
> Very sensible patch!!! Just committed...
>
> Mike
>
>
> --
>
> DAS-NETZWERKTEAM
> mike gabriel, dorfstr. 27, 24245 barmissen
> fon: +49 (4302) 281418, fax: +49 (4302) 281419
>
> GnuPG Key ID 0xB588399B
> mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de
>
> freeBusy:
> https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
>
>
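A join helper that cannot produce an empty search-path element, covering the empty-variable case reported in this thread and also inherited values that already contain a stray colon. This is an added example, not code from the thread or from x2go; the function names and the sample directories (`/usr/lib/x2go` standing in for `X2GO_LIB`, `/opt/lib`, `/a`, `/b`) are assumptions.

```shell
#!/bin/sh
# Added example: build a loader search path with no empty element.

# Succeeds if the colon-separated value $1 has an empty element (leading or
# trailing ':' or '::'), which the loader resolves to the working directory.
# Assumption: a wholly empty value is treated like an unset one.
path_has_empty_element() {
    case "$1" in
        "")         return 1 ;;
        :*|*:|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Print all arguments joined by ':'. Each argument may itself be a
# colon-separated list; empty arguments and empty elements are dropped.
# The body runs in a subshell so IFS and 'set -f' do not leak to the caller.
path_join() (
    result=""
    set -f      # no pathname expansion while splitting on ':'
    IFS=:
    for list in "$@"; do
        for elem in $list; do
            [ -n "$elem" ] || continue
            result="${result:+$result:}$elem"
        done
    done
    printf '%s\n' "$result"
)

# Constructed inherited values; /usr/lib/x2go stands in for X2GO_LIB.
for inherited in "" "/opt/lib" "/opt/lib:" "/a::/b"; do
    naive="${inherited}:/usr/lib/x2go"      # the original one-line join
    if path_has_empty_element "$naive"; then note="empty element"; else note="ok"; fi
    printf 'naive=%s (%s)  joined=%s\n' "$naive" "$note" \
        "$(path_join "$inherited" /usr/lib/x2go)"
done
```

In a script like the one discussed, the assignment would become `LD_LIBRARY_PATH=$(path_join "${LD_LIBRARY_PATH:-}" "${X2GO_LIB:-}")` followed by the existing `export`.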