[X2Go-Dev] x2go and (none)security

Richard RW. Weinberger richard at sigma-star.at
Tue May 21 12:29:16 CEST 2013 

----- Ursprüngliche Mail -----
> Am 21.05.2013 11:01, schrieb Richard RW. Weinberger:
> > ----- Ursprüngliche Mail -----
> >>> From: Oleksandr Shneyder <oleksandr.shneyder at obviously-nice.de>
> >>> Subject: Re: [X2Go-Dev] x2go and (none)security
> >>> Date: 21. Mai 2013 10:40:45 MESZ
> >>> To: x2go-dev at lists.berlios.de
> >>> Cc: david at sigma-star.at, t.dierl at sigma-star.at
> >>>
> >>> Hello Richard,
> >>>
> >>> Am 18.05.2013 21:48, schrieb Richard Weinberger:
> >>>> Hi x2go users/developers,
> >>>>
> >>>> while reviewing x2go I've encountered issues which scared hell
> >>>> out
> >>>> of me.
> >>>> The client seems to perform zero input validation. A rough
> >>>> server
> >>>> can
> >>>> easily crash the client
> >>>> and most likely execute arbitrary code.
> >>>> For example x2goSession ONMainWindow::getSessionFromString (
> >>>> const
> >>>> QString& string ), it is feed with input from the server.
> >>>> ---
> >>>>    QStringList lst=string.split ( '|' );
> >>>>    x2goSession s;
> >>>>    s.agentPid=lst[0];
> >>>>    s.sessionId=lst[1];
> >>>>    s.display=lst[2];
> >>>>    s.server=lst[3];
> >>>>    s.status=lst[4];
> >>>>    s.crTime=lst[5];
> >>>>    s.cookie=lst[6];
> >>>>    s.clientIp=lst[7];
> >>>>    s.grPort=lst[8];
> >>>>    s.sndPort=lst[9];
> >>>> ---
> >>>> If a line from the server, does not enough "|" we end up with
> >>>> out-of-bound array access.
> >>>> The source is full with such issues.
> >>>
> >>> You are right, it is possible, that X2Go Client can be crashed
> >>> with
> >>> the
> >>> wrong output from the server. This issue could (and should) be
> >>> easily
> >>> fixed by replacing operator "[n]" with method "value(n)".
> >>> However,
> >>> I
> >>> don't think, that this issue is so dramatic as you described it.
> >>> Why
> >>> some one should open a SSH/X2GO connection to "rough" server? I
> >>> didn't
> >>> see such use case yet, when an administrator of server want to
> >>> crash the
> >>> client application on a machine of his user. If a user root on
> >>> your
> >>> Linux system is not an evil person, who want crash the X2Go
> >>> Client
> >>> on
> >>> your desktop, you should not worry about this issue. But if you
> >>> living
> >>> in the world of BOFH, please don't use the X2Go Client until this
> >>> issue
> >>> will be fixed. I'll fix it very soon.
> > 
> > Every thought about client security?
> > What happens if someone connects to another server?
> > E.g. a support guys which need to connect to other customers.
> > Using x2go you can take over his machine and sniff passwords to
> > access
> > other customers.
> > 
> >>>> Finally I've also looked at the server.
> >>>> In short, the 90's calx2go-dev at lists.berlios.deled, they want
> >>>> their setuid bugs back.
> >>>> x2gosqlitewrapper.c just wrong, anyone can make it executing
> >>>> whatever
> >>>> binary he wants with higher privileges.
> >>>
> >>> Sorry, I don't understand what are you talking about. I not found
> >>> the
> >>> file "x2gosqlitewrapper.c" in the source tree of package "x2go
> >>> server".
> >>> If you found a security problem in the recent x2goserver code,
> >>> please
> >>> open a bug report on bug tracker, describe the problem and show
> >>> how
> >>> it
> >>> can be used. In best case show an example of exploit and send a
> >>> bug
> >>> fix.
> >>> Saying "it is just wrong, anyone can do something" is just your
> >>> opinion
> >>> without any arguments.
> > 
> > I showed Mike already how the exploit works. He already released a
> > fixed version
> > of x2goserver and x2gobroker. Both contained the same broken code.
> > If you don't understand the issue I'll happily explain it to you in
> > private but I'll
> > not post exploits on a public mailinglist.
> > 
> >>>
> >>>> But it's not only the code that worries me.
> >>>> On Windows the client executes per default sshd and x11. Both
> >>>> are
> >>>> listening on all available IP-Addresses.
> >>>
> >>> Yes, this components are required by X2Go Client. This services
> >>> are
> >>> configured by default to listen all IP-Adresses. It is possible
> >>> to
> >>> configure them to listen for connections only on localhost, but I
> >>> see it
> >>> just as "nice to have" feature. Starting this services is not
> >>> creating
> >>> backdoor on the system, otherwise  most UNIX machines would be
> >>> backdoor'ed, because they running same services. Furthermore,
> >>> SSHD
> >>> used
> >>> by X2Go is running only with user privileges and opening an
> >>> access
> >>> for
> >>> only one user and only shortly for each SSHFS connection. The
> >>> rest
> >>> time
> >>> SSHD don't accept a SSH-connections. In addition, each Windows
> >>> system
> >>> have a firewall that by default configured to drop incoming
> >>> TCP-connections. This make SSHD and X11 to be only accessible
> >>> from
> >>> localhost.
> >>>
> >>>
> >>>
> >>>> You silently install a user "sshuser" on Windows, which has the
> >>>> password
> >>>> of the currently logged in Windows user and give
> >>>> him a login shell.
> >>>
> >>> This is so untrue! X2Go Client can not install users on Windows
> >>> system.
> > 
> > So? You install cygwin with a passwd file that maps to Windows
> > users.
> > sshd.exe uses that passwd file and one can login via network.
> > Of course you need to know the passwort. But you open a security
> > risk
> > just by making sshd and x11 listening on 0.0.0.0!
> > 
> 
> Recent version of X2Go Client
> 
> http://code.x2go.org/releases/binary-win32/x2goclient/previews/4.0.1.0/x2goclient-4.0.1.0-pre02-setup.exe
> 
> not installing a passwd file and it is not possible to login on
> system
> via network with user password.

I've used the binary http://code.x2go.org/releases/X2GoClient_latest_mswin32-setup.exe.
Link from here:
http://wiki.x2go.org/doku.php/start

If this is not the current stable version, please update the link.

> 
> >>> To be able to do something like that, X2Go Client must have an
> >>> administrator privileges. All X2Go Client components running with
> >>> user
> >>> privileges. A SSHD open SSH access for current user and this is
> >>> required
> >>> for SSHFS, which used to export client directories to server. If
> >>> you
> >>> don't trust your server, just don't export your directories. And
> >>> you
> >>> should not do this, independent what kind of network FS are you
> >>> using.
> >>> It is always possible, that untrusted server can manipulate your
> >>> data or
> >>> credentials. It's impossible to open a SSH-Connection to your
> >>> client
> >>> until you don't exporting directories to server.
> > 
> > Then please make sshd listen on localhost and forward the ssh port
> > to the Server...
> 
> This will break the LAN scenario, where X2Go Client is in same LAN as
> X2Go Server and direct SSHFS connection can be established, which is
> faster as a connection via reverse tunnel. By default SSH Port from
> client is forwarded to server, and Windows firewall with default
> settings dropping TCP-copnnections from network anyway. As long as
> Windows user don't deactivate a Windows Firewall I don't see a
> security
> risk here.

There are lot's of Windows-Setups without a Windows Firewall.
And if you start sshd.exe the Firewall will ask you if that's ok.
*Every* user will say "Yes!!!" and the Firewall allows sshd.exe to listen.

It may work with the most current Windows Firewall because it knows
different zones. But still it is IMHO very bad to run sshd on the client.

> 
> > 
> >>>
> >>>> I haven't seen such a trainwreck of software for a long time.
> >>>> By installing it on my system you've successfully backdoor'ed my
> >>>> clients
> >>>> and the server.
> >>>
> >>> I appreciated your criticism, but writing something like that in
> >>> the ML
> >>> of a community project is just not respecting the work of people,
> >>> who
> >>> spent a lot of their time and costs to develop something useful
> >>> for
> >>> others.
> > 
> > I'm criticizing your code not you.
> > If you cannot deal with that, not my problem.
> 
> I can deal with criticism, I don't like the way you did it.

Sorry, that's life. :-)

Thanks,
//richard

More information about the x2go-dev mailing list