[X2Go-Dev] Bug#333: Users can inject arbitrary data into X2Go Client via .bashrc

Mike Gabriel mike.gabriel at das-netzwerkteam.de
Tue Oct 29 13:36:14 CET 2013


Hi All,

Dan Halbert made me aware that it is easily possible to inject
arbitrary data into X2Go Client via the server-side .bashrc file. This
surely is a security problem in X2Go.

Thus, I found that we really need to do some sanity checks on incoming  
output from X2Go Servers to avoid such injections.

The idea is to invoke the server-side command with a UUID hash before
and after the actual command invocation:

1. execute server-side command from X2Go Client:

ssh <user>@<server> sh -c "echo <uuidhash> && <x2gocmd> && echo <uuidhash>"

2. read data from X2Go Server:

X2GODATABEGIN:<uuidhash>
<x2godata_line1>
<x2godata_line2>
....
<x2godata_lineN>
X2GODATAEND:<uuidhash>

3. cut out the X2Go data returned by the server (in C++):

       QString begin_marker = "X2GODATABEGIN:"+uuid+"\n";
       QString end_marker = "X2GODATAEND:"+uuid+"\n";
       int output_begin = stdOutString.indexOf(begin_marker);
       int output_end = -1;
       if (output_begin != -1)
       {
           output_begin += begin_marker.length();
           // search only after the begin marker, so an end marker printed
           // earlier (e.g. by .bashrc) cannot truncate the data
           output_end = stdOutString.indexOf(end_marker, output_begin);
       }
       if (output_begin == -1 || output_end == -1)
           output.clear();   // a marker is missing: no valid X2Go data
       else
           output = stdOutString.mid(output_begin, output_end - output_begin);


I have a patch locally for this and will commit it in a minute. We can  
discuss the patch and move on from there when it's there.

Unfortunately, this patch does not fix #327 as it is impossible to use  
scp with echoing .bashrc files. With this patch applied, the session  
starts, but setting up the SSHfs shares fails with locking up X2Go  
Client.

For people who depend on echoing .bashrc files, please read my last  
post on #327.

Mike
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-keys
Size: 7251 bytes
Desc: Public PGP key
URL: <http://lists.x2go.org/pipermail/x2go-dev/attachments/20131029/f5462441/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital PGP signature
URL: <http://lists.x2go.org/pipermail/x2go-dev/attachments/20131029/f5462441/attachment.pgp>
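The three steps Mike sketches above (per-invocation token, marker lines around the server command, cut out what lies between them), as an added, self-contained example that is not X2Go Client code. It uses plain std::string instead of Qt, generates the token with std::random_device rather than a real UUID, and assumes the X2GODATABEGIN:/X2GODATAEND: marker spelling from step 2; the quoting the actual x2goclient patch applies to the ssh command is not shown in the post. The extractor refuses to return data when a marker is missing, which is the failure mode the .bashrc/scp lock-up in #327 produces, rather than slicing from index -1.

```cpp
#include <iomanip>
#include <random>
#include <sstream>
#include <string>

// Fresh random token per server-side invocation. Any unpredictable
// 128-bit hex string does the job of the "UUID hash" in the post
// (assumption: the real client uses a UUID, this is a stand-in).
std::string make_token() {
    std::random_device rd;
    std::ostringstream os;
    os << std::hex << std::setfill('0');
    for (int i = 0; i < 4; ++i) {
        os << std::setw(8) << rd();   // 4 x 32 bits = 32 hex digits
    }
    return os.str();
}

// Step 1: the command string handed to `ssh <user>@<server> sh -c ...`.
// Marker names follow step 2 of the post; outer quoting is left to the caller.
std::string build_remote_command(const std::string& x2gocmd,
                                 const std::string& token) {
    return "echo X2GODATABEGIN:" + token + " && " + x2gocmd +
           " && echo X2GODATAEND:" + token;
}

// Step 3: cut the X2Go data out of everything the remote shell printed.
// Returns false and leaves `out` empty if either marker is absent or the
// end marker precedes the begin marker, so .bashrc noise can never be
// mistaken for session data.
bool extract_x2go_data(const std::string& stdout_text,
                       const std::string& token,
                       std::string& out) {
    out.clear();
    const std::string begin_marker = "X2GODATABEGIN:" + token + "\n";
    const std::string end_marker   = "X2GODATAEND:"   + token + "\n";

    const std::string::size_type b = stdout_text.find(begin_marker);
    if (b == std::string::npos) return false;

    const std::string::size_type data_start = b + begin_marker.size();
    // Search for the end marker only after the begin marker.
    const std::string::size_type e = stdout_text.find(end_marker, data_start);
    if (e == std::string::npos) return false;

    out = stdout_text.substr(data_start, e - data_start);
    return true;
}

// Constructed sample of what an ssh session might return when the remote
// .bashrc echoes text (not real X2Go server output).
std::string sample_output(const std::string& token) {
    return "Welcome, this line comes from .bashrc\n"
           "X2GODATABEGIN:0000000000000000\n"      // marker with a stale/guessed token
           "X2GODATABEGIN:" + token + "\n"
           "line1\n"
           "line2\n"
           "X2GODATAEND:" + token + "\n"
           "have a nice day (also from .bashrc)\n";
}
```

A .bashrc that only prints banners is neutralised by this, because its lines fall outside the marker pair or carry the wrong token. It is not a defence against a hostile server: the remote login shell sees the full command line including the token (bash exposes it as BASH_EXECUTION_STRING), so a .bashrc written to forge the markers still can. As the post notes, scp has no such framing, which is why the SSHfs share setup in #327 still fails.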