[X2Go-Dev] Bug#333: Users can inject arbitrary data into X2Go Client via .bashrc

Mike Gabriel mike.gabriel at das-netzwerkteam.de
Tue Oct 29 14:41:47 CET 2013


clone #333 -1
reassign -1 python-x2go
retitle -1 Users can inject arbitrary data into PyHoca-GUI via .bashrc
thanks

Hi All,

On Tue 29 Oct 2013 13:36:14 CET, Mike Gabriel wrote:

> Hi All,
>
> Dan Halbert made me aware of it being easily possible to inject  
> arbitrary data into X2Go Client via the server-side .bashrc file.  
> This surely is a security problem in X2Go.
>
> Thus, I found that we really need to do some sanity checks on  
> incoming output from X2Go Servers to avoid such injections.
>
> The idea is to invoke the server-side command with a UUID hash  
> before and after the actual command invocation:
>
> 1. execute server-side command from X2Go Client:
>
> ssh <user>@<server> sh -c "echo <uuidhash> && <x2gocmd> && echo <uuidhash>"
>
> 2. read data from X2Go Server:
>
> X2GODATABEGIN:<uuidhash>
> <x2godata_line1>
> <x2godata_line2>
> ....
> <x2godata_lineN>
> X2GODATAEND:<uuidhash>
>
> 3. cut out the X2Go data returned by the server (in C++):
>
>       QString begin_marker = "X2GODATABEGIN:"+uuid+"\n";
>       QString end_marker = "X2GODATAEND:"+uuid+"\n";
>       int output_begin = stdOutString.indexOf(begin_marker);
>       int output_end = (output_begin == -1) ? -1
>                        : stdOutString.indexOf(end_marker, output_begin);
>       // indexOf() returns -1 when a marker is missing; only slice when
>       // both markers are present and in order, otherwise leave output empty
>       if (output_begin != -1 && output_end != -1) {
>           output_begin += begin_marker.length();
>           output = stdOutString.mid(output_begin, output_end-output_begin);
>       }
>
>
> I have a patch locally for this and will commit it in a minute. We  
> can discuss the patch and move on from there when it's there.
>
> Unfortunately, this patch does not fix #327 as it is impossible to  
> use scp with echoing .bashrc files. With this patch applied, the  
> session starts, but setting up the SSHfs shares fails with locking  
> up X2Go Client.
>
> For people who depend on echoing .bashrc files, please read my last  
> post on #327.
>
> Mike

This actually also applies to Python X2Go.

Mike
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
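The framing scheme from the quoted post, as an added example in Python (this is not X2Go Client's or python-x2go's own code). It generates a fresh UUID per invocation, wraps the remote command so the real output is framed by X2GODATABEGIN:/X2GODATAEND: lines carrying that UUID, and keeps only what lies between them. It also checks that both markers are present and in order instead of slicing from an unchecked -1. The command name "x2gocmd", the marker values and the data lines are constructed placeholders, not captured from a server.

```python
"""Marker-delimited extraction of X2Go server output (added example).

Not X2Go Client's or python-x2go's code. Command name, marker values and
data lines below are constructed placeholders.
"""
import shlex
import uuid

BEGIN_PREFIX = "X2GODATABEGIN:"
END_PREFIX = "X2GODATAEND:"


def build_remote_command(x2gocmd):
    """Return (marker, command string to hand to ssh).

    The marker is a fresh random UUID, so a .bashrc on the server cannot
    know it in advance and cannot emit a matching frame.
    """
    marker = uuid.uuid4().hex
    script = "echo %s%s && %s && echo %s%s" % (
        BEGIN_PREFIX, marker, x2gocmd, END_PREFIX, marker)
    return marker, "sh -c " + shlex.quote(script)


def naive_extract(stdout):
    """Pre-fix behaviour: everything the remote shell printed is treated
    as X2Go data, including whatever the user's .bashrc echoed."""
    return stdout


def extract_data(stdout, marker):
    """Return only the lines between the BEGIN and END markers for `marker`.

    Raises ValueError if either marker is missing or out of order, rather
    than silently slicing from index -1 as an unchecked indexOf() would.
    """
    begin = BEGIN_PREFIX + marker + "\n"
    end = END_PREFIX + marker + "\n"
    start = stdout.find(begin)
    if start == -1:
        raise ValueError("begin marker not found in server output")
    start += len(begin)
    stop = stdout.find(end, start)  # search only after the begin marker
    if stop == -1:
        raise ValueError("end marker not found after begin marker")
    return stdout[start:stop]


def frame_is_intact(stdout, marker):
    """True if extract_data() would accept this output."""
    try:
        extract_data(stdout, marker)
        return True
    except ValueError:
        return False


# Constructed sample: a .bashrc that echoes a banner, followed by the
# framed output of the actual command.
SAMPLE_MARKER = "0f8fad5bd9cb469fa165708677289501"
BASHRC_NOISE = "Welcome to box, the time is 14:41\n"
REAL_DATA = "x2godata_line1\nx2godata_line2\n"
SAMPLE_STDOUT = (BASHRC_NOISE
                 + BEGIN_PREFIX + SAMPLE_MARKER + "\n"
                 + REAL_DATA
                 + END_PREFIX + SAMPLE_MARKER + "\n")

# Constructed sample: a .bashrc that replays a frame with a guessed or stale
# marker. The client only trusts the frame carrying the marker it generated
# for this invocation, so the forged frame is skipped.
STALE_MARKER = "deadbeefdeadbeefdeadbeefdeadbeef"
FORGED_STDOUT = (BEGIN_PREFIX + STALE_MARKER + "\n"
                 + "forged_line\n"
                 + END_PREFIX + STALE_MARKER + "\n"
                 + SAMPLE_STDOUT)

if __name__ == "__main__":
    marker, cmd = build_remote_command("x2gocmd")
    print("would run: ssh user@server", cmd)
    print("naive  :", repr(naive_extract(SAMPLE_STDOUT)))
    print("framed :", repr(extract_data(SAMPLE_STDOUT, SAMPLE_MARKER)))
    print("forged :", repr(extract_data(FORGED_STDOUT, SAMPLE_MARKER)))
```

The example uses the X2GODATABEGIN:/X2GODATAEND: prefixes on the echoed lines throughout, so the strings the server prints are exactly the strings the client searches for. Because the marker is generated client-side per invocation, a .bashrc that prints a frame it saw earlier does not match; the parser still refuses output in which either marker is absent, which is the case the original indexOf()-based slice did not handle.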