Hi all,

On Sat 18 May 2013 21:48:30 CEST Richard Weinberger wrote:

> while reviewing x2go I've encountered issues which scared the hell out of me.
> The client seems to perform zero input validation. A rogue server can easily crash the client
> and most likely execute arbitrary code.
> For example x2goSession ONMainWindow::getSessionFromString ( const QString& string ), it is fed with input from the server.
> ---
>     QStringList lst=string.split ( '|' );
>     x2goSession s;
>     s.agentPid=lst[0];
>     s.sessionId=lst[1];
>     s.display=lst[2];
>     s.server=lst[3];
>     s.status=lst[4];
>     s.crTime=lst[5];
>     s.cookie=lst[6];
>     s.clientIp=lst[7];
>     s.grPort=lst[8];
>     s.sndPort=lst[9];
> ---
> If a line from the server does not have enough "|" we end up with out-of-bounds array access.
> The source is full of such issues.

Can you please file a bug against X2Go Client, so that we do not lose this on the list. Those issues have to be fixed. Please mark them as grave:

To: [email protected]
Subject: <a-good-one>
"""
Package: x2goclient
Version: 4.0.1.0
Severity: grave

<your-bug-description>
"""

> Finally I've also looked at the server. In short, the 90's called, they want their setuid bugs back.
> x2gosqlitewrapper.c is just wrong, anyone can make it execute whatever binary he wants with higher privileges.

This one Richard and I have fixed during last night. The issues were present in X2Go Server and the broker agent in X2Go Session Broker. Please upgrade X2Go Server ( -> 4.0.0.2) and X2Go Session Broker ( -> 0.0.2.1). This is highly recommended!!!

> But it's not only the code that worries me.
> On Windows the client executes sshd and x11 by default. Both are listening on all available IP addresses.
> You silently install a user "sshuser" on Windows, which has the password of the currently logged in Windows user and give
> him a login shell.

Huuhhhh... @Alex: this sounds wrong to me... isn't it possible to launch an SSH daemon under the user's ID that is currently logged on (on some non-22 port)???

> I haven't seen such a trainwreck of software for a long time.
> By installing it on my system you've successfully backdoor'ed my clients and the server.

Let's continue working together to remove those trainwreck bits and pieces and then X2Go possibly becomes suitable for you.

Improving X2Go...
Mike

--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: [email protected], http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

_______________________________________________
X2Go-Dev mailing list
[email protected]
https://lists.berlios.de/mailman/listinfo/x2go-dev
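
Added example, not part of the original mail and not X2Go code: a bounds-checked version of the '|'-separated session line parsing quoted above, written with the standard library instead of Qt. The struct, the function names and the numeric checks on agentPid, grPort and sndPort are assumptions made for illustration.

```cpp
#include <cstddef>
#include <optional>
#include <string>
#include <vector>

// Field names follow the snippet quoted in the mail; std::string replaces QString.
struct Session {
    std::string agentPid, sessionId, display, server, status,
                crTime, cookie, clientIp, grPort, sndPort;
};

// Split on '|' and keep empty fields, so the field count is exact.
static std::vector<std::string> splitFields(const std::string& line) {
    std::vector<std::string> out;
    std::size_t start = 0;
    for (;;) {
        std::size_t bar = line.find('|', start);
        if (bar == std::string::npos) { out.push_back(line.substr(start)); break; }
        out.push_back(line.substr(start, bar - start));
        start = bar + 1;
    }
    return out;
}

// True only for a non-empty, all-digit string whose value lies in [lo, hi].
static bool isNumberInRange(const std::string& s, unsigned long long lo,
                            unsigned long long hi) {
    if (s.empty() || s.size() > 10) return false;   // length cap prevents overflow
    unsigned long long v = 0;
    for (char c : s) {
        if (c < '0' || c > '9') return false;
        v = v * 10 + static_cast<unsigned long long>(c - '0');
    }
    return v >= lo && v <= hi;
}

// Rejects a malformed server line instead of indexing past the end of the list.
std::optional<Session> parseSessionLine(const std::string& line) {
    constexpr std::size_t kFields = 10;             // lst[0]..lst[9] in the quoted code
    const std::vector<std::string> f = splitFields(line);
    if (f.size() < kFields) return std::nullopt;    // not enough '|' separators
    if (!isNumberInRange(f[0], 1, 4294967295ULL)) return std::nullopt;  // agentPid (assumed numeric)
    if (!isNumberInRange(f[8], 1, 65535)) return std::nullopt;          // grPort (assumed TCP port)
    if (!isNumberInRange(f[9], 1, 65535)) return std::nullopt;          // sndPort (assumed TCP port)
    return Session{f[0], f[1], f[2], f[3], f[4], f[5], f[6], f[7], f[8], f[9]};
}

int main() { return parseSessionLine("1|a|b").has_value() ? 1 : 0; }  // short line: rejected
```

A caller treats an empty result as a protocol error from the server and drops the line.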
