On 21.05.2013 11:01, Richard RW. Weinberger wrote:
> ----- Original Message -----
>>> From: Oleksandr Shneyder <[email protected]>
>>> Subject: Re: [X2Go-Dev] x2go and (none)security
>>> Date: 21 May 2013 10:40:45 CEST
>>> To: [email protected]
>>> Cc: [email protected], [email protected]
>>>
>>> Hello Richard,
>>>
>>> On 18.05.2013 21:48, Richard Weinberger wrote:
>>>> Hi x2go users/developers,
>>>>
>>>> while reviewing x2go I've encountered issues which scared hell out
>>>> of me.
>>>> The client seems to perform zero input validation. A rogue server can
>>>> easily crash the client and most likely execute arbitrary code.
>>>> For example x2goSession ONMainWindow::getSessionFromString ( const
>>>> QString& string ), it is fed with input from the server.
>>>> ---
>>>> QStringList lst=string.split ( '|' );
>>>> x2goSession s;
>>>> s.agentPid=lst[0];
>>>> s.sessionId=lst[1];
>>>> s.display=lst[2];
>>>> s.server=lst[3];
>>>> s.status=lst[4];
>>>> s.crTime=lst[5];
>>>> s.cookie=lst[6];
>>>> s.clientIp=lst[7];
>>>> s.grPort=lst[8];
>>>> s.sndPort=lst[9];
>>>> ---
>>>> If a line from the server does not have enough "|" we end up with
>>>> out-of-bound array access.
>>>> The source is full of such issues.
>>>
>>> You are right, it is possible that X2Go Client can be crashed with the
>>> wrong output from the server. This issue could (and should) be easily
>>> fixed by replacing operator "[n]" with method "value(n)". However, I
>>> don't think that this issue is as dramatic as you described it. Why
>>> should someone open an SSH/X2GO connection to a "rogue" server? I
>>> didn't see such a use case yet, where an administrator of a server
>>> wants to crash the client application on a machine of his user. If the
>>> root user on your Linux system is not an evil person who wants to crash
>>> the X2Go Client on your desktop, you should not worry about this issue.
>>> But if you are living in the world of BOFH, please don't use the X2Go
>>> Client until this issue is fixed. I'll fix it very soon.
>
> Ever thought about client security?
> What happens if someone connects to another server?
> E.g. a support guy who needs to connect to other customers.
> Using x2go you can take over his machine and sniff passwords to access
> other customers.
>
>>>> Finally I've also looked at the server.
>>>> In short, the 90's [email protected], they want their setuid
>>>> bugs back.
>>>> x2gosqlitewrapper.c is just wrong, anyone can make it execute
>>>> whatever binary he wants with higher privileges.
>>>
>>> Sorry, I don't understand what you are talking about. I did not find
>>> the file "x2gosqlitewrapper.c" in the source tree of package
>>> "x2goserver". If you found a security problem in the recent x2goserver
>>> code, please open a bug report on the bug tracker, describe the problem
>>> and show how it can be used. In the best case show an example exploit
>>> and send a bug fix. Saying "it is just wrong, anyone can do something"
>>> is just your opinion without any arguments.
>
> I showed Mike already how the exploit works. He already released a fixed
> version of x2goserver and x2gobroker. Both contained the same broken code.
> If you don't understand the issue I'll happily explain it to you in
> private, but I'll not post exploits on a public mailing list.
>
>>>> But it's not only the code that worries me.
>>>> On Windows the client executes per default sshd and x11. Both are
>>>> listening on all available IP addresses.
>>>
>>> Yes, these components are required by X2Go Client. These services are
>>> configured by default to listen on all IP addresses. It is possible to
>>> configure them to listen for connections only on localhost, but I see
>>> it just as a "nice to have" feature. Starting these services is not
>>> creating a backdoor on the system, otherwise most UNIX machines would
>>> be backdoor'ed, because they run the same services. Furthermore, the
>>> SSHD used by X2Go is running only with user privileges and opens access
>>> for only one user and only shortly for each SSHFS connection. The rest
>>> of the time SSHD doesn't accept SSH connections. In addition, each
>>> Windows system has a firewall that by default is configured to drop
>>> incoming TCP connections. This makes SSHD and X11 accessible only from
>>> localhost.
>>>
>>>> You silently install a user "sshuser" on Windows, which has the
>>>> password of the currently logged in Windows user and give
>>>> him a login shell.
>>>
>>> This is so untrue! X2Go Client can not install users on a Windows
>>> system.
>
> So? You install cygwin with a passwd file that maps to Windows users.
> sshd.exe uses that passwd file and one can login via network.
> Of course you need to know the password. But you open a security risk
> just by making sshd and x11 listen on 0.0.0.0!
>

The recent version of X2Go Client
http://code.x2go.org/releases/binary-win32/x2goclient/previews/4.0.1.0/x2goclient-4.0.1.0-pre02-setup.exe
does not install a passwd file and it is not possible to log in to the
system via network with the user password.

>>> To be able to do something like that, X2Go Client must have
>>> administrator privileges. All X2Go Client components run with user
>>> privileges. SSHD opens SSH access for the current user and this is
>>> required for SSHFS, which is used to export client directories to the
>>> server. If you don't trust your server, just don't export your
>>> directories. And you should not do this, independent of what kind of
>>> network FS you are using. It is always possible that an untrusted
>>> server can manipulate your data or credentials. It's impossible to open
>>> an SSH connection to your client as long as you don't export
>>> directories to the server.
>
> Then please make sshd listen on localhost and forward the ssh port to the
> Server...

This will break the LAN scenario, where X2Go Client is in the same LAN as
X2Go Server and a direct SSHFS connection can be established, which is
faster than a connection via reverse tunnel. By default the SSH port from
the client is forwarded to the server, and the Windows firewall with
default settings drops TCP connections from the network anyway. As long as
the Windows user doesn't deactivate the Windows Firewall I don't see a
security risk here.

>
>>>
>>>> I haven't seen such a trainwreck of software for a long time.
>>>> By installing it on my system you've successfully backdoor'ed my
>>>> clients and the server.
>>>
>>> I appreciate your criticism, but writing something like that in the ML
>>> of a community project is just not respecting the work of people who
>>> spent a lot of their time and costs to develop something useful for
>>> others.
>
> I'm criticizing your code not you.
> If you cannot deal with that, not my problem.

I can deal with criticism; I don't like the way you did it.

regards,
Alex

> Thanks,
> //richard

--
Oleksandr Shneyder
Dipl. Informatik
X2go Core Developer Team

email: [email protected]
web: www.obviously-nice.de

--> X2go - everywhere@home
_______________________________________________
X2Go-Dev mailing list
[email protected]
https://lists.berlios.de/mailman/listinfo/x2go-dev
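The exchange above turns on one parsing detail: `QStringList::operator[]` on an index past the end of the list is undefined behaviour, while `QStringList::value(n)` returns an empty `QString` for an out-of-range index. The following is an added example, not code from X2Go Client or from either participant; it uses plain C++ stand-ins (`splitFields` for `QString::split`, `valueAt` for `QStringList::value`) so it compiles without Qt, and the field names follow the snippet quoted in the thread. It shows both the `value(n)` fix proposed in the thread (never crashes, but silently leaves missing fields empty) and a stricter variant that rejects a server line with too few fields before any of it reaches the session object. `kSampleLine` and `kShortLine` are constructed inputs, not real server output.

```cpp
#include <cstddef>
#include <iostream>
#include <optional>
#include <string>
#include <vector>

// Plain-C++ stand-in for the x2goSession struct named in the thread; the
// field list (agentPid .. sndPort) follows the snippet Richard quoted.
struct X2goSession {
    std::string agentPid, sessionId, display, server, status,
                crTime, cookie, clientIp, grPort, sndPort;
};

// The quoted client code reads ten '|'-separated fields per session line.
constexpr std::size_t kExpectedFields = 10;

// Stand-in for QString::split('|'): an empty input yields one empty field,
// and a trailing delimiter yields a trailing empty field.
std::vector<std::string> splitFields(const std::string& line, char delim) {
    std::vector<std::string> out;
    std::string cur;
    for (char c : line) {
        if (c == delim) {
            out.push_back(cur);
            cur.clear();
        } else {
            cur.push_back(c);
        }
    }
    out.push_back(cur);
    return out;
}

// Stand-in for QStringList::value(n): an out-of-range index returns an empty
// string instead of reading past the end of the list as operator[] does.
std::string valueAt(const std::vector<std::string>& lst, std::size_t n) {
    return n < lst.size() ? lst[n] : std::string();
}

// Fill the struct from a field list; only ever reads through valueAt().
static X2goSession fillSession(const std::vector<std::string>& lst) {
    X2goSession s;
    s.agentPid  = valueAt(lst, 0);
    s.sessionId = valueAt(lst, 1);
    s.display   = valueAt(lst, 2);
    s.server    = valueAt(lst, 3);
    s.status    = valueAt(lst, 4);
    s.crTime    = valueAt(lst, 5);
    s.cookie    = valueAt(lst, 6);
    s.clientIp  = valueAt(lst, 7);
    s.grPort    = valueAt(lst, 8);
    s.sndPort   = valueAt(lst, 9);
    return s;
}

// The fix proposed in the thread: no out-of-bounds read, but a short line
// silently leaves the missing fields empty, so callers must still check them.
X2goSession getSessionFromStringLenient(const std::string& line) {
    return fillSession(splitFields(line, '|'));
}

// Stricter variant (hypothetical, not X2Go's API): a line with fewer fields
// than expected is rejected outright, so a malformed or hostile server
// response never becomes a half-filled session object. Extra trailing
// fields from a newer server are tolerated.
std::optional<X2goSession> getSessionFromString(const std::string& line) {
    const std::vector<std::string> lst = splitFields(line, '|');
    if (lst.size() < kExpectedFields) {
        return std::nullopt;
    }
    return fillSession(lst);
}

// Constructed sample line in the ten-field layout from the thread.
const std::string kSampleLine =
    "1234|sess01|50|srv.example|R|1369128045|cookie0|10.0.0.5|30001|30002";
// Constructed truncated line of the kind that crashes the unchecked parser.
const std::string kShortLine = "1234|sess01|50";

int main() {
    auto ok = getSessionFromString(kSampleLine);
    std::cout << (ok ? "accepted display " + ok->display : "rejected") << '\n';
    auto bad = getSessionFromString(kShortLine);
    std::cout << (bad ? "accepted" : "rejected short line") << '\n';
    // The lenient parser accepts the short line but leaves server empty.
    std::cout << "lenient server field: '"
              << getSessionFromStringLenient(kShortLine).server << "'\n";
    return 0;
}
```

The lenient form is the minimal change the thread discusses; the strict form is what a client talking to a server it does not fully trust should prefer, since an empty `display` or `cookie` reaching later code is its own class of bug.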
