X2Go Bug report logs - #1597
Possible security vulnerability: x2goclient crashes calling ssh-keygen due to unsanitized arguments

version graph

Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: "Peter O'Regan" <peteroregan@gmail.com>

Date: Tue, 31 Jan 2023 19:25:02 UTC

Severity: normal

Found in version

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#1597; Package x2goclient. (Tue, 31 Jan 2023 19:25:02 GMT) (full text, mbox, link).

Acknowledgement sent to "Peter O'Regan" <peteroregan@gmail.com>:
New Bug report received and forwarded. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Tue, 31 Jan 2023 19:25:02 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.x2go.org (full text, mbox, reply):

From: "Peter O'Regan" <peteroregan@gmail.com>
To: submit@bugs.x2go.org
Subject: Possible security vulnerability: x2goclient crashes calling ssh-keygen due to unsanitized arguments
Date: Tue, 31 Jan 2023 14:20:21 -0500
[Message part 1 (text/plain, inline)]
Package: x2goclient

x2goclient assumes the path to its application data directory does not have
any spaces or single-quotes, but these are legal path directories for users
on Windows systems. As a result, if the path to the x2go directory contains
spaces or apostrophes (C:/Users/O'Regan, for instance), the call will fail.
I have experienced this error and can reproduce the failure behavior by
calling ssh-keygen from the terminal.

The fix, I think, is to add double quotes to open and close the
"private_key_file" string sent to ssh-keygen on onmainwindow.cpp, line
11353, or to apply a dedicated sanitization function.

Testing in the terminal:
ssh-keygen -f C:\Users\O'Regan\.x2go\etc\mykeyfile will fail.
ssh-keygen -f "C:\Users\O'Regan\.x2go\etc\mykeyfile" will succeed.

There may be other places/program calls that also need sanitizing.

This is also potentially security issue since it lets the program caller
influence what arguments are sent to generate an SSH key by altering the
"HOME" environment variable queried by qt in line 185 from
QDir::homePath(). (I'm not sure how easy it is to change this or related
environment variables mid-session, but I imagine it might be possible). The
path appears as the final argument to ssh-keygen, so it will also overrule
the preceding arguments. For instance, I could reduce the bit count for the
key or key type to make the credential easier to brute-force.

I am using Windows 11.

Thank you,
[Message part 2 (text/html, inline)]

Send a report that this bug log contains spam.

X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu May 30 18:43:51 2024; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.