X2Go Bug report logs - #1597
Possible security vulnerability: x2goclient crashes calling ssh-keygen due to unsanitized arguments

version graph

Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: "Peter O'Regan" <peteroregan@gmail.com>

Date: Tue, 31 Jan 2023 19:25:02 UTC

Severity: normal

Found in version 4.1.2.2-2020.02.13

Full log


Message #5 received at submit@bugs.x2go.org (full text, mbox, reply):

Received: (at submit) by bugs.x2go.org; 31 Jan 2023 19:20:39 +0000
From peteroregan@gmail.com  Tue Jan 31 20:20:35 2023
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=0.7 required=3.0 tests=BAYES_50,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,
	SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2
Received: from mail-pg1-x52f.google.com (mail-pg1-x52f.google.com [IPv6:2607:f8b0:4864:20::52f])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id 06A5D5DAED
	for <submit@bugs.x2go.org>; Tue, 31 Jan 2023 20:20:35 +0100 (CET)
Received: by mail-pg1-x52f.google.com with SMTP id g68so10786014pgc.11
        for <submit@bugs.x2go.org>; Tue, 31 Jan 2023 11:20:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=to:subject:message-id:date:from:mime-version:from:to:cc:subject
         :date:message-id:reply-to;
        bh=IMxZmDY0GmLxRFa+OaRJPJZaVfZG7h93gJd9zamAcRY=;
        b=itM5AMIyWRwBiCmTp1YcO2SFmV1y649ljBcbLCKIYZlCLKAv31QPuYg/wiIxvlNLb2
         BAx1G3Q3SlcXO7N9Bjsb/P3PWPNGYcV5nw/QXPgxWD5asSvdZKr+xxncTbW7aXcmeEcw
         /yU1ZF1jhQamsSN1YM7jCN2g6pJSgSo2GMFoR3weaOymGk1eV518qaumknhKYLRX569c
         H8O3xnaXw37cUcBwCcqvh45IEvcXqWYIaIpyI2JGeIUKFPNGVOkIeAIuxOtokVLQC9uC
         pXNz6lbhFFSHO5Rr3JuquMnSVgY8JnCHKflnJbqnh9aDl4GIe3r1n316D/ux2HxXP77L
         QItA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=to:subject:message-id:date:from:mime-version:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=IMxZmDY0GmLxRFa+OaRJPJZaVfZG7h93gJd9zamAcRY=;
        b=rGupx0Ny9UYhB+1eK9DoOKwPIzbzKxI4VsyoQiGq9nJs+7zQB8opySERo/Uw6A/DYe
         pMJoZjYYoqfMtkxiYLXRDBTtqwYvNrjFlQLkD60jFZ6J4l3QfCkxqPwPFIqmXwF8p2rM
         k/d9x++YOrP/ZTt3VGl4WtaRug7PLoBQuKOwmRCjFELl6niygBKdghZMQAFa8p5b5i7E
         /7bY0wJpOYK6hCM8M0D1FTZv5YsDa1BUASzorcMUpo1RGm0bybLLHAQQ+7iQZW09aD/i
         ZOyrjoyN29QYiHDKim8ujihMNu+CeS2+4ePjPgxNAacUL//YqKk+kfnZVL5fMS8mmcgI
         gLyw==
X-Gm-Message-State: AO0yUKVpvBIS31IpsjkmaNBof42rIfi81BRISZvY5Kj12tLGtMcfOUTC
	vXtOIQhSfVPwz/u33Yhc1eWeYiBvNigfr0zkKyAEsUZS
X-Google-Smtp-Source: AK7set+TZXdoj4L4k6OhG1riDqB0i0n6Wv9YZKyrpnD1reS3FBpc6KU2xb+1yjuj1yIc0dufx0L68gcSrfJ6Y7Gj+1o=
X-Received: by 2002:aa7:98c7:0:b0:593:9891:f86a with SMTP id
 e7-20020aa798c7000000b005939891f86amr2177297pfm.53.1675192832147; Tue, 31 Jan
 2023 11:20:32 -0800 (PST)
MIME-Version: 1.0
From: "Peter O'Regan" <peteroregan@gmail.com>
Date: Tue, 31 Jan 2023 14:20:21 -0500
Message-ID: <CAB0Xt5CFmtzhHxZi4vABn4jg6XCYbL0wxHVU8rofso3SaMaHag@mail.gmail.com>
Subject: Possible security vulnerability: x2goclient crashes calling
 ssh-keygen due to unsanitized arguments
To: submit@bugs.x2go.org
Content-Type: multipart/alternative; boundary="000000000000b0cdef05f3943947"
[Message part 1 (text/plain, inline)]
Package: x2goclient
Version: 4.1.2.2-2020.02.13

x2goclient assumes the path to its application data directory does not have
any spaces or single-quotes, but these are legal path directories for users
on Windows systems. As a result, if the path to the x2go directory contains
spaces or apostrophes (C:/Users/O'Regan, for instance), the call will fail.
I have experienced this error and can reproduce the failure behavior by
calling ssh-keygen from the terminal.

The fix, I think, is to add double quotes to open and close the
"private_key_file" string sent to ssh-keygen on onmainwindow.cpp, line
11353, or to apply a dedicated sanitization function.

Testing in the terminal:
ssh-keygen -f C:\Users\O'Regan\.x2go\etc\mykeyfile will fail.
ssh-keygen -f "C:\Users\O'Regan\.x2go\etc\mykeyfile" will succeed.

There may be other places/program calls that also need sanitizing.

This is also potentially security issue since it lets the program caller
influence what arguments are sent to generate an SSH key by altering the
"HOME" environment variable queried by qt in line 185 from
QDir::homePath(). (I'm not sure how easy it is to change this or related
environment variables mid-session, but I imagine it might be possible). The
path appears as the final argument to ssh-keygen, so it will also overrule
the preceding arguments. For instance, I could reduce the bit count for the
key or key type to make the credential easier to brute-force.

I am using Windows 11.

Thank you,
Peter
[Message part 2 (text/html, inline)]

Send a report that this bug log contains spam.


X2Go Developers <owner@bugs.x2go.org>. Last modified: Fri Mar 29 08:09:52 2024; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.