From mike.gabriel@das-netzwerkteam.de Tue Oct 29 13:36:15 2013 Received: (at 333) by bugs.x2go.org; 29 Oct 2013 12:36:16 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,URIBL_BLOCKED autolearn=ham version=3.3.2 Received: from freya.das-netzwerkteam.de (freya.das-netzwerkteam.de [88.198.48.199]) by ymir (Postfix) with ESMTPS id 6B11C5DA6C for <333@bugs.x2go.org>; Tue, 29 Oct 2013 13:36:15 +0100 (CET) Received: from grimnir.das-netzwerkteam.de (grimnir.das-netzwerkteam.de [78.46.204.98]) by freya.das-netzwerkteam.de (Postfix) with ESMTPS id 2C0ABBBE for <333@bugs.x2go.org>; Tue, 29 Oct 2013 13:36:15 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id 16D653BB58 for <333@bugs.x2go.org>; Tue, 29 Oct 2013 13:36:15 +0100 (CET) X-Virus-Scanned: Debian amavisd-new at grimnir.das-netzwerkteam.de Received: from grimnir.das-netzwerkteam.de ([127.0.0.1]) by localhost (grimnir.das-netzwerkteam.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cSJY7mw+I1iB for <333@bugs.x2go.org>; Tue, 29 Oct 2013 13:36:15 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id DB3013BB68 for <333@bugs.x2go.org>; Tue, 29 Oct 2013 13:36:14 +0100 (CET) Received: from grimnir.das-netzwerkteam.de (localhost [127.0.0.1]) by grimnir.das-netzwerkteam.de (Postfix) with ESMTPSA id AFAFE3BB58 for <333@bugs.x2go.org>; Tue, 29 Oct 2013 13:36:14 +0100 (CET) Received: from m-047.informatik.uni-kiel.de (m-047.informatik.uni-kiel.de [134.245.254.47]) by mail.das-netzwerkteam.de (Horde Framework) with HTTP; Tue, 29 Oct 2013 12:36:14 +0000 Date: Tue, 29 Oct 2013 12:36:14 +0000 Message-ID: <20131029123614.Horde.P9zSu3_8i0FBDAWAhaTBkg4@mail.das-netzwerkteam.de> From: Mike Gabriel To: 333@bugs.x2go.org Subject: Users can inject arbitrary data into X2Go Client via .bashrc User-Agent: Internet Messaging Program (IMP) H5 (6.1.4) Accept-Language: en,de Organization: DAS-NETZWERKTEAM X-Originating-IP: 134.245.254.47 X-Remote-Browser: Mozilla/5.0 (X11; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0 Iceweasel/23.0 Content-Type: multipart/signed; boundary="=_-HPAsd1VjEw3c0uBC1fU2A1"; protocol="application/pgp-signature"; micalg=pgp-sha1 MIME-Version: 1.0 This message is in MIME format and has been PGP signed. --=_-HPAsd1VjEw3c0uBC1fU2A1 Content-Type: multipart/mixed; boundary="=_r8R1oQdSeDPLubTIopsEcQ2" This message is in MIME format. --=_r8R1oQdSeDPLubTIopsEcQ2 Content-Type: text/plain; charset=UTF-8; format=flowed; DelSp=Yes Content-Disposition: inline Hi All, Dan Halbert made me aware of it being easily possible to inject arbitrary data into X2Go Client via the server-side .bashrc file. This surely is a security problem in X2Go. Thus, I found that we really need to do some sanity checks on incoming output from X2Go Servers to avoid such injections. The idea is to invoke the server-side command with a UUID hash before and after the actuall command invocation: 1. execute server-side command from X2Go Client: ssh @ sh -c "echo && && echo 2. read data from X2Go Server: X2GODATABEGIN: .... X2GODATAEND: 3. cut out the X2Go data returned by the server (in C++): QString begin_marker = "X2GODATABEGIN:"+uuid+"\n"; QString end_marker = "X2GODATAEND:"+uuid+"\n"; int output_begin=stdOutString.indexOf(begin_marker) + \\ begin_marker.length(); int output_end=stdOutString.indexOf(end_marker); output = stdOutString.mid(output_begin, \\ output_end-output_begin); I have a patch locally for this and will commit it in a minute. We can discuss the patch and move on from there when it's there. Unfortunately, this patch does not fix #327 as it is impossible to use scp with echoing .bashrc files. With this patch applied, the session starts, but setting up the SSHfs shares fails with locking up X2Go Client. For people who depend on echoing .bashrc files, please read my last post on #327. Mike -- DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148 GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb --=_r8R1oQdSeDPLubTIopsEcQ2 Content-Type: application/pgp-keys Content-Description: =?utf-8?b?w5ZmZmVudGxpY2hlciA=?= =?utf-8?b?UEdQLVNjaGzDvHNzZWw=?= -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.14 (GNU/Linux) mQINBFAI/RwBEAC882z9DZ0OqvdoswfZD6sWlHH43iTc2QUibyHEhz/Jov8UQLPK qUncNd9QMcQ3zp2NnU9tS4j5IY/QPcBMR96ZNdl9PWpV/Ubs6yZ9PK2/DBt3Noos FZUN2KrHbnbED5zf9sEHyRuBTnDtVRtskQlaFreX5NSZ1ndqJrC1Uqm64Mf+0mC8 7D1QRlNkH7OQmMK+u6EN8a1IZae7mDzzStgzvbvm1BZ6XDJ6ThNckvGEhgSbPF16 9zfW6a0mdlOjkmW50VIQg3wjtVHxlIYqFnH4KGp2kYslJR3SIB7ntbNW1wVQm8d2 vAnnnzXWNFFuIqOj7z6ylIL9lVTPEBen3rgDsha7/YCR5d4Kez4piKKbAMBxeSxZ yzz90YRtp/zIqjotfQt6Q05mAi9xVfvbi+XKBcGtoU89g5aekFi7bkrpxDB/JCAA VaLz0Mrpz0/33Pffhnf5a9JUvk6UhNmYBEknLn7fuO3WF0Q6Q58QvMYvHxpxAr3X nywyYFic8o71lxWB8D/Y2bhwHE3098BJhI80DLznx7cmuInORg0AnV5AArkdCBNa p+bh0rVbQXxOzKT3ETPkKBKbMRhAWtCiQfGGzOzVvtGzMw+yZMnGIEfJ7Dqe5URF rvRPJYlIJLPsa3josVtIMjaeK6xIG2o7c8qN/H89nNyplQkt+Vx28x3dewARAQAB tC9NaWtlIEdhYnJpZWwgPG1pa2UuZ2FicmllbEBkYXMtbmV0endlcmt0ZWFtLmRl PokCPQQTAQgAJwIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAUCUWUgMAUJCsIk hAAKCRCa9GswJXcbMYLlD/9Ov0PPICrmOD5LG2W3eF/bEqSd5Lnvc0njkI0IOKhJ Ww/jjGcQpnclfxsDNIvhXtHcZHL3b50320p7neKL/MaO6NYRo+UMkOzmwsEFQL3b 6Cea70QRgvn+cxjpnDP5a5wLKyiezwE3GdlPV2+Aohlq1BrY1N3OAVby5/QylYoz Ezb4zlhg2ncvp3N4FZh7BBDkaK1d+ZObBP/uxrkwoapAXqp4S8iSE46d2/R1W20v 7edGN21+qi8DkKI69hTzo4OgyRPwF0LIQnJlGL0eI0cMA1P1SqJpLePKPPFPqHYY haBvDlGXWVwEflKBNh06CqT7fwi7nnRV7EkIP+kXDYYGxn05DsFqIbNB2fFRrPaO 4x2NCE7eCU9kf1Xazv6MRGudzTndeFGFKyqIrx4fRZHnrytL11vxxGw207mx/TCx +6zQwwGu3bMtv9QUnEjDvZWXkMU+emz7kDjg+3Bnb9lC78zKJRWXSpp3StTgMFi5 Cu+QzVVkzywEqmNzcLySIoyFqjUhhvVlXTQjzNU1JI3hRETG/sRQmftsIJNJQFf3 0/euiRD48rQvjH9s82sniUCI+l+DXUOyFkGofz5045Q7z8gky+W98q/c7Y8YG1d6 Cba1Im2tMaiR2m/jUzai1T3q+7AmdKxCVELvxpaSDSKLWR+UxVR8yjirhmGtwo1L eIkCQAQTAQgAKgIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAIZAQUCUWUgKQUJ CsIkhAAKCRCa9GswJXcbMSVTEACKK4yB3eZJHV1F2bm8lvJCYsqhnuxmIGrZgXPa Apv2gItUdqiaHLTboa0MFIfhT29tJ7FYSD3xto9VX7tocegoUoRct+YVFiubiqge PTe1GU7eNER5i3UyG+b/o8jhDAQzv+GDH8jPFQ3CfbR5DyW9JMhncKbOrCtSI0Zy s2QdGjZJf22wUdkJF67Aac/Ohktjg/Lriv/swZXo4azE3BoCfPBVnxqQ0f5Cno/J NyLDRYEHvU6+vRsX0nsfmLi8AMYu0OD2/WSluRDLUK59fumBJSHNdxxnQ0aU4pZk FvLvP6XVG/RjnLiYpzTi78cSNLzcTxC2GqrZh4s6NVho70ZVhyAc8xFp2zcoD/YT iOI8cbetnxWDtMOY9i+0GKYK/FAlUkBhcKPKJfpWcBxGsUnV5XI2XDKMsL1sQafo eYz0afVcXEOnNoHiwJ2/Ez6G+TrJU8cSNsLd3eClimIoRNLUE0m4eE+SnVJSJxeq VlJhTFAtILSJ75u+N+SoP5d+PZc1aR88M3oVbjbNkQlVxqah6Ag5Tg/mOKX5lsbx Par35hhpQU1YukRDOFoAcvry79yp+Kh+OU/S3TNp2z6epTgAoSwZz+k+s9R/WG5s qUEarWQLbOM3J7740qkrvz7C949fgXO4GwLBl6p4skQZonIFNqp6QlqIUsTATlDu 94h2GLQwTWlrZSBHYWJyaWVsIDxtaWtlLmdhYnJpZWxAaXQtenVrdW5mdC1zY2h1 bGUuZGU+iQI9BBMBCAAnAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheABQJRZSAw BQkKwiSEAAoJEJr0azAldxsxfC8P/3hCWeFjbOp4tXfHTJy/C6d+vSIfUEwJ8RmV uMp7VledcGN9NffT3F1Qw+x9jX37M0kqa4RdAl2hes6h1c0fMUG/imAFpVt17E7k PT5BrTz4jMqRQAU0JHnuos0F2MiaoWc5/w22W8vwmj+NrdL8Bagu3OYUV66KGaIO YDsWLCw6Qqaj33on4AqAOcnsylvNyrV0zttB0x9ZvIY8sDPpgkfZ5iyA/eRBqlsc 1UShbbN7ucirfN5vJFnOXGTKABIVis/29o56KvlT571WRPK56H3U6U6f3402+gjW vaAYKTm5Ma8MelzPciXRVEj7CMWJ7+CvlRTUaOuPQfwDxPTLAE6K8t7Dbo8SCuai MYDLfd5cAO5Fs3zwdO0QOgnc/RUT/vKT6d/iskFdTXuMr3iNBuEOt0jW2elP3OeA OMKcITryYQZ73uOlDnns3P+WDDezMMMUHNoboy4mO7G3SKXsLCaJHXF1Meg/NWwN 0W38vLnHyqABlN2F3KwoXtCQzeJE6j3kVD76hAyL2KoSmB55UXP9mdfSwe17XUnS BEyYzdBdoJIlPKVTh8EzcNwHcxOCNMbV9FEFaNAVpBp5tDrkO6Og+XE+wohTJJAj fRSLD76+0O3jhYqbnqxsxaOMrtazxQv0mB2+ZNa4MoZWIBOzeA1SncZhAOdoqhgs eL3HVU3QtCxNaWtlIEdhYnJpZWwgPG0uZ2FicmllbEBkYXMtbmV0endlcmt0ZWFt LmRlPokCPQQTAQgAJwIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAUCUWUgMQUJ CsIkhAAKCRCa9GswJXcbMekMD/9KeqniddnMyKAz9pLbY94YpkmRizhygOnLhxL+ Q3m68vKHfaexDGSa2SXiSOqY1DBeDbj8VQbwJfSu7TDN6JHzvoa6p9IufrkHwJzt bI4gz+GsGBlJsCD/2/tEf9AqKwnxPNK+5RmED4rKyG9uCs3Sdvte30ZF3yQia6JU zgDwCGMCWwNJUe+Diya7oOpW0R+O+T3Lyt7PGqi9xndC/pIZBPybysTzq+GLu1mj e7BNlSU8wc0AcVMIBusGPdby9uTCfN5/dPTlb5g0oOAg0lc381HsrUQYTP+pGPCJ azkz7GkTWJnarMEk1OTUVdjpXd5oW6Zn1JVI06VlpxV1D7lixtBXk1alwecj4TZP bAl4qVNloNX7J7FOWK2o58qXiNU56i9RhmurFMes4O66WvznGaUMH9RW/Agd6SVV Su+Obu7fvIg1W5tJ6wtkXWSMYebro9zmBcTnIC61VRqIgHW/miqw69Ds0KpNPW0I yxUUzuq+g+gby4PwF2RhAIKCE324JMVl7cCexobHuO/pB3PFv7Fo0lcAQ1S6W72l C+ksgQHVzpLDTRl9PYF+nmI7T/70orhN+J7zxzV2Zuu+iJSTA/DAIGN9o9CNJdwt P0Y+m3FQUYuMk7NyIdSYqYPuCa8NqOn/Z1oN/VDIstF0JuCwN+wZcr3B/+5B+tLF m+NGubQdTWlrZSBHYWJyaWVsIDxtaWtlQHVidW50dS5kZT6JAj0EEwEIACcCGwMF CwkIBwMFFQoJCAsFFgIDAQACHgECF4AFAlFlIDEFCQrCJIQACgkQmvRrMCV3GzHv SBAAsLX0Y3ov6kKk1tfYms+V51+1rqCcAn6Dm5Zj+CUnMmsxAkJoDqsStrKaEh6H aJglVg8+ddvHU7Hd9f/rALRttpMEN8crIYugv2PevK2u4+WAxyCuTqM+CQyRLaSo o0ndfDqc5NCZggKD3Xr3RNUQgmNqIaXuGeVG2BqEaPreurP2MYpakYJYTgRkj10z p+srw0RujzCOyq2t4r0JkElEJQx1eTXnxo1ByOO0E8kZkN9hQ9Jg0a34EwGvxqk4 qXfb8rQM5qFQRymOI2OCKvjb7ehkaQZR9nSobVQtFWRX5cVauZL5pmfOmHl+tjwn qSMiR9+fdulOTLZ7jsr1JBYb4czs1y7ShbbcZD1BCvF17oNGqi2up27jDD290jJU xBy7Z0RkWlPRsFO2B/9d1ic7arYIDjN4PZETMXIogVp9doaU9M+t3vWK7nEf8/1+ dNuyBLZBgFbGt9zOnoeLqFlhUQVHlJjpjjwn1CvfPIBd6eAiyfa4OE7YAkZySu2E pazJ02xDw+DJ+8NVGFqQrbOc9JN/Vc9zusrf4YTxxWRbSysR8QgrTjF5WPy4CbAo QoS8qGrWnNuOn8YJ/d5z6icOd7VGNjCRREEyAVXU1kIQUXbIJWuUjyYNWdzoaLWx qIt+CB/bcQDngqjUEDZ2CZkWNL58vd8aAXjprqRElB2hvtK0I01pa2UgR2Ficmll bCA8c3Vud2VhdmVyQGRlYmlhbi5vcmc+iQI4BBMBAgAiBQJRSD+9AhsDBgsJCAcD AgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCa9GswJXcbMYtjEAClP1Fz+ID1p8RxxCeR jYjL1oeeLRwXTuIS1wQfeAoz5wbLMMn/HsKKQ2YDebxzhiroW7Moa0FMO++O9Wmd ua9rVwV1g4qShrmDzSwWmRBrowlAav0IbcCM2vcbi845tSyGWmR2i6bJZpK8NZAS Cug5hijNdXwRVfAmNGFElcIXC1aa6U2kIVuh45tG/IuO5YmZWC5LQdK8VgTLs/yk HBlNt8sdo7TgzRpKHmEZG1jCpmYRuxgJPTroPdzvwqTKamh+LIqC8Z+E9pGlZeQf 44dKpvHJuSdEy1UBTOnvCiRgFP4ZX735Arc9WA83qFzrNFjLiy3zNQp9pcCdBY2x aLhsyfG8EBtZE9GXEgc52EuTqDZSAyBi5IeRcG7FvdHvLV8zypEHK3Hn9g3Eq2OS PDOw6/EL7KnVbhvogEujPlgD3wJW0FItrE6iR05TAeK0jE0gUBNMzGnyUbFRxJZX RTHEsFyIc9oMqoNEUOSblH8cgGY+HLEWFWaqfkTLBC6kVKP/RxZOVypNvtHZn86q 85x6XucfCoBpVqRzrHmOcAXuA6YHGEamoK7OdvkOrV1Nc1OMxYWnxG/4WYjokxEc Hx2Jg7CAlzi1/NFHAQD4o9TJaAraQjy0nqFiobHHzyLmiPBDKMfjTXdsSRjjVm3k m5mV6Bpy15KNVamTcINasFCChbkCDQRQCP0cARAAocrlXanxu815kLU6zhFP6Jp3 sQHcTRXucq28BgWf7Dz8galugBPTEEdKTkrxxAiSGZ3iHEJsmW8H4XNy56Jh+jpL OqW0+4RvPc6Eemv1MzgfdAuEkKNA+3ar3ETqhVnn54olI6rMo0FulDCopNE/0LIC AjSLekPXTlPj2swClmyl35hXJYiTgtwwLCkoQHMxz2L1+igyoGdR/O3lEwQJ1pI7 oaanWV8fda4jQkLpDf1q6bY2tEdUZx2uR5J79pjpjNkxpCbD1TvGRWjekkZP9Yi7 4ZgtyTh86hAPVP1x30a7/Hb0ysfeqJ63f8sQEqLtrfjPYO0IRoaPvL/RXxXrO2nV RMmLVeeho6GHk0LqubfA8gzZ1Vu9Rfag1EMMNy6ZkvdHNJm8sSaec90tn59aPLUP taBe5d4Ji6tlpJu2ez75A6tmt3JMDrQ6crfN5eZ0ISAGHwWHN9SPDhAcVcGBZrKQ QQaKIcQ2gVbGcnO3lOCY4MkxgyCiJX+MepnWOpvB2pyv4ftJLv7rxfOQ3Z/3yewS GRfwrT+AW/i1jcW/C+c5sLZPGFtG8gBXPwUj2CYbAGI74eFhGk6Ksu3f2qxFOVDM IJdiBJatEYojN64Gzap2nzZfhUHPqOnBeI/cL+Z/YbakUuIAcva3o1UuOLvGg+Fo 9kFdPLDXRhPOqMywdDUAEQEAAYkCHwQYAQgACQUCUAj9HAIbDAAKCRCa9GswJXcb MZubEAC8GzMcU5CVNqDGOHiStowzKgU3njez9aYa70Gsmtm62WPkJSTVw7Nw6wfC val84JLqy0wL8tq90px0du/Ep7lE3laKlhREXiDLFGTccLH2XzK9CcnRygqjhPV9 yTY7YGorNbYKpwwgL889Ld6dhXlwDfR4PmvEKZjzqdhwDAXWsivkMYsEwC3oKC1m Ra3Nzf/oHUNrPwKSW55EKswc88u+T7553BUpGMyp2lktuA6jFSgbal3KdA0Ipbr7 C8elt7IapSz03MjcGTfVvnax5M8m/6dejdjKjGi8UFpaTbIiufQw8gpCFJhwRMpK MzU9qmDwOpeg5yL+a/k41wvBEZx4hHHkpcMfTF9vigZb+h8WHgwN/Zu+mCS84MyS g/oGwYs0flIPi/FJ9KrcMJFzB+d8YNYdx1mZaxY1b2gs4RtmTrhhRXbdcNeHNEH4 xHaRhSfDGW8UFuFVY4LKz4iF/mnoo6jMXds2HLKz7OaEneDbeDlZc8EViXvOtL7Q 8nS7ta8cWLCDd9n42hzf6Dw+dq4B/OLVJTFYGMrhouA6xr3GzhgcgAeUmFEPoBbU fX5Gy108fh4YQh1w+QsJxznorI+2rqOD1RxG2dxxBlHKSfDbY4gT35U4SrSfV6rW P6TFT0JSxqgibbegXJUN0jSUL4HibtLXHS2/vpV/wTceVaGB/g== =uwZl -----END PGP PUBLIC KEY BLOCK----- --=_r8R1oQdSeDPLubTIopsEcQ2-- --=_-HPAsd1VjEw3c0uBC1fU2A1 Content-Type: application/pgp-signature Content-Description: Digitale PGP-Signatur Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAABAgAGBQJSb6u+AAoJEJr0azAldxsx8VIP/jkecyXFhDCW5fDUdbcNbF1q X2JSIq3OjlyLKUNydS49BKgsIzpRlxeEskd1QNt0S1ZYLceiojZ/tzcsJlN/dipl OaI3/Wrtn4pcE90shOkOj/60vJo7LCKh/4JUcHbW5GcJjAmxv4L2Z+2N/N/ZAU6s A/xgKfH415+1cFKvDFM7rALpCvXueDetVlaMjQQHzNVZsS/LGMefYd1N7grvtFB9 HJNRbVWu6g7sKbEl5rr7/j5rFNiNj37f2VOoKuuPz65ndsLI25K4T+vQZfBZtHQa UL18Cg9PpqKoW2b3fAcWWPGWARBuzG/pDkGRb3jGvsbeThF/N5bdf5yV16i6Vqh2 CZl1x0RzmR0IWBE5fZRrGQAukFLZ+xCreqDGP8GNwVz5mK4ZOAilYOUN8FgXpzID O1R7iRtlKZmcmFDjj1O0wnqKK64beYeiVImvGluf8r1esnidwrzwWG5F9nNs7iNt f2Q1G52DnVXLd2GnReisn2qI9BMnNAMt90Ni6NiDHUho49kutK4E+D++4r3MjotS QCxoBaFNq4bQMCaA01WdnPwEUZAAUIgd/3kuWgD7k3aoEeo6sdNHqs/dw153m25m eCmjjoJSKZaqoqYowykg3N2K1aNDICeXz46K04m8Ssrbw8EwLloYELOfi8Veon48 mXEvyNY/9w/+SAYIonNB =gkuH -----END PGP SIGNATURE----- --=_-HPAsd1VjEw3c0uBC1fU2A1--