X2Go Bug report logs - #333
users can inject data into X2Go Client using .bashrc

Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: "Dan Halbert" <halbert@halwitz.org>

Date: Mon, 21 Oct 2013 12:48:02 UTC

Severity: grave

Tags: confirmed, pending

Found in version 4.0.0.3

Fixed in version 4.0.1.2

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.


Message #33 received at 333@bugs.x2go.org:

Date: Tue, 29 Oct 2013 12:36:14 +0000
Message-ID: <20131029123614.Horde.P9zSu3_8i0FBDAWAhaTBkg4@mail.das-netzwerkteam.de>
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: 333@bugs.x2go.org
Subject: Users can inject arbitrary data into X2Go Client via .bashrc
Hi All,

Dan Halbert made me aware of it being easily possible to inject  
arbitrary data into X2Go Client via the server-side .bashrc file. This  
surely is a security problem in X2Go.

Thus, I found that we really need to do some sanity checks on incoming  
output from X2Go Servers to avoid such injections.

The idea is to invoke the server-side command with a UUID hash before
and after the actual command invocation:

1. execute server-side command from X2Go Client:

ssh <user>@<server> sh -c "echo <uuidhash> && <x2gocmd> && echo <uuidhash>"

2. read data from X2Go Server:

X2GODATABEGIN:<uuidhash>
<x2godata_line1>
<x2godata_line2>
....
<x2godata_lineN>
X2GODATAEND:<uuidhash>

3. cut out the X2Go data returned by the server (in C++):

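      // Markers wrap the real command output; anything outside them
      // (e.g. text echoed by .bashrc) is discarded.
      QString begin_marker = "X2GODATABEGIN:" + uuid + "\n";
      QString end_marker = "X2GODATAEND:" + uuid + "\n";
      int output_begin = stdOutString.indexOf(begin_marker);
      int output_end = -1;
      if (output_begin != -1) {
          output_begin += begin_marker.length();
          // Look for the end marker only after the begin marker.
          output_end = stdOutString.indexOf(end_marker, output_begin);
      }
      // Take the data only when both markers were found.
      if (output_end != -1)
          output = stdOutString.mid(output_begin, output_end - output_begin);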


I have a patch locally for this and will commit it in a minute. We can  
discuss the patch and move on from there when it's there.

Unfortunately, this patch does not fix #327 as it is impossible to use  
scp with echoing .bashrc files. With this patch applied, the session  
starts, but setting up the SSHfs shares fails with locking up X2Go  
Client.

For people who depend on echoing .bashrc files, please read my last  
post on #327.

Mike
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
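
The marker-based extraction described in the message above, as an added example that is not part of the original mail or of X2Go Client's code. It uses std::string instead of QString; the function names, the sample output and the rule that the begin marker must start a line are assumptions made for this illustration.

```cpp
#include <iostream>
#include <string>

// Find `marker` only where it begins a line (hypothetical helper).
static std::string::size_type find_line(const std::string& s,
                                        const std::string& marker) {
    std::string::size_type pos = s.find(marker);
    while (pos != std::string::npos) {
        if (pos == 0 || s[pos - 1] == '\n') return pos;
        pos = s.find(marker, pos + 1);
    }
    return std::string::npos;
}

// Copy the text between the two marker lines into `data`.
// Returns false and leaves `data` untouched if either marker is missing,
// so output without the expected per-call UUID is rejected, not parsed.
bool extract_x2go_data(const std::string& ssh_stdout, const std::string& uuid,
                       std::string& data) {
    const std::string begin_marker = "X2GODATABEGIN:" + uuid + "\n";
    const std::string end_marker = "X2GODATAEND:" + uuid + "\n";
    std::string::size_type b = find_line(ssh_stdout, begin_marker);
    if (b == std::string::npos) return false;
    b += begin_marker.size();
    // The end marker is searched for only after the begin marker.
    std::string::size_type e = ssh_stdout.find(end_marker, b);
    if (e == std::string::npos) return false;
    data = ssh_stdout.substr(b, e - b);
    return true;
}

// Constructed sample: .bashrc noise, including a framed block that carries
// a UUID the client did not generate, followed by the real framed data.
std::string sample_stdout(const std::string& uuid) {
    return "Welcome from .bashrc\n"
           "X2GODATABEGIN:00000000-0000-0000-0000-000000000000\n"
           "injected|line\n"
           "X2GODATAEND:00000000-0000-0000-0000-000000000000\n"
           "X2GODATABEGIN:" + uuid + "\n"
           "session-line-1\nsession-line-2\n"
           "X2GODATAEND:" + uuid + "\n";
}

int main() {
    std::string data;
    const std::string uuid = "3f2b8c1e-constructed-uuid";
    if (extract_x2go_data(sample_stdout(uuid), uuid, data)) std::cout << data;
    return 0;
}
```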


X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Apr 18 14:33:11 2024; Machine Name: ymir.das-netzwerkteam.de
