X2Go Bug report logs - #335
Users can inject arbitrary data into Pyhoca-GUI via .bashrc


Package: python-x2go; Maintainer for python-x2go is X2Go Developers <x2go-dev@lists.x2go.org>; Source for python-x2go is src:python-x2go.

Reported by: "Dan Halbert" <halbert@halwitz.org>

Date: Mon, 21 Oct 2013 12:48:02 UTC

Severity: grave

Tags: confirmed, pending

Fixed in version 0.4.0.9

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.



Message #55 received at 333@bugs.x2go.org:

Date: Tue, 29 Oct 2013 13:15:48 +0000
Message-ID: <20131029131548.Horde.CWdPSTcHA3SBHPz5HBqibQ8@mail.das-netzwerkteam.de>
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: Dan Halbert <halbert@halwitz.org>
Cc: 333@bugs.x2go.org
Subject: Re: Bug#333: X2Go issue (in src:x2goclient) has been marked as
 pending for release
Hi Dan,

On Tue 29 Oct 2013 13:59:30 CET, Dan Halbert wrote:

> Hi Mike, this fix to authenticate the commands is good. I didn't  
> realize I was uncovering a security problem.
>
> One question: the underlying crash was due to bad data. If  
> authenticated but still bad data is sent, will the client still  
> crash? I am thinking about a malicious server crafting something to  
> crash the client or have it do something bad. I looked at the code  
> diff and I didn't see some underlying verification of the x2go  
> commands.
>
> E.g.:
> X2GODATABEGIN:<good-uuidhash>
> bad data here
> X2GODATAEND:<good-uuidhash>

I would indeed call this work in progress. See #334 for the "bad data
here" location you address above.

We surely need a means to ensure that the data sent over the wire is  
sane. An idea could be to encrypt/decrypt the data asymmetrically.  
Maybe something else...

Hmmm...

I don't think that evaluating the data in itself (via regexp e.g.)  
will lead to good results. We should invent a method that is common to  
all sorts of text data and makes sure that the data is for the client  
that requested it.

On the other hand... If you cannot trust your admin, who can you trust???

Any contribution of ideas is welcome.

Mike
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
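
The concern raised in this thread, authenticated markers around data that is still malformed, as an added example (not python-x2go's code): the first function accepts only output framed by `X2GODATABEGIN:`/`X2GODATAEND:` lines carrying the expected token, the second rejects malformed records instead of passing them on. The token value, the four-field `|`-separated record layout and all function names are assumptions made for illustration.

```python
import hmac

BEGIN, END = "X2GODATABEGIN:", "X2GODATAEND:"
TOKEN = "0f8b5c1e9d2a4e7ab6c3d4e5f6a7b8c9"  # constructed sample token


class FramingError(ValueError):
    """Marker pair is missing, repeated, out of order or carries the wrong token."""


def extract_payload(stdout, token):
    """Return only the lines between the BEGIN/END markers that carry `token`."""
    payload, state = [], "before"
    for line in stdout.splitlines():
        for marker in (BEGIN, END):
            if line.startswith(marker):
                # Constant-time comparison; a marker with a foreign token fails closed.
                if not hmac.compare_digest(line[len(marker):].encode(), token.encode()):
                    raise FramingError("marker with unexpected token")
                if (marker, state) == (BEGIN, "before"):
                    state = "inside"
                elif (marker, state) == (END, "inside"):
                    state = "after"
                else:
                    raise FramingError("marker out of order or repeated")
                break
        else:
            # Not a marker: keep it only inside the frame, drop .bashrc noise.
            if state == "inside":
                payload.append(line)
    if state != "after":
        raise FramingError("incomplete frame")
    return payload


def parse_records(payload, n_fields, sep="|"):
    """Split each line into exactly n_fields printable fields; reject anything else."""
    records = []
    for line in payload:
        fields = line.split(sep)
        if len(fields) != n_fields or not all(f.isprintable() for f in fields):
            raise ValueError("malformed record: %r" % line)
        records.append(fields)
    return records


# Constructed sample: shell start-up noise around one framed, hypothetical record.
SAMPLE = "\n".join(["Welcome! (printed by .bashrc)", BEGIN + TOKEN,
                    "1234|user-50-1383052548|50|host", END + TOKEN, "bye"])
```

With the thread's `bad data here` case, `extract_payload` succeeds because the markers are valid, and `parse_records` raises `ValueError`, which the caller can handle without crashing.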



X2Go Developers <owner@bugs.x2go.org>. Last modified: Mon Jan 27 20:26:22 2020; Machine Name: ymir.das-netzwerkteam.de
