X2Go Bug report logs - #335
Users can inject arbitrary data into Pyhoca-GUI via .bashrc

version graph

Package: python-x2go; Maintainer for python-x2go is X2Go Developers <x2go-dev@lists.x2go.org>; Source for python-x2go is src:python-x2go.

Reported by: "Dan Halbert" <halbert@halwitz.org>

Date: Mon, 21 Oct 2013 12:48:02 UTC

Severity: grave

Tags: confirmed, pending

Fixed in version 0.4.0.9

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.

Full log


Message #60 received at 333@bugs.x2go.org (full text, mbox, reply):

Received: (at 333) by bugs.x2go.org; 29 Oct 2013 13:41:49 +0000
From mike.gabriel@das-netzwerkteam.de  Tue Oct 29 14:41:48 2013
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,URIBL_BLOCKED
	autolearn=ham version=3.3.2
Received: from freya.das-netzwerkteam.de (freya.das-netzwerkteam.de [88.198.48.199])
	by ymir (Postfix) with ESMTPS id 979A05DA6C;
	Tue, 29 Oct 2013 14:41:48 +0100 (CET)
Received: from grimnir.das-netzwerkteam.de (grimnir.das-netzwerkteam.de [78.46.204.98])
	by freya.das-netzwerkteam.de (Postfix) with ESMTPS id 5E0021333;
	Tue, 29 Oct 2013 14:41:48 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
	by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id 36D053BB58;
	Tue, 29 Oct 2013 14:41:48 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at grimnir.das-netzwerkteam.de
Received: from grimnir.das-netzwerkteam.de ([127.0.0.1])
	by localhost (grimnir.das-netzwerkteam.de [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id LdvFXATQckzD; Tue, 29 Oct 2013 14:41:48 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
	by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id 147C53BB68;
	Tue, 29 Oct 2013 14:41:48 +0100 (CET)
Received: from grimnir.das-netzwerkteam.de (localhost [127.0.0.1])
	by grimnir.das-netzwerkteam.de (Postfix) with ESMTPSA id DAE133BB58;
	Tue, 29 Oct 2013 14:41:47 +0100 (CET)
Received: from m-047.informatik.uni-kiel.de (m-047.informatik.uni-kiel.de
 [134.245.254.47]) by mail.das-netzwerkteam.de (Horde Framework) with HTTP;
 Tue, 29 Oct 2013 13:41:47 +0000
Date: Tue, 29 Oct 2013 13:41:47 +0000
Message-ID: <20131029134147.Horde.pdvnenhY0dXSzSektCXoKg9@mail.das-netzwerkteam.de>
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: 333@bugs.x2go.org, control@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#333: Users can inject arbitrary data into X2Go
 Client via .bashrc
References: <20131029123614.Horde.P9zSu3_8i0FBDAWAhaTBkg4@mail.das-netzwerkteam.de>
In-Reply-To: <20131029123614.Horde.P9zSu3_8i0FBDAWAhaTBkg4@mail.das-netzwerkteam.de>
User-Agent: Internet Messaging Program (IMP) H5 (6.1.4)
Accept-Language: en,de
Organization: DAS-NETZWERKTEAM
X-Originating-IP: 134.245.254.47
X-Remote-Browser: Mozilla/5.0 (X11; Linux x86_64; rv:23.0) Gecko/20100101
 Firefox/23.0 Iceweasel/23.0
Content-Type: multipart/signed; boundary="=_US6nxoH-O34Mp1XllffN3g1";
 protocol="application/pgp-signature"; micalg=pgp-sha1
MIME-Version: 1.0
[Message part 1 (text/plain, inline)]
clone #333 -1
reassign -1 python-x2go
retitle -1 Users can inject arbitrary data into Pyhoca-GUI via .bashrc
thanks

Hi All,

On  Di 29 Okt 2013 13:36:14 CET, Mike Gabriel wrote:

> Hi All,
>
> Dan Halbert made me aware of it being easily possible to inject  
> arbitrary data into X2Go Client via the server-side .bashrc file.  
> This surely is a security problem in X2Go.
>
> Thus, I found that we really need to do some sanity checks on  
> incoming output from X2Go Servers to avoid such injections.
>
> The idea is to invoke the server-side command with a UUID hash  
> before and after the actuall command invocation:
>
> 1. execute server-side command from X2Go Client:
>
> ssh <user>@<server> sh -c "echo <uuidhash> && <x2gocmd> && echo <uuidhash>
>
> 2. read data from X2Go Server:
>
> X2GODATABEGIN:<uuidhash>
> <x2godata_line1>
> <x2godata_line2>
> ....
> <x2godata_lineN>
> X2GODATAEND:<uuidhash>
>
> 3. cut out the X2Go data returned by the server (in C++):
>
>       QString begin_marker = "X2GODATABEGIN:"+uuid+"\n";
>       QString end_marker = "X2GODATAEND:"+uuid+"\n";
>       int output_begin=stdOutString.indexOf(begin_marker) + \\
>                        begin_marker.length();
>       int output_end=stdOutString.indexOf(end_marker);
>       output = stdOutString.mid(output_begin, \\
>                                 output_end-output_begin);
>
>
> I have a patch locally for this and will commit it in a minute. We  
> can discuss the patch and move on from there when it's there.
>
> Unfortunately, this patch does not fix #327 as it is impossible to  
> use scp with echoing .bashrc files. With this patch applied, the  
> session starts, but setting up the SSHfs shares fails with locking  
> up X2Go Client.
>
> For people who depend on echoing .bashrc files, please read my last  
> post on #327.
>
> Mike

This actually also applies to Python X2Go.

Mike
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
[Message part 2 (application/pgp-keys, inline)]
[Message part 3 (application/pgp-signature, inline)]

Send a report that this bug log contains spam.


X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Mar 28 13:24:09 2024; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.