Subject: Bug#773: DirectRDP: X2Go Client reveals user password in process list if xfreerdp is used
From: Mike Gabriel
To: submit@bugs.x2go.org
Reply-To: Mike Gabriel, 773@bugs.x2go.org
Resent-To: x2go-dev@lists.x2go.org
Resent-Date: Thu, 29 Jan 2015 12:15:01 +0000
Date: Thu, 29 Jan 2015 12:10:54 +0000
Message-ID: <20150129121054.Horde.CM1lx2L_ybSEiqc7NkNzhw3@mail.das-netzwerkteam.de>
X-X2Go-PR-Message: report 773
X-X2Go-PR-Package: x2goclient

Package: x2goclient
Severity: grave

When a user uses X2Go Client for directly accessing an RDP Server, then one can use the DirectRDP feature. The DirectRDP feature allows wrapping around the rdesktop command or the xfreerdp command.

With both wrapper modes, the password is given to the RDP client application on the command line.

With rdesktop, the command line ($@) gets rewritten for the process list and the password is replaced by XXXXXXXX.

With xfreerdp, the command line stays as is and reveals the RDP user's password in the process list of the machine that X2Go Client runs on.

The FreeRDP people have added a command line option --from-stdin to xfreerdp 1.0.x for this purpose, which may be an option to use in X2Go Client. However, I am not sure if this option survived in xfreerdp 1.1.x or later (it is not on the xfreerdp man page for 1.1.0~git as shipped with Debian jessie).
Mike

--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
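The exposure described in the report, as an added example that is not X2Go Client's or FreeRDP's code: a Python child process stands in for the RDP client, launched once with the password on argv (what the xfreerdp wrapper mode does) and once with the password fed over stdin (what an option like --from-stdin allows), while read_cmdline shows what any local user sees in the process list. It assumes Linux (/proc) and uses a constructed sample password.

```python
import subprocess
import sys

# Constructed sample value for the demonstration; not a real credential.
SAMPLE_PASSWORD = "Example-Pa55word"

def read_cmdline(pid: int) -> list:
    """Return a live process's argv as /proc exposes it, which is exactly what
    `ps`, `top` and any unprivileged local user get to see."""
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        return [arg.decode(errors="replace") for arg in f.read().split(b"\0") if arg]

def run_with_password_on_argv(password: str) -> list:
    """Stand-in for the xfreerdp wrapper mode: the secret is an argv element.
    A python child that just sleeps plays the RDP client (hypothetical stub)."""
    child = subprocess.Popen(
        [sys.executable, "-c", "import time; time.sleep(5)", "-p", password])
    try:
        return read_cmdline(child.pid)
    finally:
        child.kill()
        child.wait()

def run_with_password_on_stdin(password: str) -> list:
    """Stand-in for the --from-stdin mode: the secret crosses a pipe instead,
    so argv carries only the flag and nothing sensitive."""
    child = subprocess.Popen(
        [sys.executable, "-c", "import sys, time; sys.stdin.readline(); time.sleep(5)",
         "--from-stdin"],
        stdin=subprocess.PIPE)
    try:
        child.stdin.write((password + "\n").encode())
        child.stdin.flush()
        return read_cmdline(child.pid)
    finally:
        child.stdin.close()
        child.kill()
        child.wait()

def password_exposed(cmdline: list, password: str) -> bool:
    """True when the credential is recoverable from the process list: the bug."""
    return any(password in arg for arg in cmdline)

if __name__ == "__main__":
    for label, cmdline in (("argv ", run_with_password_on_argv(SAMPLE_PASSWORD)),
                           ("stdin", run_with_password_on_stdin(SAMPLE_PASSWORD))):
        print(f"{label} mode exposed={password_exposed(cmdline, SAMPLE_PASSWORD)}: {cmdline}")
```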