X2Go Bug report logs -
#1597
Possible security vulnerability: x2goclient crashes calling ssh-keygen due to unsanitized arguments
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>
:
Bug#1597
; Package x2goclient
.
(Tue, 31 Jan 2023 19:25:02 GMT) (full text, mbox, link).
Acknowledgement sent
to "Peter O'Regan" <peteroregan@gmail.com>
:
New Bug report received and forwarded. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>
.
(Tue, 31 Jan 2023 19:25:02 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.x2go.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: x2goclient
Version: 4.1.2.2-2020.02.13
x2goclient assumes the path to its application data directory does not have
any spaces or single-quotes, but these are legal path directories for users
on Windows systems. As a result, if the path to the x2go directory contains
spaces or apostrophes (C:/Users/O'Regan, for instance), the call will fail.
I have experienced this error and can reproduce the failure behavior by
calling ssh-keygen from the terminal.
The fix, I think, is to add double quotes to open and close the
"private_key_file" string sent to ssh-keygen on onmainwindow.cpp, line
11353, or to apply a dedicated sanitization function.
Testing in the terminal:
ssh-keygen -f C:\Users\O'Regan\.x2go\etc\mykeyfile will fail.
ssh-keygen -f "C:\Users\O'Regan\.x2go\etc\mykeyfile" will succeed.
There may be other places/program calls that also need sanitizing.
This is also potentially security issue since it lets the program caller
influence what arguments are sent to generate an SSH key by altering the
"HOME" environment variable queried by qt in line 185 from
QDir::homePath(). (I'm not sure how easy it is to change this or related
environment variables mid-session, but I imagine it might be possible). The
path appears as the final argument to ssh-keygen, so it will also overrule
the preceding arguments. For instance, I could reduce the bit count for the
key or key type to make the credential easier to brute-force.
I am using Windows 11.
Thank you,
Peter
[Message part 2 (text/html, inline)]
Send a report that this bug log contains spam.
X2Go Developers <owner@bugs.x2go.org>.
Last modified:
Thu Nov 21 12:09:58 2024;
Machine Name:
ymir.das-netzwerkteam.de
X2Go Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.