X2Go server remote code execution

2013.09.25
Credit: Mike Gabriel
Risk: High
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Hi all,

I couldn't find a CVE, so I would like to request one for a vulnerability in X2Go Server. The vendor reported an issue where a remote user could execute arbitrary code as the x2go user, apparently by leveraging a setgid executable which did not have a hardcoded path to "libx2go-server-db-sqlite3-wrapper.pl". [1] is the commit fixing the vulnerable code, [2] is the upstream release announcement.

Thanks,
Chris Reffett

[1] http://code.x2go.org/gitweb?p=x2goserver.git;a=commit;h=42264c88d7885474ebe3763b2991681ddfcfa69a
[2] https://lists.berlios.de/pipermail/x2go-announcement/2013-May/000125.html

diff --git a/debian/changelog b/debian/changelog index e30e866..4922ddb 100644 (file) --- a/debian/changelog +++ b/debian/changelog @@ -38,6 +38,9 @@ x2goserver (4.1.0.0-0~x2go1) UNRELEASED; urgency=low script is called without session as first argument and $X2GO_SESSION not set. (Fixes: #82). * Make x2goruncommand aware of the Cinnamon desktop shell. (Fixes: #117). + * Security fix for setgid wrapper libx2go-server-db-sqlite3-wrapper.c. Hard- + code path to libx2go-server-db-sqlite3-wrapper.pl during build via + defining a macro in the Makefile. [ Otto Kjell ] * New upstream version (4.1.0.0): diff --git a/debian/rules b/debian/rules index 43139c0..b671ca3 100755 (executable) --- a/debian/rules +++ b/debian/rules @@ -1,10 +1,10 @@ #!/usr/bin/make -f %: - dh $@ + PREFIX=/usr dh $@ override_dh_auto_build: - PERL_INSTALLDIRS=vendor dh_auto_build + PREFIX=/usr PERL_INSTALLDIRS=vendor dh_auto_build override_dh_auto_install: $(MAKE) -f Makefile build-arch diff --git a/libx2go-server-db-perl/Makefile b/libx2go-server-db-perl/Makefile index 67767b8..459e485 100755 (executable) --- a/libx2go-server-db-perl/Makefile +++ b/libx2go-server-db-perl/Makefile 
@@ -39,7 +39,8 @@ all: clean build build: build-arch build-indep build-arch: - $(CC) $(CFLAGS) $(LDFLAGS) -o lib/libx2go-server-db-sqlite3-wrapper src/libx2go-server-db-sqlite3-wrapper.c + echo $(PREFIX) + $(CC) $(CFLAGS) $(LDFLAGS) -DTRUSTED_BINARY=\"$(DESTDIR)$(LIBDIR)/libx2go-server-db-sqlite3-wrapper.pl\" -o lib/libx2go-server-db-sqlite3-wrapper src/libx2go-server-db-sqlite3-wrapper.c build-indep: diff --git a/libx2go-server-db-perl/src/libx2go-server-db-sqlite3-wrapper.c b/libx2go-server-db-perl/src/libx2go-server-db-sqlite3-wrapper.c index fcff47e..093abfd 100644 (file) --- a/libx2go-server-db-perl/src/libx2go-server-db-sqlite3-wrapper.c +++ b/libx2go-server-db-perl/src/libx2go-server-db-sqlite3-wrapper.c 
@@ -28,51 +28,11 @@ #include <errno.h> int main( int argc, char *argv[] ) { - char * x2gosqlitewrapper = NULL; - size_t path_max; - -/* - The following snippet is taken from the realpath manpage -*/ -#ifdef PATH_MAX - path_max = PATH_MAX; -#else - path_max = pathconf (".", _PC_PATH_MAX); - if (path_max <= 0){ - path_max = 4096; - } -#endif - { - // allocate dynamic buffer in stack: this needs C99 or gnu?? - char buffer[path_max]; - ssize_t rvrl; - int rvap; - - // resolve link of /proc/self/exe to find out where we are - rvrl = readlink("/proc/self/exe", buffer, path_max); - if(rvrl == -1){ - perror("readlink(\"/proc/self/exe\",buffer,path_max)"); - exit(EXIT_FAILURE); - } - if(rvrl >= path_max){ - fprintf(stderr, "Could not resolve the path of this file using \"/proc/self/exe\". The path is too long (> %i)", path_max); - exit(EXIT_FAILURE); - } - - // derive the full path of libx2go-server-db-sqlite3-wrapper.pl from path of this binary - rvap = asprintf(&x2gosqlitewrapper, "%s/%s", dirname(buffer), "libx2go-server-db-sqlite3-wrapper.pl"); - if(rvap == -1){ - fprintf(stderr, "Failed to allocate memory calling asprintf\n"); - exit(EXIT_FAILURE); - } - - // execute the script, running with user-rights of this binary - execv(x2gosqlitewrapper, argv); - } + char x2gosqlitewrapper[] = TRUSTED_BINARY; - // ...fail - fprintf(stderr, "Failed to execute %s: %s\n", x2gosqlitewrapper, strerror(errno)); - return EXIT_FAILURE; + argv[0] = "libx2go-server-db-sqlite3-wrapper.pl"; + // execute the script, running with user-rights of this binary + execv(x2gosqlitewrapper, argv); }
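Review bot: In the build-arch rule of libx2go-server-db-perl/Makefile, the -DTRUSTED_BINARY value is built from $(DESTDIR)$(LIBDIR), so any DESTDIR set at build time is compiled into the setgid wrapper. DESTDIR is by convention a staging prefix used while packaging, not part of the runtime path; a staged build would hardcode a location under the staging directory, which at runtime either does not exist or is not the protected install directory. Suggest defining the macro from $(LIBDIR) alone. The added `echo $(PREFIX)` line looks like leftover debugging output and can be dropped.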
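Review bot: In main() of libx2go-server-db-sqlite3-wrapper.c, the error path after execv() is removed together with the path-derivation code, so a failed execv() now falls off the end of main() without a diagnostic or an explicit non-zero return. Keep the previous `fprintf(stderr, "Failed to execute %s: %s\n", x2gosqlitewrapper, strerror(errno));` and `return EXIT_FAILURE;` after the call. Since this binary is setgid and execv() hands the caller's environment to the script unchanged, it is also worth considering execve() with a minimal, fixed environment.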

References:

http://code.x2go.org/gitweb?p=x2goserver.git;a=commit;h=42264c88d7885474ebe3763b2991681ddfcfa69a
https://lists.berlios.de/pipermail/x2go-announcement/2013-May/000125.html

