Security Advisory

x2gowebrpc Unauthenticated OS Command Injection

By exploiting an argument injection, unauthenticated attackers are able to execute arbitrary OS commands.

Advisory ID: MLSA-2023-001
CVE: None
CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: critical
Affected versions: all versions
Fixed versions: unfixed
Discovered by: Hans-Martin Münch

Product description

The x2gorpc.cgi CGI script connects to the X2Go server using SSH and starts sessions, resumes sessions, starts SSH tunnels and so on in response to requests from the browser. This involves using SSH to run x2golistsessions, run x2gostartagent, start a tunnel using SSH’s -N and -L arguments, run x2goruncommand, and run x2gowswrapper.

Details

When a X2Go session is started, the x2gorpc.cgi script executes a SSH command with user controlled arguments. The command line arguments for the SSH command are defined on top of the script. Within the advanced settings, the HTML client allows users to define a proxy server. If this option is selected, the SSH command is using a ProxyCommand argument, which contains a SSH command itself. Within the ProxyCommand, attackers controlled variables “$proxyuser” and “$proxy” are used:

 1
 2$action = $q->param('action');
 3$user = $q->param('user');
 4$pass = $q->param('pass');
 5$server = $q->param('server');
 6$proxy=$q->param('proxy');
 7$proxyuser=$q->param('proxyuser');
 8$proxypass=$q->param('proxypass');
 9
10my @sshparams;
11
12if($proxy)
13{
14   @sshparams=('-o', 'UserKnownHostsFile=/dev/null', '-o', "ProxyCommand=ssh -W %h:%p -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no  -l $proxyuser $proxy", '-o', 'StrictHostKeyChecking=no',   '-l', "$user", "$server");
15}
16else
17{
18   @sshparams=('-o', 'StrictHostKeyChecking=no', '-o', 'UserKnownHostsFile=/dev/null',  '-l', "$user", "$server");
19}

Note that the user controlled command line arguments for the ProxyCommand are not passed as an array, but concatinated within the command. This makes the command vulnerable to argument injection, allowing to pass additional arguments to the second ssh call. Adversaries can abuse this to add their own “ProxyCommand” argument to the call and execute arbitrary OS commands.

Workarounds

Comment out proxy support within the CGI script.

Coordinated Disclosure Timeline

  • 02/01/2023 Initial contact to the x2go developer mailing list, asking for a security contact
  • 02/01/2023 Auto-Response from the mailing list, saying that my message needs approval
  • 24/01/2023 Response from the mailing list, saying that my message will be holded back until I subscribe to the list
  • 26/01/2023 Contact from the x2go developers asking for vulnerability details
  • 26/01/2023 Response from MOGWAI LABS, sending details, including a Proof of Concept exploit, asking if they will request a CVE
  • 26/01/2023 Response from x2go, saying that this product is still in development, thus no CVE will be requested
  • 26/01/2023 Response from x2go, saying that the developer will have a look and an warning was added to the web client