Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#205 closed defect (notabug)

winswitch server restarts xpra session and adds --bind-tcp=0.0.0.0:<port> [was security risk..]

Reported by: Optionator Owned by: Antoine Martin
Priority: critical Milestone:
Component: Server Keywords: security risk xpra winswitch
Cc:

Description

Starting an xpra session manually and then remotely connecting to it with the winswitch client for Windows results in change of xpra session to use --bind-tcp=0.0.0.0:<port>, which is a "major security risk" (xpra(1)).

Reproduction steps:

In the remote host run

$ ps aux | grep winswitch # no winswitch_server running
$ ps aux | grep xpra # no xpra running
$ xpra start :666
$ ps aux | grep xpra # see the command line and PID
1000     18905  2.5  0.2 188412 21976 ?        S    21:26   0:00 /usr/bin/python /usr/bin/xpra start :666

Now run the Window Switch client for Windows and connect to that remote host using ssh tunneling. It will show an "unknown" session. You won't even need to resume it via the tray icon, the damage is already done:

On the remote host again:

$ ps aux | grep xpra
1000     19549  0.1  0.2 213020 23404 ?        S    21:32   0:00 /usr/bin/python /usr/bin/xpra --bind-tcp=0.0.0.0:15061 --password-file=/home/ocm-admin/.winswitch/server/sessions/666/session.pass --no-daemon --no-pulseaudio --session-name=unknown start :666 --use-display

$ ps aux | grep winsw
1000     19479  0.1  0.1 101708 15536 ?        Ss   21:31   0:00 /usr/bin/python /usr/bin/winswitch_stdio_socket
1000     19485  0.2  0.0      0     0 ?        Z    21:32   0:00 [winswitch_serve] <defunct>
1000     19533  0.2  0.3 323548 29688 ?        S    21:32   0:00 /usr/bin/python /usr/bin/winswitch_server --daemon
1000     19549  0.1  0.2 213020 23404 ?        S    21:32   0:00 /usr/bin/python /usr/bin/xpra --bind-tcp=0.0.0.0:15061 --password-file=/home/ocm-admin/.winswitch/server/sessions/666/session.pass --no-daemon --no-pulseaudio --session-name=unknown start :666 --use-display

$ netstat --inet -nlp 2>/dev/null | grep 19549
tcp        0      0 0.0.0.0:15061           0.0.0.0:*               LISTEN      19549/python

So there you are, apparently winswitch_server restarted xpra, see the different PIDs, and now it is listening on all IPs. Found no documentation about this, just stumbled upon it. No obvious way to change it in any config files. Plus this should never be the default behaviour!

For some more info, I am using Debian squeeze/stable and have installed from the official winswitch.org repository.

$ cat /etc/debian_version
6.0.5
$ apt-cache policy winswitch xpra
winswitch:
  Installiert: 0.12.14-1
  Kandidat:    0.12.14-1
  Versionstabelle:
 *** 0.12.14-1 0
        990 http://winswitch.org/ squeeze/main amd64 Packages
        100 /var/lib/dpkg/status
xpra:
  Installiert: 0.3.2-2
  Kandidat:    0.3.2-2
  Versionstabelle:
 *** 0.3.2-2 0
        990 http://winswitch.org/ squeeze/main amd64 Packages
        100 /var/lib/dpkg/status
$ winswitch_server --version
winswitch version 0.12.14
Release Build
Built on winswitch.org by root on the 2012-06-04
SVN revision unknown with unknown local modifications
$ xpra --version
xpra v0.3.2

I did not change any config files on the remote host.

The windows client version is:
Window Switch 0.12.14
Built on xp-pro by XP_Pro. 2012-06-04 (release build)
(svn revision 4908 with 0 local changes)

If the client version matters at all, this should clearly be changed on the server.

Change History (2)

comment:1 Changed 7 years ago by Antoine Martin

Resolution: notabug
Status: new → closed
Summary: Security risk enforced by winswitch server - xpra --bind-tcp=0.0.0.0:<port> → winswitch server restarts xpra session and adds --bind-tcp=0.0.0.0:<port> [was security risk..]

"major security risk"

That was not entirely correct (that was written before the --password-file option was added..), the man page has been updated (thanks for spotting that): xpra r992


No obvious way to change it in any config files

$ grep external ~/.winswitch/server/protocols/xpra.conf 
# when we find xpra sessions started externally, restart them so they can be used with winswitch
capture_external_sessions=False

This feature was added in r4764, part of this feature request is covered in #172 (ask pmarek for more details)


Since you use ssh, you probably have a firewall, and if you don't then the only risk you run is that someone will DoS the tcp port (iirc 20 concurrent connections limit) - which means you are in a hostile environment and should have a firewall...


If you set ssh_tunnel=True in your .winswitch/server/server.conf, then the sessions should have the tunnel flag set on them and they will only listen on localhost and not 0.0.0.0. If not, then that is a bug.

comment:2 Changed 7 years ago by Optionator

Thanks for clearing things up. ;)
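
The manual ps/netstat check from the description, as an added example (not part of the ticket and not winswitch or xpra code): it parses captured `ps aux` and `netstat --inet -nlp` output and reports xpra processes whose --bind-tcp address is not loopback, noting whether netstat shows that PID listening there. The sample lines are constructed in the ticket's format, and all function names are this example's own.

```python
import ipaddress
import re

# Constructed sample input in the ticket's `ps aux` / `netstat --inet -nlp` format.
PS_SAMPLE = """\
1000 19549 0.1 0.2 213020 23404 ? S 21:32 0:00 /usr/bin/python /usr/bin/xpra --bind-tcp=0.0.0.0:15061 --no-daemon start :666 --use-display
1000 20001 0.1 0.2 213020 23404 ? S 21:40 0:00 /usr/bin/python /usr/bin/xpra --bind-tcp=127.0.0.1:15062 --no-daemon start :667
"""
NETSTAT_SAMPLE = """\
tcp 0 0 0.0.0.0:15061 0.0.0.0:* LISTEN 19549/python
tcp 0 0 127.0.0.1:15062 0.0.0.0:* LISTEN 20001/python
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 812/sshd
"""
BIND_RE = re.compile(r"--bind-tcp=(\S+):(\d+)")

def is_exposed(host):
    """False only for loopback IP binds; anything unparseable counts as exposed."""
    try:
        return not ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return True

def xpra_binds(ps_text):
    """Map PID -> (host, port) for xpra processes started with --bind-tcp."""
    binds = {}
    for line in ps_text.splitlines():
        fields = line.split(None, 10)  # the 11th `ps aux` field is the command line
        if len(fields) == 11 and "xpra" in fields[10] and (m := BIND_RE.search(fields[10])):
            binds[int(fields[1])] = (m.group(1), int(m.group(2)))
    return binds

def listening(netstat_text):
    """Map PID -> set of (local_host, port) for TCP sockets in LISTEN state."""
    socks = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[5] == "LISTEN" and f[6].split("/")[0].isdigit():
            host, _, port = f[3].rpartition(":")
            socks.setdefault(int(f[6].split("/")[0]), set()).add((host, int(port)))
    return socks

def audit(ps_text, netstat_text):
    """Return sorted (pid, host, port, seen_in_netstat) for non-loopback xpra binds."""
    socks = listening(netstat_text)
    return sorted((pid, host, port, (host, port) in socks.get(pid, set()))
                  for pid, (host, port) in xpra_binds(ps_text).items() if is_exposed(host))

if __name__ == "__main__":
    print(audit(PS_SAMPLE, NETSTAT_SAMPLE))
```

An empty result after setting capture_external_sessions=False or ssh_tunnel=True, as described in comment:1, indicates no xpra session is bound beyond localhost.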
