#205 closed defect (notabug)
winswitch server restarts xpra session and adds --bind-tcp=0.0.0.0:<port> [was security risk..]
Reported by: | Optionator | Owned by: | Antoine Martin |
---|---|---|---|
Priority: | critical | Milestone: | |
Component: | Server | Keywords: | security risk xpra winswitch |
Cc: |
Description
starting an xpra session manually and then remotely connecting to it with the winswitch cleint for Windows results in change of xpra session to use --bind-tcp=0.0.0.0:<port>, which is a "major security risk" (xpra(1)).
Reproduction steps:
In the remote host run
$ ps aux | grep winswitch # no winswitch_server running $ ps aux | grep xpra # no xpra running $ xpra start :666 $ ps aux | grep xpra # see the command line and PID 1000 18905 2.5 0.2 188412 21976 ? S 21:26 0:00 /usr/bin/python /usr/bin/xpra start :666
Now run the Window Switch client for Windows and connect to that remote host using ssh tunneling. It will show an "unknown" session. You won´t even need to resume it via the tray icon, the damage is already done:
On the remote host again:
$ ps aux | grep xpra 1000 19549 0.1 0.2 213020 23404 ? S 21:32 0:00 /usr/bin/python /usr/bin/xpra --bind-tcp=0.0.0.0:15061 --password-file=/home/ocm-admin/.winswitch/server/sessions/666/session.pass --no-daemon --no-pulseaudio --session-name=unknown start :666 --use-display $ ps aux | grep winsw 1000 19479 0.1 0.1 101708 15536 ? Ss 21:31 0:00 /usr/bin/python /usr/bin/winswitch_stdio_socket 1000 19485 0.2 0.0 0 0 ? Z 21:32 0:00 [winswitch_serve] <defunct> 1000 19533 0.2 0.3 323548 29688 ? S 21:32 0:00 /usr/bin/python /usr/bin/winswitch_server --daemon 1000 19549 0.1 0.2 213020 23404 ? S 21:32 0:00 /usr/bin/python /usr/bin/xpra --bind-tcp=0.0.0.0:15061 --password-file=/home/ocm-admin/.winswitch/server/sessions/666/session.pass --no-daemon --no-pulseaudio --session-name=unknown start :666 --use-display $ netstat --inet -nlp 2>/dev/null | grep 19549 tcp 0 0 0.0.0.0:15061 0.0.0.0:* LISTEN 19549/python
So there you are, apparently winswitch_server restarted xpra, see the different PIDs, and now it is listening on all IPs. Found no documentation about this, just stumbled upon it. No obvious way to change it in any config files. Plus this should never be the default behaviour!
For some more info, I am using Debian squeeze/stable and have installed from the official winswitch.org repository.
$ cat /etc/debian_version 6.0.5 $ apt-cache policy winswitch xpra winswitch: Installiert: 0.12.14-1 Kandidat: 0.12.14-1 Versionstabelle: *** 0.12.14-1 0 990 http://winswitch.org/ squeeze/main amd64 Packages 100 /var/lib/dpkg/status xpra: Installiert: 0.3.2-2 Kandidat: 0.3.2-2 Versionstabelle: *** 0.3.2-2 0 990 http://winswitch.org/ squeeze/main amd64 Packages 100 /var/lib/dpkg/status $ winswitch_server --version winswitch version 0.12.14 Release Build Built on winswitch.org by root on the 2012-06-04 SVN revision unknown with unknown local modifications $ xpra --version xpra v0.3.2
I did not change any config files on the remote host.
The windows client version is:
Window Switch 0.12.14
Built on xp-pro by XP_Pro. 2012-06-04 (release build)
(svn revision 4908 with 0 local changes)
if the client version matters at all, this should clearly be changed on the server.
Change History (2)
comment:1 Changed 12 years ago by
Resolution: | → notabug |
---|---|
Status: | new → closed |
Summary: | Security risk enforced by winswitch server - xpra --bind-tcp=0.0.0.0:<port> → winswitch server restarts xpra session and adds --bind-tcp=0.0.0.0:<port> [was security risk..] |
That was not entirely correct (that was written before the
--password-file
option was added..), the man page has been updated (thanks for spotting that): xpra r992This feature was added in r4764, part of this feature request is covered in #172 (ask pmarek for more details)
Since you use ssh, you probably have a firewall, and if you don't then the only risk you run is that someone will DoS the tcp port (iirc 20 concurrent connections limit) - which means you are in a hostile environment and should have a firewall...
If you set
ssh_tunnel=True
in your.winswitch/server/server.conf
, then the sessions should have the tunnel flag set on them and they will only listen onlocalhost
and not0.0.0.0
. If not, then that is a bug.