Opened 11 years ago

Closed 11 years ago

Last modified 11 years ago

#205 closed defect (notabug)

winswitch server restarts xpra session and adds --bind-tcp=<port> [was security risk..]

Reported by: Optionator Owned by: Antoine Martin
Priority: critical Milestone:
Component: Server Keywords: security risk xpra winswitch


starting an xpra session manually and then remotely connecting to it with the winswitch cleint for Windows results in change of xpra session to use --bind-tcp=<port>, which is a "major security risk" (xpra(1)).

Reproduction steps:

In the remote host run

$ ps aux | grep winswitch # no winswitch_server running
$ ps aux | grep xpra # no xpra running
$ xpra start :666
$ ps aux | grep xpra # see the command line and PID
1000     18905  2.5  0.2 188412 21976 ?        S    21:26   0:00 /usr/bin/python /usr/bin/xpra start :666

Now run the Window Switch client for Windows and connect to that remote host using ssh tunneling. It will show an "unknown" session. You won´t even need to resume it via the tray icon, the damage is already done:

On the remote host again:

$ ps aux | grep xpra
1000     19549  0.1  0.2 213020 23404 ?        S    21:32   0:00 /usr/bin/python /usr/bin/xpra --bind-tcp= --password-file=/home/ocm-admin/.winswitch/server/sessions/666/session.pass --no-daemon --no-pulseaudio --session-name=unknown start :666 --use-display

$ ps aux | grep winsw
1000     19479  0.1  0.1 101708 15536 ?        Ss   21:31   0:00 /usr/bin/python /usr/bin/winswitch_stdio_socket
1000     19485  0.2  0.0      0     0 ?        Z    21:32   0:00 [winswitch_serve] <defunct>
1000     19533  0.2  0.3 323548 29688 ?        S    21:32   0:00 /usr/bin/python /usr/bin/winswitch_server --daemon
1000     19549  0.1  0.2 213020 23404 ?        S    21:32   0:00 /usr/bin/python /usr/bin/xpra --bind-tcp= --password-file=/home/ocm-admin/.winswitch/server/sessions/666/session.pass --no-daemon --no-pulseaudio --session-name=unknown start :666 --use-display

$ netstat --inet -nlp 2>/dev/null | grep 19549
tcp        0      0 *               LISTEN      19549/python

So there you are, apparently winswitch_server restarted xpra, see the different PIDs, and now it is listening on all IPs. Found no documentation about this, just stumbled upon it. No obvious way to change it in any config files. Plus this should never be the default behaviour!

For some more info, I am using Debian squeeze/stable and have installed from the official repository.

$ cat /etc/debian_version
$ apt-cache policy winswitch xpra
  Installiert: 0.12.14-1
  Kandidat:    0.12.14-1
 *** 0.12.14-1 0
        990 squeeze/main amd64 Packages
        100 /var/lib/dpkg/status
  Installiert: 0.3.2-2
  Kandidat:    0.3.2-2
 *** 0.3.2-2 0
        990 squeeze/main amd64 Packages
        100 /var/lib/dpkg/status
$ winswitch_server --version
winswitch version 0.12.14
Release Build
Built on by root on the 2012-06-04
SVN revision unknown with unknown local modifications
$ xpra --version
xpra v0.3.2

I did not change any config files on the remote host.

The windows client version is:
Window Switch 0.12.14
Built on xp-pro by XP_Pro. 2012-06-04 (release build)
(svn revision 4908 with 0 local changes)

if the client version matters at all, this should clearly be changed on the server.

Change History (2)

comment:1 Changed 11 years ago by Antoine Martin

Resolution: notabug
Status: newclosed
Summary: Security risk enforced by winswitch server - xpra --bind-tcp=<port>winswitch server restarts xpra session and adds --bind-tcp=<port> [was security risk..]

"major security risk"

That was not entirely correct (that was written before the --password-file option was added..), the man page has been updated (thanks for spotting that): xpra r992

No obvious way to change it in any config files

$ grep external ~/.winswitch/server/protocols/xpra.conf 
# when we find xpra sessions started externally, restart them so they can be used with winswitch

This feature was added in r4764, part of this feature request is covered in #172 (ask pmarek for more details)

Since you use ssh, you probably have a firewall, and if you don't then the only risk you run is that someone will DoS the tcp port (iirc 20 concurrent connections limit) - which means you are in a hostile environment and should have a firewall...

If you set ssh_tunnel=True in your .winswitch/server/server.conf, then the sessions should have the tunnel flag set on them and they will only listen on localhost and not If not, then that is a bug.

comment:2 Changed 11 years ago by Optionator

Thanks for clearing things up. ;)

Note: See TracTickets for help on using tickets.