From: Antoine Martin via Fulldisclosure <fulldisclosure () seclists org>
Date: Wed, 24 Sep 2025 17:05:13 +0700
1) About Xpra
Xpra is known as "screen for X11".
https://xpra.org/
"Xpra forwards and synchronizes many extra desktop features, which
allows remote applications to integrate transparently into the client's
desktop environment: audio input and output, printers, clipboard, system
trays, notifications, webcams, etc."
2) Vulnerability
Using the server's "control" subsystem, a client can enable sensitive
debug logging, e.g. the "network", "crypto", "keyboard" or "auth" categories.
Newer versions even include a GUI for doing so more easily:
https://github.com/Xpra-org/xpra/issues/4666
Then using the "file-transfer" module, the server's log file can be
retrieved.
Alternatively, the "clipboard" subsystem could also be used to transfer
this log data to the client if it can somehow be copied to the clipboard
(e.g. using xclip).
Even the most basic window forwarding could be used to transfer the data
in pixel form, either eyeballing it or OCRing it on the client side.
Although the user would usually first need to authenticate to access the
session, there are many use-cases where the log data may still expose
sensitive information:
* system configuration, paths, etc.
* multi-client setups could leak other users' credentials, or record all
keyboard events (effectively a keylogger)
* proxied sessions could leak the proxy server's connection details and
credentials
* server encryption keys
* etc.
3) Affected versions
All versions prior to 6.3.3 stable and 5.1.2 LTS.
EPEL, Fedora, Debian, Ubuntu are all shipping vulnerable versions.
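To triage a fleet against the affected-version statement above, the following inventory checker is an added example (not part of the advisory or of Xpra): it treats 5.x as fixed from 5.1.2, 6.x from 6.3.3, anything older than 5 as vulnerable and anything newer than 6 as fixed (the last two are assumptions), and it assumes the "xpra vX.Y.Z" output format of `xpra --version`.

```python
import re

# Fixed releases as stated in the advisory: 6.3.3 (stable) and 5.1.2 (LTS).
# Mapping each major version to its fix is an assumption of this checker.
FIXED = {5: (5, 1, 2), 6: (6, 3, 3)}


def parse_version(text):
    """Extract the first dotted version from a string such as 'xpra v6.2.0'.
    Missing minor/patch components default to 0 (so '6.3' -> (6, 3, 0))."""
    m = re.search(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p or 0) for p in m.groups())


def is_vulnerable(version):
    """Return True if the version is prior to the fix on its branch.

    6.x : fixed at 6.3.3 (stable)
    5.x : fixed at 5.1.2 (LTS)
    < 5 : older than both fixed lines, treated as vulnerable (assumption)
    > 6 : newer than the stable fix, treated as fixed (assumption)
    """
    major = version[0]
    if major in FIXED:
        return version < FIXED[major]
    return major < 5


def check_hosts(inventory):
    """inventory: mapping host -> 'xpra --version'-style output string.
    Returns the hosts still running a vulnerable version, in input order."""
    return [h for h, out in inventory.items() if is_vulnerable(parse_version(out))]


# Constructed sample inventory; host names and versions are made up.
SAMPLE = {
    "build01": "xpra v6.2.0",
    "build02": "xpra v6.3.3",
    "lts-gw": "xpra v5.1.1",
    "legacy": "xpra v4.4.6",
}

if __name__ == "__main__":
    for host in check_hosts(SAMPLE):
        print(host, "needs upgrade")
```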