1) About Xpra
Xpra is known as "screen for X11".
https://xpra.org/
"Xpra forwards and synchronizes many extra desktop features, which allows remote applications to integrate transparently into the client's desktop environment: audio input and output, printers, clipboard, system trays, notifications, webcams, etc."

2) Vulnerability
Using the server's "control" subsystem, a client can enable sensitive debug logging, i.e. the "network", "crypto", "keyboard" or "auth" categories.
Newer versions even include a GUI for doing so more easily:
https://github.com/Xpra-org/xpra/issues/4666

Then, using the "file-transfer" module, the server's log file can be retrieved. Alternatively, the "clipboard" subsystem could also be used to transfer this log data to the client if it can somehow be copied to the clipboard (i.e. using xclip). Even the most basic window forwarding could be used to transfer the data in pixel form, either eyeballing it or OCRing it on the client side.

Although the user would usually first need to authenticate to access the session, there are many use-cases where the log data may still expose sensitive information:
* system configuration, paths, etc
* multi-client setups could leak other users' credentials, or record all keyboard events (effectively a keylogger)
* proxied sessions could leak the proxy server's connection details and credentials
* server encryption keys
etc

3) Affected versions
All versions prior to 6.3.3 stable and 5.1.2 LTS.
EPEL, Fedora, Debian and Ubuntu are all shipping vulnerable versions.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
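
Added example (not part of the original advisory or of Xpra's code): a triage helper that classifies collected Xpra version strings against the fixed releases named in section 3. The version string shapes, the host names in the sample inventory, and the reading that 5.x releases from 5.1.2 upward carry the LTS fix while everything else below 6.3.3 is affected are assumptions.

```python
import re

# Fixed releases as stated in the advisory.
FIXED_STABLE = (6, 3, 3)   # stable branch
FIXED_LTS = (5, 1, 2)      # LTS branch


def parse_version(raw):
    """Extract (major, minor, patch) from strings such as 'xpra v6.3.2-r0',
    '5.1.1-r0' or a distro package version like '1:3.1-1+b1' (assumed shapes).
    Returns None when no version number can be found."""
    s = re.sub(r"^\s*xpra\s+", "", raw.strip(), flags=re.I)
    s = re.sub(r"^\d+:", "", s)  # drop a Debian-style epoch prefix
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", s)
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def is_affected(raw):
    """True = affected per the advisory, False = fixed, None = unparseable."""
    v = parse_version(raw)
    if v is None:
        return None
    if v[0] >= 6:
        return v < FIXED_STABLE
    # Assumption: 5.x at or above 5.1.2 has the LTS fix; older branches do not.
    return v < FIXED_LTS


def triage(inventory):
    """Map each host to 'AFFECTED', 'fixed' or 'UNKNOWN'."""
    labels = {True: "AFFECTED", False: "fixed", None: "UNKNOWN"}
    return {host: labels[is_affected(ver)] for host, ver in inventory.items()}


# Constructed sample inventory (host names and versions are illustrative).
SAMPLE = {
    "build01": "xpra v6.3.2-r0",
    "build02": "xpra v6.3.3-r0",
    "lts01": "5.1.1-r0",
    "lts02": "5.1.2-r0",
    "legacy01": "1:3.1-1+b1",
    "broken01": "command not found",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host:10} {SAMPLE[host]:20} {status}")
```

Hosts reported as UNKNOWN need a manual check rather than being treated as fixed.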