Bug#836586: unknown external IP in xrdp.log after upgrade?!?
Control: forwarded -1 https://github.com/neutrinolabs/xrdp/issues/421

On Wednesday, 7 September 2016 12:11:31 CEST Dominik George wrote:
> Hang on… this is cool:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=145088=yes
> […]

And another one: https://marc.info/?l=freebsd-sparc64=103347393830063=2

Seems to be a popular issue ;)!

-nik

--
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296
Dominik George · Mobil: +49-1520-1981389
Teckids e.V. · FrOSCon e.V. · OpenRheinRuhr e.V.
Fellowship of the FSFE · Piratenpartei Deutschland
Opencaching Deutschland e.V. · Debian Contributor
LPIC-3 Linux Enterprise Professional (Security)
Bug#836586: unknown external IP in xrdp.log after upgrade?!?
Hang on… this is cool:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=145088=yes

    Date: Mon, 29 Apr 2002 20:33:49 -0300
    Package: libsnmp4.2
    Version: 4.2.4-2
    Severity: important

    The new libwrap stuff for agentX simply does not work.

    Apr 29 16:33:22 khazad-dum ucd-snmp[13833]: AgentX connection from 97.114.47.114 REFUSED

    Apparently, it is getting random memory as the IP
    […]

Now, it doesn't appear so random anymore…

Apparently, it is the same type of bug - why it produces the same address, however, is a mystery to me, but maybe it goes out pointing to the same, static memory from libc or something.

Cheers,
Nik
Bug#836586: unknown external IP in xrdp.log after upgrade?!?
Hi,

OK, I can actually reproduce the issue - but only on jessie, not on sid (it's also i386 vs. amd64, maybe).

Reading code and discussing with upstream now.

-nik
Bug#836586: unknown external IP in xrdp.log after upgrade?!?
2016-09-05 11:01 GMT+02:00 Dominik George:
>> Yes, it's connected to the internet, no it's not reachable from
>> outside the LAN (on any port).
>
> Can you please double-check that?

I've a dedicated jessie box on firewall / NAT router duty, no forwarded ports. I can't rule out a hundred percent that it isn't compromised, of course, but everything looks fine.

> Please also grep in your log files and in /etc for this IP address. Does it
> also show up anywhere else?

No. Just in /var/log/xrdp.log (and identically in /var/log/daemon.log).

> I doubt either. The first because what you see is a *client* address
> connecting to xrdp on your host

Strictly speaking, that's not correct. I only ever get *disconnections* from that address.

> the second because the IP address is taken directly
> from the socket structure,

All it takes is one stupid typo.

Looking at xrdp.log and xrdp-sesman.log, there's only ever connections from "0.0.0.0:port"; and disconnections from "0.0.0.0:port", "97.114.47.114:port" and "NULL:NULL". I'd expect my workstation's 192.168.0.0/24 address and 127.0.0.1 to show up; they don't.

> can you actually reproduce the issue?

This is a (commented) tail -f over both logs. It does change a bit for reconnections, but in principle it's always the same.
# try to connect from 192.168.0.35

==> xrdp.log <==
[20160907-11:46:58] [INFO ] A connection received from: 0.0.0.0 port 53773
[20160907-11:46:58] [INFO ] An established connection closed to endpoint: 0.0.0.0:53773 - socket: 11
[20160907-11:46:58] [INFO ] An established connection closed to endpoint: NULL:NULL - socket: 10
[20160907-11:46:58] [CORE ] WARNING: Invalid x.509 certificate path defined, default path will be used: /etc/xrdp/cert.pem
[20160907-11:46:58] [WARN ] Invalid X.509 certificate path defined, default path will be used: /etc/xrdp/key.pem
[20160907-11:46:58] [INFO ] An established connection closed to endpoint: NULL:NULL - socket: 11
[20160907-11:46:58] [INFO ] A connection received from: 0.0.0.0 port 53774
[20160907-11:46:58] [ERROR] Listening socket is in wrong state we terminate listener
[20160907-11:46:58] [INFO ] An established connection closed to endpoint: 0.0.0.0:53774 - socket: 11
[20160907-11:46:58] [INFO ] An established connection closed to endpoint: NULL:NULL - socket: 10
[20160907-11:46:59] [CORE ] WARNING: Invalid x.509 certificate path defined, default path will be used: /etc/xrdp/cert.pem
[20160907-11:46:59] [WARN ] Invalid X.509 certificate path defined, default path will be used: /etc/xrdp/key.pem
[20160907-11:46:59] [DEBUG] xrdp_0f24_wm_login_mode_event_0001
[20160907-11:46:59] [WARN ] local keymap file for 0xac07 found and doesn't match built in keymap, using local keymap file

==> xrdp-sesman.log <==
[20160907-11:47:08] [INFO ] A connection received from: 0.0.0.0 port 58234

==> xrdp.log <==
[20160907-11:47:09] [DEBUG] return value from xrdp_mm_connect 0

==> xrdp-sesman.log <==
[20160907-11:47:09] [INFO ] ++ created session (access granted): username chris, ip 0.0.0.0:53774 - socket: 11
[20160907-11:47:09] [INFO ] starting Xorg session...
[20160907-11:47:09] [INFO ] An established connection closed to endpoint: NULL:NULL - socket: 9
[20160907-11:47:09] [INFO ] An established connection closed to endpoint: NULL:NULL - socket: 9
[20160907-11:47:09] [INFO ] An established connection closed to endpoint: NULL:NULL - socket: 9
[20160907-11:47:09] [INFO ] An established connection closed to endpoint: 0.0.0.0:58234 - socket: 8
[20160907-11:47:09] [INFO ] An established connection closed to endpoint: NULL:NULL - socket: 393221
[20160907-11:47:09] [INFO ] An established connection closed to endpoint: NULL:NULL - socket: 8
[20160907-11:47:09] [INFO ] An established connection closed to endpoint: NULL:NULL - socket: 7
[20160907-11:47:09] [INFO ] Xorg :10 -config xrdp/xorg.conf -noreset -ac -nolisten tcp -retro
[20160907-11:47:09] [INFO ] starting xrdp-sessvc - xpid=3880 - wmpid=3879

==> xrdp.log <==
[20160907-11:47:09] [INFO ] lib_mod_log_peer: xrdp_pid=3876 connected to X11rdp_pid=3880 X11rdp_uid=1000 X11rdp_gid=1000 client_ip= client_port=
[20160907-11:47:09] [DEBUG] xrdp_mm_connect_chansrv: chansrv connect successful
[20160907-11:47:09] [INFO ] An established connection closed to endpoint: 0.0.0.0:3350 - socket: 22
[20160907-11:47:09] [INFO ] The following channel is allowed: rdpdr (0)
[20160907-11:47:09] [INFO ] The following channel is allowed: rdpsnd (1)
[20160907-11:47:09] [INFO ] The following channel is allowed: cliprdr (2)
[20160907-11:47:10] [INFO ] The following channel is allowed: drdynvc (3)
[20160907-11:47:10] [DEBUG] The allow channel list now initialized for this session

# at this point I'm logged in and staring at an empty teal background, but that's a different problem
# close down the session

[20160907-11:48:00] [INFO ] An established connection closed to endpoint: NULL:NULL - socket: 11
[20160907-11:48:00] [DEBUG] xrdp_mm_module_cleanup
[20160907-11:48:00] [INFO
Bug#836586: unknown external IP in xrdp.log after upgrade?!?
Hi,

> > Are you sure this is in fact the one connection you are closing?
>
> I don't see what else it could be, certainly nothing legitimate. The
> only access to the box was me testing xrdp, running a tail -f
> alongside.

OK.

> > Is the system connected to the internet (and reachable from there on the
> > RDP port)?
>
> Yes, it's connected to the internet, no it's not reachable from
> outside the LAN (on any port).

Can you please double-check that?

Please also grep in your log files and in /etc for this IP address. Does it also show up anywhere else?

> > Removing the security tag as I do not see how IP based connections from
> > somewhere to your host could be a security bug in xrdp.
>
> Well, either xrdp is "phoning home" (worrying, but unlikely) or the
> displayed IP address is bogus (parsing error, an off pointer ...) --
> both are potentially security relevant.

I doubt either. The first because what you see is a *client* address connecting to xrdp on your host - so even *if* it were a reaction to some phoning home, it would still involve your system being reachable from the internet, which you deny; the second because the IP address is taken directly from the socket structure, so if there were a bug, it would be in libc and this would not be the only reference to it ;).

If the address shows up nowhere else and you are absolutely positive it cannot be background noise from the internet, then we will have to wait for someone else hitting this bug, or collect more information, e.g. do a tcpdump on your system while it occurs (speaking of that - can you actually reproduce the issue?).

Cheers,
Nik
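The two hypotheses above (a client address read straight out of the socket structure versus a bogus value from a parsing error or off pointer), and the libsnmp report quoted later in this thread that logged "random memory as the IP", come down to one question: what does the logging code do when the address lookup does not succeed? The following is an added example written for this page, not xrdp's code and not part of the bug thread. It shows a defensively written peer-address formatter in C: the address length is initialised before the call, the return value of getpeername() is checked, and only a recognised address family with a sufficient length is rendered; every other case yields the "NULL:NULL" placeholder that xrdp's own log lines use, so a failed lookup can never be mistaken for a real remote endpoint. The function names, the IPv6 branch, and the sample endpoint 192.168.0.35:53773 are my own choices (the reporter's LAN client and one of the ports from the log), not anything the thread specifies.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper (not xrdp code): render a socket address as "ip:port".
 * Only a known family with a length large enough for that family is accepted;
 * anything else produces the "NULL:NULL" placeholder and returns -1. */
static int format_endpoint(const struct sockaddr *sa, socklen_t len,
                           char *out, size_t outlen)
{
    char ip[INET6_ADDRSTRLEN];
    unsigned port = 0;

    if (sa != NULL && len >= sizeof(struct sockaddr_in) && sa->sa_family == AF_INET) {
        struct sockaddr_in in4;
        memcpy(&in4, sa, sizeof in4);          /* copy avoids misaligned access */
        if (inet_ntop(AF_INET, &in4.sin_addr, ip, sizeof ip) == NULL)
            goto unknown;
        port = ntohs(in4.sin_port);
    } else if (sa != NULL && len >= sizeof(struct sockaddr_in6) && sa->sa_family == AF_INET6) {
        struct sockaddr_in6 in6;
        memcpy(&in6, sa, sizeof in6);
        if (inet_ntop(AF_INET6, &in6.sin6_addr, ip, sizeof ip) == NULL)
            goto unknown;
        port = ntohs(in6.sin6_port);
    } else {
        goto unknown;                          /* AF_UNSPEC, unknown family, or truncated */
    }
    snprintf(out, outlen, "%s:%u", ip, port);
    return 0;

unknown:
    snprintf(out, outlen, "NULL:NULL");
    return -1;
}

/* Look up and format the peer of a connected socket. The length is set to the
 * buffer size before the call and the return value is checked: if getpeername()
 * fails (bad or already-closed descriptor) the buffer is left untouched, and
 * formatting it anyway would log whatever the stack happened to hold. */
static int format_peer(int fd, char *out, size_t outlen)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof ss;

    memset(&ss, 0, sizeof ss);                 /* never leave the struct uninitialised */
    if (getpeername(fd, (struct sockaddr *)&ss, &len) != 0)
        return format_endpoint(NULL, 0, out, outlen);
    return format_endpoint((struct sockaddr *)&ss, len, out, outlen);
}

/* Build a constructed IPv4 endpoint and check that it formats as expected. */
static int check_ipv4_format(const char *ip, unsigned port, const char *expect)
{
    struct sockaddr_in in4;
    char buf[64];

    memset(&in4, 0, sizeof in4);
    in4.sin_family = AF_INET;
    in4.sin_port = htons((unsigned short)port);
    if (inet_pton(AF_INET, ip, &in4.sin_addr) != 1)
        return 0;
    if (format_endpoint((struct sockaddr *)&in4, sizeof in4, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, expect) == 0;
}

/* A zeroed structure (family AF_UNSPEC) or a too-short length must be rejected. */
static int check_rejects_garbage(void)
{
    struct sockaddr_storage ss;
    char buf[64];

    memset(&ss, 0, sizeof ss);
    if (format_endpoint((struct sockaddr *)&ss, sizeof ss, buf, sizeof buf) != -1)
        return 0;
    if (strcmp(buf, "NULL:NULL") != 0)
        return 0;
    ss.ss_family = AF_INET;                    /* right family, but length too short */
    return format_endpoint((struct sockaddr *)&ss, 2, buf, sizeof buf) == -1;
}

/* A descriptor that is not a connected socket must also give the placeholder. */
static int check_closed_fd(void)
{
    char buf[64];
    return format_peer(-1, buf, sizeof buf) == -1 && strcmp(buf, "NULL:NULL") == 0;
}

int main(void)
{
    char buf[64];
    struct sockaddr_in in4;

    memset(&in4, 0, sizeof in4);               /* constructed sample: LAN client from the report */
    in4.sin_family = AF_INET;
    in4.sin_port = htons(53773);
    inet_pton(AF_INET, "192.168.0.35", &in4.sin_addr);
    format_endpoint((struct sockaddr *)&in4, sizeof in4, buf, sizeof buf);
    printf("established peer: %s\n", buf);
    format_peer(-1, buf, sizeof buf);
    printf("closed descriptor: %s\n", buf);
    return 0;
}
```

The point of the placeholder path is that a log reader can tell "the lookup failed" apart from "a remote host was connected": a line showing NULL:NULL invites a look at the code path, whereas a line showing a plausible but unrelated public address (as in this report) invites a fruitless search of the network instead.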
Bug#836586: unknown external IP in xrdp.log after upgrade?!?
> Are you sure this is in fact the one connection you are closing?

I don't see what else it could be, certainly nothing legitimate. The only access to the box was me testing xrdp, running a tail -f alongside.

> Is the system connected to the internet (and reachable from there on the RDP
> port)?

Yes, it's connected to the internet, no it's not reachable from outside the LAN (on any port).

> Removing the security tag as I do not see how IP based connections from
> somewhere to your host could be a security bug in xrdp.

Well, either xrdp is "phoning home" (worrying, but unlikely) or the displayed IP address is bogus (parsing error, an off pointer ...) -- both are potentially security relevant.

Cheers,
C.
Bug#836586: unknown external IP in xrdp.log after upgrade?!?
Control: tag -1 + moreinfo
Control: tag -1 - security

Hi,

> [20160904-11:25:17] [INFO ] An established connection closed to
> endpoint: NULL:NULL - socket: 11
> [20160904-11:25:17] [DEBUG] xrdp_mm_module_cleanup
> [20160904-11:25:17] [INFO ] An established connection closed to
> endpoint: 97.114.47.114:12150 - socket: 23
> [20160904-11:25:17] [INFO ] An established connection closed to
> endpoint: 97.114.47.114:12150 - socket: 24
> [20160904-11:25:18] [ERROR] Listening socket is in wrong state we
> terminate listener
>
>
> (That's on closing one of these "blank" sessions.) I'm not in the US
> and all connections to xrdp are strictly LAN-only (192.168.0.0/24)
> anyway, so what's a US address doing in there?

Are you sure this is in fact the one connection you are closing? Couldn't it just be coincidence?

Is the system connected to the internet (and reachable from there on the RDP port)?

Removing the security tag as I do not see how IP based connections from somewhere to your host could be a security bug in xrdp.

Cheers,
Nik
Bug#836586: unknown external IP in xrdp.log after upgrade?!?
Package: xrdp
Version: 0.9.0~20160601+git703fedd-3
Tags: security

Hi,

while trying to debug why xrdp has stopped working here after the upgrade to 0.9 -- login works fine but dumps one in front of an empty solid teal screen instead of the expected MATE session --, I stumbled across the following in xrdp.log:

[20160904-11:25:17] [INFO ] An established connection closed to endpoint: NULL:NULL - socket: 11
[20160904-11:25:17] [DEBUG] xrdp_mm_module_cleanup
[20160904-11:25:17] [INFO ] An established connection closed to endpoint: 97.114.47.114:12150 - socket: 23
[20160904-11:25:17] [INFO ] An established connection closed to endpoint: 97.114.47.114:12150 - socket: 24
[20160904-11:25:18] [ERROR] Listening socket is in wrong state we terminate listener

(That's on closing one of these "blank" sessions.) I'm not in the US and all connections to xrdp are strictly LAN-only (192.168.0.0/24) anyway, so what's a US address doing in there?

Cheers,
Christian

P.S.: Once reportbug is working again, I can do a follow-up with the full template info.