Re: [Qemu-devel] [Spice-devel] Always get Invalid password while trying to connect to spice server

[Christophe Fergeau]

Hey,

On Thu, Jan 03, 2019 at 04:25:00PM -0600, Eric Blake wrote:
> On 12/27/18 8:51 AM, Niccolò Belli wrote:
> > On mercoledì 26 dicembre 2018 13:38:28 CET, Frediano Ziglio wrote:
> >> Yes, this looks like a format string error in the upper (not into
> >> spice) layer.
> >>
> >> This potentially is a security problem.
> > 
> > Considering the spice server is exposed to the internet this is
> > definitely worth investigating.
> > 
> >> The specific '%' character could be the issue, can you try others
> >> ('!', '@' and
> >> so on) ?
> > 
> > I tried several other special characters and they all seems to work,
> > expect for "Password&&" which gets converted to "Password" (if
> > I type "Password" it works).
> 
> Could it be related to this patch where our JSON code mishandles %?
> https://lists.gnu.org/archive/html/qemu-devel/2019-01/msg00108.html

Yes definitely, this is where the patch came from.
Mentioning this spice issue is yet another thing I should have added in the
commit log, but which I only thought about *after* having sent the patch :)

Christophe


signature.asc
Description: PGP signature

Re: [Qemu-devel] [Spice-devel] Always get Invalid password while trying to connect to spice server

[Eric Blake]

On 12/27/18 8:51 AM, Niccolò Belli wrote:
> On mercoledì 26 dicembre 2018 13:38:28 CET, Frediano Ziglio wrote:
>> Yes, this looks like a format string error in the upper (not into
>> spice) layer.
>>
>> This potentially is a security problem.
> 
> Considering the spice server is exposed to the internet this is
> definitely worth investigating.
> 
>> The specific '%' character could be the issue, can you try others
>> ('!', '@' and
>> so on) ?
> 
> I tried several other special characters and they all seems to work,
> expect for "Password&&" which gets converted to "Password" (if
> I type "Password" it works).

Could it be related to this patch where our JSON code mishandles %?
https://lists.gnu.org/archive/html/qemu-devel/2019-01/msg00108.html

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.   +1-919-301-3226
Virtualization:  qemu.org | libvirt.org



signature.asc
Description: OpenPGP digital signature

Re: [Qemu-devel] [Spice-devel] Always get Invalid password while trying to connect to spice server

[Niccolò Belli]

On mercoledì 26 dicembre 2018 13:38:28 CET, Frediano Ziglio wrote:
Yes, this looks like a format string error in the upper (not 
into spice) layer.


This potentially is a security problem.


Considering the spice server is exposed to the internet this is definitely 
worth investigating.


The specific '%' character could be the issue, can you try 
others ('!', '@' and

so on) ?


I tried several other special characters and they all seems to work, expect 
for "Password&&" which gets converted to "Password" (if I type 
"Password" it works).


Niccolo'

Re: [Qemu-devel] [Spice-devel] Always get Invalid password while trying to connect to spice server

[Frediano Ziglio]

> 
> On martedì 25 dicembre 2018 09:04:31 CET, Uri Lublin wrote:
> > Hi,
> 
> Hi and thanks for your answer.
> 
> > It's hard to tell without more details.
> 
> I'll try to provide all the details, let me know if you need anything else.
> 
> > How do you set the password ?
> 
> I set the password using the virt-manager interface: in the "Spice server"
> section I just check the "password" flag and I set a password. It used to
> work. I don't use virt-manager directly from the virtualization server
> because it doesn't have any graphical interface: I connect to it using
> virt-manager from my desktop PC (more details follow).
> 
> > Do you use secure connections ?
> 
> I connect to the remote libvirt server using virt-manager from my desktop.
> The libvirt URI is qemu+ssh://root@ip:22/system so I use ssh to connect.
> 
> > Maybe you turned on a firewall and a rule is missing.
> 
> There is a firewall, but it didn't change. SSH port is open (and I can
> connect to the libvirt server using virt-manager). I also opened a broad
> range of spice ports (5900-5930) and that works too because if I uncheck
> the "password" field it connects to the spice server without any issue.
> 
> I also tried to connect directly to the spice server using virt-viewer
> instead of virt-manager:
> 
> remote-viewer spice://ip:5906
> 
> 5906 is the spice port. I can check which VM gets assigned to which port
> using the virt-manager interface, in the "Spice server" section.
> 
> remote-viewer triggers the same error: wrong password.
> 
> > What is your qemu-kvm command line ?
> 
> LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/bin QEMU_AUDIO_DRV=spice
> /usr/bin/qemu-system-x86_64 -name guest=guild-devel,debug-threads=on -S
> -object
> secret,id=masterKey0,format=raw,file=/var/lib/libvirt/qemu/domain-17-guild-devel/master-key.aes
> -machine pc-q35-3.0,accel=kvm,usb=off,vmport=off,dump-guest-core=off -cpu
> EPYC-IBPB,x2apic=on,tsc-deadline=on,hypervisor=on,tsc_adjust=on,cmp_legacy=on,perfctr_core=on,virt-ssbd=on,monitor=off
> -drive
> file=/usr/share/ovmf/x64/OVMF_CODE.fd,if=pflash,format=raw,unit=0,readonly=on
> -drive
> file=/var/lib/libvirt/qemu/nvram/guild-devel_VARS.fd,if=pflash,format=raw,unit=1
> -m 4096 -realtime mlock=off -smp 16,sockets=16,cores=1,threads=1 -uuid
> fd44b44b-2e22-4d2f-ae19-433934443576 -no-user-config -nodefaults -chardev
> socket,id=charmonitor,fd=32,server,nowait -mon
> chardev=charmonitor,id=monitor,mode=control -rtc base=utc,driftfix=slew
> -global kvm-pit.lost_tick_policy=delay -no-hpet -no-shutdown -global
> ICH9-LPC.disable_s3=1 -global ICH9-LPC.disable_s4=1 -boot strict=on -device
> pcie-root-port,port=0x10,chassis=1,id=pci.1,bus=pcie.0,multifunction=on,addr=0x2
> -device pcie-root-port,port=0x11,chassis=2,id=pci.2,bus=pcie.0,addr=0x2.0x1
> -device pcie-root-port,port=0x12,chassis=3,id=pci.3,bus=pcie.0,addr=0x2.0x2
> -device pcie-root-port,port=0x13,chassis=4,id=pci.4,bus=pcie.0,addr=0x2.0x3
> -device pcie-root-port,port=0x14,chassis=5,id=pci.5,bus=pcie.0,addr=0x2.0x4
> -device pcie-root-port,port=0x15,chassis=6,id=pci.6,bus=pcie.0,addr=0x2.0x5
> -device pcie-root-port,port=0x16,chassis=7,id=pci.7,bus=pcie.0,addr=0x2.0x6
> -device qemu-xhci,p2=15,p3=15,id=usb,bus=pci.2,addr=0x0 -device
> virtio-serial-pci,id=virtio-serial0,bus=pci.3,addr=0x0 -drive
> file=/var/lib/libvirt/images/Fedora-Workstation-Live-x86_64-29-1.2.iso,format=raw,if=none,id=drive-sata0-0-0,media=cdrom,readonly=on
> -device ide-cd,bus=ide.0,drive=drive-sata0-0-0,id=sata0-0-0,bootindex=2
> -drive
> file=/var/lib/libvirt/images/guild-devel/guild-devel.qcow2,format=qcow2,if=none,id=drive-virtio-disk0,cache=writeback,aio=threads
> -device
> virtio-blk-pci,scsi=off,bus=pci.4,addr=0x0,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1,write-cache=on,werror=stop,rerror=stop
> -netdev tap,fd=35,id=hostnet0,vhost=on,vhostfd=36 -device
> virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:b6:70:81,bus=pci.1,addr=0x0
> -chardev pty,id=charserial0 -device
> isa-serial,chardev=charserial0,id=serial0 -chardev
> socket,id=charchannel0,fd=37,server,nowait -device
> virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=org.qemu.guest_agent.0
> -chardev spicevmc,id=charchannel1,name=vdagent -device
> virtserialport,bus=virtio-serial0.0,nr=2,chardev=charchannel1,id=channel1,name=com.redhat.spice.0
> -device usb-tablet,id=input0,bus=usb.0,port=1 -spice
> port=5905,addr=0.0.0.0,seamless-migration=on -k en-us -device
> virtio-vga,id=video0,virgl=on,max_outputs=1,bus=pcie.0,addr=0x1 -device
> ich9-intel-hda,id=sound0,bus=pcie.0,addr=0x1b -device
> hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -chardev
> spicevmc,id=charredir0,name=usbredir -device
> usb-redir,chardev=charredir0,id=redir0,bus=usb.0,port=2 -chardev
> spicevmc,id=charredir1,name=usbredir -device
> usb-redir,chardev=charredir1,id=redir1,bus=usb.0,port=3 -device
> virtio-balloon-pci,id=balloon0,bus=pci.5,addr=0x0 -object
>