Message-ID: <a343ed99-c9f2-49d5-9587-d7a11e2d32b7@nagafix.co.uk>
Date: Wed, 24 Sep 2025 17:05:13 +0700
From: Antoine Martin via Fulldisclosure <fulldisclosure@...lists.org>
To: fulldisclosure@...lists.org
Subject: [FD] xpra server information disclosure

1) About Xpra
Xpra is known as "screen for X11".
https://xpra.org/
"Xpra forwards and synchronizes many extra desktop features, which 
allows remote applications to integrate transparently into the client's 
desktop environment: audio input and output, printers, clipboard, system 
trays, notifications, webcams, etc."

2) Vulnerability
Using the server's "control" subsystem, a client can enable sensitive 
debug logging, i.e. the "network", "crypto", "keyboard" or "auth" categories.
Newer versions even include a GUI for doing so more easily:
https://github.com/Xpra-org/xpra/issues/4666

Then using the "file-transfer" module, the server's log file can be 
retrieved.
Alternatively, the "clipboard" subsystem could also be used to transfer 
this log data to the client if it can somehow be copied to the clipboard 
(i.e. using xclip).
Even the most basic window forwarding could be used to transfer the data 
in pixel form, either eyeballing it or OCRing it on the client side.

Although the user would usually first need to authenticate to access the 
session, there are many use-cases where the log data may still expose 
sensitive information:
* system configuration, paths, etc.
* multi-client setups could leak other users' credentials, or record all 
keyboard events (effectively a keylogger)
* proxied sessions could leak the proxy server's connection details and 
credentials
* server encryption keys
etc.

3) Affected versions
All versions prior to 6.3.3 stable and 5.1.2 LTS.
EPEL, Fedora, Debian, Ubuntu are all shipping vulnerable versions.
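
Added example, not part of the advisory and not xpra project code: a branch-aware check of installed package versions against the two fixed releases named above, since a single "older than 6.3.3" comparison would wrongly flag a patched 5.1.2 LTS host. It assumes 5.x is the LTS series and that later releases keep the fix; the hostnames and package strings are constructed.

```python
import re

# Fixed releases as stated in the advisory: 6.3.3 (stable) and 5.1.2 (LTS).
FIXED_LTS = (5, 1, 2)
FIXED_STABLE = (6, 3, 3)

# Optional Debian-style epoch ("1:"), optional leading "v", dotted numbers.
_VERSION_RE = re.compile(r"^(?:\d+:)?v?(\d+(?:\.\d+)*)")


def parse_version(raw):
    """Return the upstream version as a 3-tuple, or None if unparsable.

    Packaging suffixes ("-1.fc42", "+ds1-1") are ignored and short
    versions are padded, so "6.3" becomes (6, 3, 0).
    """
    m = _VERSION_RE.match(raw.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def classify(raw):
    """Return 'affected', 'fixed' or 'unknown' for one version string."""
    v = parse_version(raw)
    if v is None:
        return "unknown"
    if v[0] == FIXED_LTS[0]:
        # Assumption: 5.x is the LTS series, fixed from 5.1.2 onwards.
        return "fixed" if v >= FIXED_LTS else "affected"
    # Everything else is compared with the stable fix, so 4.x and older
    # count as affected ("all versions prior to").
    return "fixed" if v >= FIXED_STABLE else "affected"


def audit(inventory):
    """Map host -> status for a {host: package version string} inventory."""
    return {host: classify(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory; hostnames and package strings are made up.
    sample = {"build01": "6.3.2-1.fc42", "jump02": "1:5.0.4+ds1-1",
              "lts03": "5.1.2", "desk04": "v6.3.3-r0", "old05": "n/a"}
    for host, status in sorted(audit(sample).items()):
        print(f"{host}: {sample[host]} -> {status}")
```

Hosts reported as "unknown" need a manual check rather than being treated as fixed.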