
[Bug] Apps don't launch, only desktop

Open BOFH2k opened this issue 2 months ago • 40 comments

What version of WinBoat are you running?

0.8.5

Your Environment

Ubuntu 24.04.3 Gnome 46 (Wayland) freerdp3-x11 3.5.1+dfsg1-0ubuntu1.1

Steps to Reproduce / Context

Using the desktops works fine in a FreeRDP window, as well as noVNC Browser display. No app window opens from the WinBoat menu.

Logs

install.log winboat.log

Expected Behavior

Explorer window opens

Current Behavior

Nothing happens

Possible Solution

No response

Quality Notice

  • [x] I have checked the issue tracker and verified that this bug is a unique case.

BOFH2k avatar Oct 04 '25 18:10 BOFH2k

Same here, Manjaro 6.16 Wayland

mystralfire avatar Oct 05 '25 10:10 mystralfire

Same on Fedora 42 with wayland

HWE70 avatar Oct 05 '25 16:10 HWE70

I had the same problem. After installing freerdp3-shadow-x11, it works.

Kubuntu 25.04

lala-rob avatar Oct 06 '25 09:10 lala-rob

Same on Linux Mint 21.3 Cinnamon. freerdp3-shadow-x11 does not seem to be available for this distro.

enrico3 avatar Oct 06 '25 20:10 enrico3

Same here Arch linux Gnome Wayland

gfrcr avatar Oct 08 '25 21:10 gfrcr

Same, Ubuntu 25.10 (and also happened on 25.04). Gnome, Wayland.

freerdp3-shadow-x11 did not fix it for me.

thomascallahan avatar Oct 10 '25 21:10 thomascallahan

Same, Ubuntu 25.10 (and also happened on 25.04). Gnome, Wayland.

freerdp3-shadow-x11 did not fix it for me.

ichabot avatar Oct 11 '25 11:10 ichabot

Same in Nobara

Arkiras avatar Oct 11 '25 23:10 Arkiras

Fedora 42, had the same problem. Fixed it by uninstalling the freerdp version installed by dnf (dnf remove freerdp) and installing freerdp as explained in the documentation. https://github.com/FreeRDP/FreeRDP/wiki/PreBuilds

kxmpxtxnt avatar Oct 12 '25 17:10 kxmpxtxnt

I was able to get Command Prompt to open once by removing the Flatpak version I had installed way back using the instructions on @kxmpxtxnt's link above, and instead installing with sudo apt install freerdp3-x11 (not the shadow version). But now it's back to not working again -- not Command Prompt, not any other app, just the desktop. I thought I had it fixed for a minute there.

thomascallahan avatar Oct 12 '25 20:10 thomascallahan

AHA. It works if I have not logged in to Windows (i.e. by opening the Browser Display). If I'm logged in there, nothing will open outside of that display. If I sign out, then I can open apps. I can have the browser display open and apps will open, I just can't be logged in.

thomascallahan avatar Oct 12 '25 20:10 thomascallahan

> AHA. It works if I have not logged in to Windows (i.e. by opening the Browser Display). If I'm logged in there, nothing will open outside of that display. If I sign out, then I can open apps. I can have the browser display open and apps will open, I just can't be logged in.

This is because the current user is only logged out after a confirmation before opening an app on Linux. However, this confirmation request doesn't appear when you simply open an app.

You'll see this confirmation request once you use some RDP client and connect to the currently running instance.

kxmpxtxnt avatar Oct 13 '25 20:10 kxmpxtxnt

Fedora 42, wayland. I can confirm that the solution provided by @kxmpxtxnt works!

I uninstalled freerdp with dnf and installed it with Flatpak

flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
flatpak install com.freerdp.FreeRDP

and it started to work

guilletrejo avatar Oct 14 '25 21:10 guilletrejo

DO NOT INSTALL FROM THIS PPA

I tried installing FreeRDP from the official binaries, suggested by Winboat, and it did not work. I tried compiling it from source and it did not work. I installed FreeRDP from the PPA suggested above and got infected by ransomware.

ageless-kept-cocoa avatar Nov 05 '25 18:11 ageless-kept-cocoa

Do not install! Infected with RANSOMWARE!!!

Gryzak avatar Nov 05 '25 19:11 Gryzak

https://tria.ge/251105-yldzlsskex/behavioral1 maybe i am stupid but nothing happened? i will look and search further

EDIT

there is NO proof of ransomware in the file. at least what i know of it. not in the deb packages. running in a vm (spoofed), and a whole bunch of malware sandboxes = nothing. also, deb packages do not contain strange triggers.

let's not make assumptions here. chances are there was something else on the system that was the cause?

EDIT 2

there was no malware in the ppa. what has happened is that winboat has complete access to your home drive. and the user ran something with winboat that encrypted his home drive. end of story.

Thus

the ppa is not infected with ransomware

please stop accusing with no proof at all. do your due research pls.

EDIT 3

hello youtube: https://youtu.be/5O5w0LIargQ?t=330 (mentioned in yt video)

aamaanaa avatar Nov 05 '25 20:11 aamaanaa

guys malware be careful https://www.reddit.com/r/linux4noobs/comments/1op33pa/ransomware_help/

thegoodduck avatar Nov 05 '25 23:11 thegoodduck

but where is the ppa

thegoodduck avatar Nov 05 '25 23:11 thegoodduck

> but where is the ppa

there is no proof the ransomware is in the ppa as per research by some people

let's not make assumptions here guys

i would delete the ppa too if i got accused of malware

aamaanaa avatar Nov 05 '25 23:11 aamaanaa

There doesn't seem to be any reason to believe this is malware

From

Download (HTTP): https://github.com/freerdp/freerdp/archive/3.17.2/FreeRDP-3.17.2.tar.gz

$ sha256sum /tmp/FreeRDP-3.17.2.tar.gz
04a2e8049602e7aba767880990959facf2ebf7b5fbeeb5120e81838d8c2d2f17  /tmp/FreeRDP-3.17.2.tar.gz

which matches what the https://launchpadlibrarian.net/825920925/freerdp3_3.17.2-1ppa13~focal1.dsc mentions

Checksums-Sha256:
 04a2e8049602e7aba767880990959facf2ebf7b5fbeeb5120e81838d8c2d2f17 10552508 freerdp3_3.17.2.orig.tar.gz
 7e199c2c89ebef0b2cc5bfe543af5e9cf0c64bdef1e89eeeee2d632dbb1ec6aa 3688 freerdp3_3.17.2-1ppa13~focal1.debian.tar.xz

About freerdp3_3.17.2-1ppa13~focal1.debian.tar.xz

$ tar xvf freerdp3_3.17.2-1ppa13~focal1.debian.tar.xz
debian/
debian/changelog
debian/compat
debian/control
debian/copyright
debian/freerdp3-dev.install
debian/freerdp3-x11.install
debian/libfreerdp-client3-3.install
debian/libfreerdp-server3-3.install
debian/libfreerdp-shadow3-3.install
debian/libfreerdp3-3.install
debian/librdtk0-0.install
debian/libuwac0-0.install
debian/libwinpr3-3.install
debian/not-installed
debian/rules
debian/source/
debian/source/format

It contains no binaries - *.install files are directives for which file is copied where

sudhackar avatar Nov 06 '25 09:11 sudhackar
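
The check described in the comment above, as an added example that is not part of the original thread: it parses the `Checksums-Sha256` field of a `.dsc` and compares each listed file's size and SHA-256 with local copies. The two entries in `DSC_EXCERPT` are the ones quoted in the comment; the function names are this example's own.

```python
import hashlib
import os
import re

# The two Checksums-Sha256 entries quoted in the comment above.
DSC_EXCERPT = """\
Checksums-Sha256:
 04a2e8049602e7aba767880990959facf2ebf7b5fbeeb5120e81838d8c2d2f17 10552508 freerdp3_3.17.2.orig.tar.gz
 7e199c2c89ebef0b2cc5bfe543af5e9cf0c64bdef1e89eeeee2d632dbb1ec6aa 3688 freerdp3_3.17.2-1ppa13~focal1.debian.tar.xz
"""
# A continuation line of the field: leading whitespace, digest, size, filename.
ENTRY = re.compile(r"^[ \t]+([0-9a-f]{64})[ \t]+(\d+)[ \t]+(\S+)$")

def parse_sha256_field(dsc_text):
    """Return {filename: (sha256_hex, size)} from the Checksums-Sha256 field."""
    entries, in_field = {}, False
    for line in dsc_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
        elif in_field:
            m = ENTRY.match(line)
            if not m:  # first line that is not an entry ends the field
                break
            entries[m.group(3)] = (m.group(1), int(m.group(2)))
    return entries

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def check(path, digest, size):
    if not os.path.isfile(path):
        return "missing"
    if os.path.getsize(path) != size:
        return "size-mismatch"
    return "ok" if sha256_file(path) == digest else "hash-mismatch"

def verify(dsc_text, directory):
    """Map every listed file to its status; basename() keeps lookups inside directory."""
    return {name: check(os.path.join(directory, os.path.basename(name)), d, s)
            for name, (d, s) in parse_sha256_field(dsc_text).items()}

if __name__ == "__main__":
    for name, status in verify(DSC_EXCERPT, ".").items():
        print(f"{status:14} {name}")
```

A `.dsc` describes the source package only, so an "ok" here covers the upstream tarball and the packaging archive, not the binary `.deb` files built from them.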

The ransomware clearly still came from somewhere, so it's still worth investigating, even if this isn't the right place.

IdfbAn avatar Nov 06 '25 09:11 IdfbAn

To better help with the investigations, here is a timeline.

  • Wednesday (10/29) to Monday (11/3): I didn’t use my PC during this period due to power outages.

  • Monday: Once power was restored, I decided to install WinBoat.

    • I first installed the latest version (v0.8.7), but when I tried to run it, the program couldn’t detect FreeRDP.
    • Following WinBoat’s official installation instructions, I installed the FreeRDP nightly builds, but WinBoat still didn’t detect them.
    • I also tried the Flatpak version of FreeRDP, but it wasn’t detected either.
    • To solve this, I decided to compile FreeRDP from source (following these instructions), and that version was finally detected by WinBoat.
    • However, after installing windows on it, when I tried to open a desktop or other app, the window showed only a black screen and closed almost instantly.
    • After checking the project’s issues, I found that other users recommended using WinBoat v0.7.12 instead of the latest version.
    • I uninstalled the 0.8.7 version and installed the 0.7.12 version. I kept using the FreeRDP version compiled from source, but the issue with the black screen persisted.
    • Later, I found 3 issues mentioning the prebuilt version on the custom PPA, so I installed that one. WinBoat was then able to detect FreeRDP properly, just like building it from source.
    • I left the PC powered on, with WinBoat installing Windows, and left the lab for the day.
  • Tuesday: I did not use the computer at all.

  • Wednesday: When I arrived at the lab, the PC was already infected by ransomware.


Additional Notes

  • The ransomware infection occurred sometime between Monday afternoon and Wednesday morning, while the PC was left powered on during WinBoat's Windows installation process.
  • No unusual behavior or alerts were noticed on Monday before leaving the system unattended.
  • The infection did not appear immediately after compiling or running WinBoat or FreeRDP, so the exact entry point remains unclear.
  • I did not install anything unrelated to winboat and its requirements. The last install of anything unrelated to winboat was made more than 2 weeks ago.

ageless-kept-cocoa avatar Nov 06 '25 14:11 ageless-kept-cocoa

A virus that came from absolutely nowhere, are we sure this isn't some internet tomfoolery? There's also this.

IdfbAn avatar Nov 06 '25 14:11 IdfbAn

Don't download and install the malware!

notrtdsx avatar Nov 06 '25 15:11 notrtdsx

> To better help with the investigations, here is a timeline.
>
>   • The infection did not appear immediately after compiling or running WinBoat or FreeRDP, so the exact entry point remains unclear.

This helps narrow things down.

I will make an educated guess, the payload was likely not ransomware, but a typical reverse shell, and the operator either manually pushed the ransomware, or it was done automatically through the C2. The former explanation stands more ground as it would explain the delay. But it's also possible the C2 simply delays automatically before sending the ransomware payload to you, so as not to arouse suspicion the infection came from whatever software you happen to have installed.

Now, for the next piece of discussion, I want to understand something: I came from a Reddit post claiming a PPA was serving a ransomware, but from the timeline you provided, you haven't mentioned installing a PPA. So this is a bit confusing, and help clarifying this would be appreciated.

> I first installed the latest version (v0.8.7), but when I tried to run it, the program couldn’t detect FreeRDP.

That means you already had FreeRDP installed on your device prior to this? If so, that rules out FreeRDP.

And assuming your timeline is correct, then the point of entry is likely either from FreeRDP nightly builds, or from Winboat itself.

chadsec1 avatar Nov 06 '25 15:11 chadsec1

> Now, for the next piece of discussion, I want to understand something: I came from a Reddit post claiming a PPA was serving a ransomware, but from the timeline you provided, you haven't mentioned installing a PPA. So this is a bit confusing, and help clarifying this would be appreciated.

> Later, I found 3 issues mentioning the prebuilt version on the custom PPA, so I installed that one. WinBoat was then able to detect FreeRDP properly, just like building it from source.

The poster removed the comment on this issue, but I believe the command to install the PPA is in the Reddit post comments.

> That means you already had FreeRDP installed on your device prior to this? If so, that rules out FreeRDP.

Sorry, I did not have it. I installed Winboat and it said it required FreeRDP version 3.0 at least, so I installed the FreeRDP Nightly builds for Ubuntu suggested by Winboat from this guide. I tried two builds, the latest one and a slightly older one. Can't recall the versions of the builds tho.

ageless-kept-cocoa avatar Nov 06 '25 16:11 ageless-kept-cocoa

Is it possible that Winboat leaves its docker containers open in ip 0.0.0.0 instead of ip 127.0.0.1? My machine's IP is public, and therefore, containers without setting the ip specifically to 127.0.0.1 can be used by anyone with access to my public ip. I know winboat allows you to watch the installation process through a web page (using VNC?). If this is the case, maybe they got access to my machine using the VNC port and manually encrypted my home folder, after windows was successfully installed.

I had instances of forgetting to manually set the docker ports to 127.0.0.1:8000:8000 (for example) and getting account creation requests on the application, as there are constantly bots trying to access my machine.

SSH is not a possibility, as i disabled password authentication and had fail2ban installed and setup.

ageless-kept-cocoa avatar Nov 07 '25 14:11 ageless-kept-cocoa
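
The comment above asks whether container ports were published on 0.0.0.0 instead of 127.0.0.1. As an added example (not WinBoat's code and not part of the original thread), this script parses the Names and Ports columns of `docker ps` and lists every port published on all interfaces; the container names and ports in `SAMPLE` are constructed.

```python
import re
import subprocess

# One published mapping in the Ports column of `docker ps`, for example
# "0.0.0.0:8000->8000/tcp", "[::]:8000->8000/tcp" or ":::8000->8000/tcp".
MAPPING = re.compile(r"^(?P<host>.*):(?P<hport>[\d-]+)->(?P<cport>[\d-]+)/(?P<proto>\w+)$")
WILDCARDS = {"0.0.0.0", "::", "[::]"}  # "listen on every interface"

# Constructed sample in the "{{.Names}}\t{{.Ports}}" format.
SAMPLE = (
    "example-windows\t0.0.0.0:8000->8000/tcp, [::]:8000->8000/tcp, "
    "127.0.0.1:3389->3389/tcp\n"
    "example-db\t5432/tcp\n"
    "example-web\t0.0.0.0:8080-8081->8080-8081/tcp\n"
)

def exposed_bindings(ps_output):
    """Return sorted (container, host_port, proto) for ports published on all interfaces."""
    findings = set()
    for line in ps_output.splitlines():
        name, _, ports = line.partition("\t")
        for item in filter(None, (p.strip() for p in ports.split(","))):
            m = MAPPING.match(item)
            if m is None:  # e.g. "5432/tcp": exposed by the image, not published
                continue
            if m["host"] in WILDCARDS:
                findings.add((name, m["hport"], m["proto"]))
    return sorted(findings)

def live_ps_output():
    """Query the local Docker daemon (requires the docker CLI and permissions)."""
    return subprocess.run(
        ["docker", "ps", "--format", "{{.Names}}\t{{.Ports}}"],
        check=True, capture_output=True, text=True).stdout

if __name__ == "__main__":
    # Swap SAMPLE for live_ps_output() to check a real host.
    for name, port, proto in exposed_bindings(SAMPLE):
        print(f"{name}: host port {port}/{proto} is reachable on all interfaces")
```

A port published as `127.0.0.1:8000:8000`, the form mentioned in the comment, does not appear in the findings.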

> I had instances of forgetting to manually set the docker ports to 127.0.0.1:8000:8000 (for example) and getting account creation requests on the application, as there are constantly bots trying to access my machine.

That very well could be possible. But without any sort of logs to back it up, all we can do is speculate..

I am interested in the PPA link if possible, so I can conduct research on it to confirm for sure if it was it or not.

chadsec1 avatar Nov 08 '25 17:11 chadsec1

The PPA was - https://launchpad.net/~3ddruck/+archive/ubuntu/freerdp3full/+packages

But we (the Launchpad team) have disabled it unless proven otherwise to be safe.

sudhackar avatar Nov 08 '25 19:11 sudhackar

> The PPA was - https://launchpad.net/~3ddruck/+archive/ubuntu/freerdp3full/+packages
>
> But we (the Launchpad team) have disabled it unless proven otherwise to be safe.

Any way I can still get my hands on it?

chadsec1 avatar Nov 08 '25 19:11 chadsec1