Subject: XFree86: xdm flaw; present in kdm
From: Chris Evans (chris FERRET.LMH.OX.AC.UK)
Date: Mon Jun 19 2000 - 17:51:43 CDT
Hi,
Just a minor one this. Discovered during a 5 minute pass of "xdm". I
subsequently discovered "kdm" has copied the xdm core xdmcp code.
I'm posting this because I think Caldera released an advisory, but a
general discussion of the problem did not yet appear on Bugtraq.
Further audit of kdm/xdm encouraged; there's quite a lot of it offering
listening ports to the open internet...
CREDITS
=======
Thanks to Olaf Kirch for assisting looking into this.
SUMMARY [copied from original discovery mail]
=======
xdmcp.c, send_failed()
    [...]
    static char buf[256];
    [...]
    sprintf (buf, "Session %d failed for display %s: %s",
             (int)sessionID, name, reason);
As far as I can tell, "name" could well be an arbitrary host name...
COMMENTS
========
Anyone doing a more thorough audit (I literally did 5 mins) should check
the handling of the various files, e.g. Xauth cookie files. GDM had some
problems/race conditions there.
An audit is probably needed; I hear a couple of distributions ship kdm as
default, and also leave it answering UDP xdmcp requests by default(!)
Cheers
Chris
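
The status formatting quoted in the message above, rewritten with a length bound, as an added example that is not part of the original post or of the xdm/kdm source. The function name `format_failed_status`, the `STATUS_BUF_LEN` macro and the sample inputs are assumptions made for illustration; only the format string and the 256-byte buffer size come from the post.

```c
#include <stdio.h>
#include <string.h>

#define STATUS_BUF_LEN 256  /* same size as the static buffer in the post */

/* Hypothetical helper: builds the "Session ... failed" status string
 * into a caller-supplied buffer without ever writing past buflen.
 * Returns 0 when the whole message fit, 1 when it was truncated,
 * -1 on bad arguments or a formatting error. */
int format_failed_status(char *buf, size_t buflen, int session_id,
                         const char *name, const char *reason)
{
    int needed;

    if (buf == NULL || buflen == 0 || name == NULL || reason == NULL)
        return -1;

    /* snprintf writes at most buflen-1 bytes plus the NUL and returns
     * the length the full message would have had. */
    needed = snprintf(buf, buflen, "Session %d failed for display %s: %s",
                      session_id, name, reason);
    if (needed < 0) {
        buf[0] = '\0';
        return -1;
    }
    return (size_t)needed >= buflen ? 1 : 0;
}

int main(void)
{
    char status[STATUS_BUF_LEN];
    char long_name[1024];   /* constructed input: 1023-byte display name */
    int rc;

    memset(long_name, 'A', sizeof(long_name) - 1);
    long_name[sizeof(long_name) - 1] = '\0';

    rc = format_failed_status(status, sizeof(status), 7,
                              "host.example:0", "refused");
    printf("rc=%d len=%zu \"%s\"\n", rc, strlen(status), status);

    rc = format_failed_status(status, sizeof(status), 7, long_name, "refused");
    printf("rc=%d len=%zu (truncated, buffer intact)\n", rc, strlen(status));
    return 0;
}
```

A caller can treat a return value of 1 as a signal to log or reject the request, since a display name long enough to truncate the message is not something a normal XDMCP client sends.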