Bugtraq mailing list archives

Re: Is _your_ Netscape under remote control


From: espel () clipper ens fr (Roger Espel Llima)
Date: Sat, 25 May 1996 02:11:47 +0200


[...]
In short: Netscape can be remote controlled by all users who have access to
someone's X Server.

and if the browsing user has an open X display anyone can then log into
their account. Obviously this would be worse if root was running
Netscape. This could also be used to have an idle netscape visit various
pages of dubious virtue and bookmark them all, then the prankster can
stop by the victim and have a laugh at their expense...

I don't see this as a security problem. If you have access to someone's X
server, that someone's security can easily be compromised. It is possible to
log all keys typed, generate fake keyboard and mouse input, close windows or
just plain quit the X server.

Still, there is a significant gap between sniffing/denial of service and
executing shell commands.  From what I've seen, security-conscious X
clients (such as xterm) have traditionally made sure they ignored
synthetic keyboard events, and didn't provide any kind of shell-capable
remote X interface.

Although un-secured X servers are very much a bad idea, I consider it a
security hole when an X client can be tricked into executing arbitrary
commands via X.

Netscape is a major offender with a documented, easy to use "remote"
interface, but there are others.  GNU Emacs (not XEmacs) will happily
take synthetic (fake) events.

Note that most versions of Netscape are broken in other ways too;
JavaScript code can send email behind your back by filling a hidden form
with action a "mailto:"; and then form.submit()ting it, and several bugs
have been found in Java's bytecode verifier (see the paper at
http://www.cs.princeton.edu/sip/pub/secure96.html).

        -Roger
--
e-mail: roger.espel.llima () ens fr
WWW & PGP key: http://eleves.ens.fr:8080/home/espel/index.html
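
Added example, not part of the original message or of any X client's source: a minimal C filter showing how a client can ignore synthetic keyboard and pointer events as described above. It relies on the X11 protocol rule that the server sets the high bit of the event code for events generated by SendEvent (Xlib exposes the same bit as the `send_event` field); the function names and the sample buffer are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define X_EVENT_SIZE 32   /* every core X11 event is 32 bytes on the wire */
#define X_SYNTHETIC  0x80 /* code-byte bit set by the server for SendEvent */

/* Core input event codes from the X11 protocol. */
enum { KEY_PRESS = 2, KEY_RELEASE, BUTTON_PRESS, BUTTON_RELEASE, MOTION_NOTIFY };

/* 1 = act on the event, 0 = drop it (synthetic keyboard/pointer input). */
int accept_event(const uint8_t *ev)
{
    uint8_t code = ev[0] & 0x7f;
    int synthetic = (ev[0] & X_SYNTHETIC) != 0;
    int is_input = code >= KEY_PRESS && code <= MOTION_NOTIFY;
    return !(synthetic && is_input);
}

/* Compact accepted events to the front of buf; a partial trailing event is
 * ignored. Returns the number kept and stores the number dropped. */
size_t filter_events(uint8_t *buf, size_t len, size_t *dropped)
{
    size_t kept = 0, n = len / X_EVENT_SIZE;
    *dropped = 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t *ev = buf + i * X_EVENT_SIZE;
        if (!accept_event(ev)) { (*dropped)++; continue; }
        if (kept != i)
            memmove(buf + kept * X_EVENT_SIZE, ev, X_EVENT_SIZE);
        kept++;
    }
    return kept;
}

int main(void)
{
    /* Constructed sample: only the code byte of each event is filled in. */
    uint8_t buf[4 * X_EVENT_SIZE] = {0};
    size_t dropped;
    buf[0 * X_EVENT_SIZE] = 0x02; /* KeyPress from the real keyboard */
    buf[1 * X_EVENT_SIZE] = 0x82; /* KeyPress injected with SendEvent */
    buf[2 * X_EVENT_SIZE] = 0xA1; /* ClientMessage (33) via SendEvent: allowed */
    buf[3 * X_EVENT_SIZE] = 0x84; /* ButtonPress injected with SendEvent */
    size_t kept = filter_events(buf, sizeof buf, &dropped);
    printf("kept %zu, dropped %zu\n", kept, dropped);
    return 0;
}
```

Non-input synthetic events such as ClientMessage are kept because window managers legitimately deliver them with SendEvent; a client that maps such messages to commands still has to validate their contents.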


