Bugtraq mailing list archives

Re: xdm cookies fast brute force


From: Roman Drahtmueller <draht () suse de>
Date: Thu, 5 Jul 2001 17:12:42 +0200 (MEST)


Current versions of xdm are vulnerable to a trivial brute-force attack if
they are compiled with bad options, mainly HasXdmAuth.

Without this option, the cookie is generated from gettimeofday(2).  If you
know the starting time of the xdm login session, computing the cookie
takes just a few seconds.

Necessary conditions for the bug to be exploited:
- access to the X11 socket (TCP or UNIX);
- knowledge of the starting date of the xdm login session;
- no need for big computation power (a Pentium 200MHz should be enough).

Drawbacks of exploiting the bug:
- the victim's X server consumes many system resources;
- many X server configurations make it generate many log entries.

Solutions:
- use good compilation options;
- limit access to the X11 sockets (start the X server with "-nolisten tcp", ...)

The supported SuSE Linux distributions (6.3 and later) for i386, ia64,
ppc, s390 and sparc do have the Wraphelp.c code as well as the HasXdmAuth
option defined and are therefore not vulnerable to the attack.

The AXP Alpha distributions however do _not_ contain the enhanced
authentication scheme. Please see the upcoming SuSE Security
announcements for more information.

As a temporary workaround for the AXP installations in the wild, run the
X server on your AXP machine with the "-nolisten tcp" option. As a
consequence, the X server will only be reachable through the socket in
the /tmp/.X11-unix/ directory, and connections from remote clients to the
X server will fail. If you use X11 forwarding as provided by the ssh
(secure shell) or openssh package, you will still be able to use clients
from a remote machine. For this, change the line in
/usr/X11R6/lib/X11/xdm/Xservers to read

:0 local /usr/X11R6/bin/X :0 vt07 -nolisten tcp

then restart xdm (rcxdm restart). Caution: this will log you out!
Alternatively, you could also filter port 6000 (for DISPLAY :0) on the
machine running the X server using the command

 ipchains -I input -d 0/0 6000 -p tcp -j DENY -l

Be aware that adding the "-nolisten tcp" option to the X server command
line or the above firewall rule does not keep a local shell user on your
system from attacking your X server. In fact, a local attacker will find
it easier to determine the exact time when the session started.

Thanks,
Roman Drahtmüller,
SuSE Security.
-- 
 -                                                                      -
| Roman Drahtmüller      <draht () suse de> //          "Caution: Cape does |
  SuSE GmbH - Security           Phone: //       not enable user to fly."
| Nürnberg, Germany     +49-911-740530 // (Batman Costume warning label) |
 -                                                                      -
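The message above explains why a cookie derived from gettimeofday(2) falls to an online brute force once the attacker knows roughly when the session started. The following is an added example, not code from the thread and not xdm's genauth.c: it models a clock-seeded cookie with a toy 64-bit LCG (chosen for the example; the real xdm generator is different), a hypothetical X server that merely compares cookies and counts authorization attempts, and an attacker who enumerates every microsecond in a +/- 2 second window around a constructed login time. The timestamps, the struct names and the generator are all assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COOKIE_LEN 16
#define USEC_PER_SEC 1000000u

/* Hypothetical X server state for this example: the real cookie plus a
 * counter of authorization attempts (each one is a connection the real
 * server would also spend CPU on and, in many configurations, log). */
typedef struct {
    uint8_t cookie[COOKIE_LEN];
    unsigned long auth_attempts;
} XServer;

/* Toy 64-bit LCG standing in for a libc-style generator. Chosen for the
 * example only; it is NOT the generator xdm uses. */
static uint64_t lcg_step(uint64_t s) {
    return s * 6364136223846793005ULL + 1442695040888963407ULL;
}

/* Model of a clock-seeded cookie: all 16 bytes are a function of one
 * (sec, usec) pair, so the effective entropy is bounded by how well the
 * attacker can guess that pair, not by 128 bits. */
void time_seeded_cookie(uint32_t sec, uint32_t usec, uint8_t out[COOKIE_LEN]) {
    uint64_t s = ((uint64_t)sec << 32) | usec;
    for (int i = 0; i < COOKIE_LEN; i++) {
        s = lcg_step(s);
        out[i] = (uint8_t)(s >> 56);
    }
}

/* The only oracle the attacker has: present a candidate cookie on a
 * connection and see whether the server accepts it. */
int xserver_authenticate(XServer *srv, const uint8_t candidate[COOKIE_LEN]) {
    srv->auth_attempts++;
    return memcmp(srv->cookie, candidate, COOKIE_LEN) == 0;
}

/* Online brute force: the attacker believes the session started within
 * +/- window_sec of guess_sec and tries every microsecond in that range.
 * Returns 1 and fills *found_sec/*found_usec on success, 0 otherwise. */
int brute_force_cookie(XServer *srv, uint32_t guess_sec, unsigned window_sec,
                       uint32_t *found_sec, uint32_t *found_usec) {
    uint8_t cand[COOKIE_LEN];
    for (uint32_t sec = guess_sec - window_sec; sec <= guess_sec + window_sec; sec++) {
        for (uint32_t usec = 0; usec < USEC_PER_SEC; usec++) {
            time_seeded_cookie(sec, usec, cand);
            if (xserver_authenticate(srv, cand)) {
                *found_sec = sec;
                *found_usec = usec;
                return 1;
            }
        }
    }
    return 0;
}

/* Constructed scenario: an xdm session whose cookie was seeded from the
 * given login time. */
XServer start_session_with_weak_cookie(uint32_t sec, uint32_t usec) {
    XServer srv = {{0}, 0};
    time_seeded_cookie(sec, usec, srv.cookie);
    return srv;
}

int main(void) {
    /* constructed login time: 994345962.731337 (early July 2001, UTC) */
    XServer srv = start_session_with_weak_cookie(994345962u, 731337u);
    uint32_t sec = 0, usec = 0;
    /* the attacker read the login time from syslog/last, accurate to ~2 s */
    if (brute_force_cookie(&srv, 994345963u, 2, &sec, &usec))
        printf("recovered seed %u.%06u after %lu connection attempts\n",
               sec, usec, srv.auth_attempts);
    else
        printf("cookie not found in window\n");
    return 0;
}
```

The search here covers 5 million candidate seeds at most and finishes in well under a second on any modern machine, which is the "no need for big computation power" point. Every candidate is a separate authorization attempt against the server, which is exactly why the original post lists resource consumption and a flood of log entries as the visible side effects: on a real X server those attempts are the detection opportunity. A cookie drawn from a real entropy source (/dev/urandom, or the Wraphelp.c-based scheme enabled by HasXdmAuth) has no such narrow window to enumerate, and "-nolisten tcp" or the ipchains rule only shrinks the set of attackers who can reach the oracle; a local user can still try candidates through the UNIX socket.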

