Re: request CVE id: insecure handling of DISPLAY in rxvt

[Tomas Hoger <thoger () redhat com>]

On Tue, 4 Mar 2008 22:34:10 +0000 Steve Kemp <steve () steve org uk> wrote:

>   The idea is that if you typically connect to a host with display
>  forwarding you'll be used to running rxvt and having the resulting
>  application display locally.
>
>   However if you forget to enable display forwarding then run
>  RXVT it will connect to :1, rather than complain there is no
>  DISPLAY set and abort.  That *could* allow a malicious local
>  server to steal keyboard, & etc.
>
>   However I have a hard time seeing this in practise.  It would
>  mean that locally you couldn't trust root - since it would take
>  a local root user to setup the fake X11 server on :1..

I don't think you need root privileges to take advantage of this...

Let's assume shared box where users ssh -X and run some X programs,
e.g. rxvt.  Let's assume unprivileged user can start local X session
which will be DISPLAY=:0 and do xhost + to allow connections from other
users to her display (maybe Xvnc can be used instead of local X session
too).  Now she just have to wait for some other user to ssh without X
forwarding and start rxvt on her display.

Yes, many assumptions and ifs, but still silently assuming DISPLAY=:0
when no DISPLAY is set does not sound like a safe default.

Just my 2c.

-- 
Tomas Hoger
Red Hat Security Response Team