Bugtraq mailing list archives

Re: netscape remote control - so what?


From: martinh () mailhost emap co uk (martinh () mailhost emap co uk)
Date: Tue, 28 May 1996 08:25:22 +0000


On Mon, 27 May 1996, Justin Beech wrote:

> I think this discussion is pretty silly it seems just a forum for people
> to vent some kind of weird angst over netscape. (the last post mentioning
> "netscrape" demonstrates this clearly).

OK. The problems I see with this over the usual X attacks are:

        That this allows you to write to the filesystem very nearly
        invisibly.

        That the attack is so easy, most sites have Netscape, and this is a
        complete no-brainer even for people who couldn't compile xkeys,
        etc to save their lives.

        The very high deployment of the software which is both the attack
        and the target.

        Although the WWW server is _not_ intended to be the client the
        attack I mentioned is pretty easy to implement since rather than
        probing for X displays you only need to look for X in the client
        string and have a little poke at port 6000. If it's open you have
        a shell account, if it's not the potential victim has no log of
        your probe. I'd consider this a problem if my site had a lot of X
        displays.

> If anyone is silly enough to run a server xhost + to untrusted machines
> then they deserve all the security problems they get, and shouldn't bore
> people on this list with horror stories of what this allows someone to
> do with one particular software package.

You may be in that position, but there _are_ places with large user bases
that can have trouble sorting this out (e.g. large X Terminal labs for
University students, running from a central server which would be
compromised by any one of these terminals having bad X access, say some
students are playing with X and the server gets compromised? The admins
deserve it?)

> Why not take shots at all the other packages vulnerable to xhost +?

I don't think anyone is "taking shots" (well, except maybe the
"netscrape" poster). This is genuine concern. Open X displays have always
been a problem but it has never been so easy to exploit (one line from
any dumb user on any system running Netscape), and it is unusual for it
to be so easy to write to the filesystem (without prompting).

> Remote control using operating
> system or desktop APIs is very useful for lots and lots of reasons
> and any security issues with this are to be placed at the feet of the
> OS or desktop design, not a software vendor --

IMHO the software vendor should have made this an option which needed to
be explicitly turned on. Mosaic does this with the CCI interface. It's
surely a useful feature, for training, displays, etc. but personally I
feel it has been implemented to be too permissive.

> and I don't see this thread
> raising any new security issues there, so can we drop it please?

Got many X terminals with dumb users on them?

> -Justin.

Regards,

        Martin.


##################################################################
# Martin Hargreaves (martin () datamodl demon co uk)  Computational #
# Director, Datamodel Ltd                                Chemist #
# Contract Unix system admin/Unix security              Sysadmin #
##################################################################
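For admins of the large X terminal labs mentioned above, an audit sketch that tells whether a display accepts a connection carrying no authorization data, which is what an overly permissive `xhost` setting allows. This is an added example, not part of the original post; the function names and the sample replies are constructed for illustration.

```python
import socket
import struct

# X11 connection setup request carrying no authorization name or data:
# byte order 'l' (little-endian), protocol 11.0, both lengths zero.
SETUP_NO_AUTH = struct.pack("<BxHHHHxx", 0x6C, 11, 0, 0, 0)


def parse_setup_reply(data):
    """Classify a server's reply to SETUP_NO_AUTH as (verdict, detail)."""
    if len(data) < 8:
        return ("unknown", "short reply")
    status, reason_len, major, minor, extra_words = struct.unpack("<BBHHH", data[:8])
    body = data[8:8 + extra_words * 4]
    if status == 1:  # Success: accepted without any authorization data
        return ("open", "protocol %d.%d" % (major, minor))
    if status == 0:  # Failed: access control rejected the connection
        return ("refused", body[:reason_len].decode("latin-1"))
    if status == 2:  # Authenticate: server wants further authentication
        return ("auth-required", body.rstrip(b"\0").decode("latin-1"))
    return ("unknown", "status byte %d" % status)


def check_display(host, display=0, timeout=3.0):
    """Audit one display on a host you administer (TCP port 6000 + display)."""
    reply = b""
    try:
        with socket.create_connection((host, 6000 + display), timeout=timeout) as s:
            s.sendall(SETUP_NO_AUTH)
            while len(reply) < 8:  # read at least the fixed 8-byte header
                chunk = s.recv(4096)
                if not chunk:
                    break
                reply += chunk
    except OSError as exc:
        return ("unreachable", str(exc))
    return parse_setup_reply(reply)


# Constructed sample replies (not captured traffic), so the parser runs offline.
_REASON = b"No protocol specified"
SAMPLE_REFUSED = (struct.pack("<BBHHH", 0, len(_REASON), 11, 0, (len(_REASON) + 3) // 4)
                  + _REASON + b"\0" * (-len(_REASON) % 4))
SAMPLE_OPEN = struct.pack("<BxHHH", 1, 11, 0, 0)  # header only, body omitted

if __name__ == "__main__":
    for name, sample in (("open", SAMPLE_OPEN), ("refused", SAMPLE_REFUSED)):
        print(name, parse_setup_reply(sample))
```

An "open" verdict from the auditing machine means the display's access list admits that machine with no cookie; run the check from a host that should not be trusted by the terminals being audited.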


