Bugtraq mailing list archives
XFree86: xdm flaw; present in kdm
From: chris () FERRET LMH OX AC UK (Chris Evans)
Date: Mon, 19 Jun 2000 23:51:43 +0100
Hi,

Just a minor one this. Discovered during a 5 minute pass of "xdm". I subsequently discovered "kdm" has copied the xdm core xdmcp code.

I'm posting this because I think Caldera released an advisory, but a general discussion of the problem did not yet appear on Bugtraq.

Further audit of kdm/xdm encouraged; there's quite a lot of it offering listening ports to the open internet...

CREDITS
=======

Thanks to Olaf Kirch for assisting looking into this.

SUMMARY [copied from original discovery mail]
=======

xdmcp.c, send_failed()

    [...]
    static char buf[256];
    [...]
    sprintf (buf, "Session %d failed for display %s: %s",
             (int)sessionID, name, reason);

As far as I can tell, "name" could well be an arbitrary host name...

COMMENTS
========

Anyone doing a more thorough audit (I literally did 5 mins) should check the handling of the various files, e.g. Xauth cookie files. GDM had some problems/race conditions there.

An audit is probably needed; I hear a couple of distributions ship kdm as default, and also leave it answering UDP xdmcp requests by default(!)

Cheers
Chris
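An added example, not part of the original post and not xdm's or kdm's code: the same format string written through a bounded call that reports truncation, next to a helper that measures how many bytes the unbounded sprintf() would have needed. The function names, the STATUS_BUF_LEN macro and the sample display names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define STATUS_BUF_LEN 256  /* same size as the static buf quoted in the post */

/* Length the message needs, excluding the NUL. This is what the unbounded
 * sprintf() quoted in the post would try to write into buf[256]. */
int failed_msg_needed(int session_id, const char *name, const char *reason)
{
    return snprintf(NULL, 0, "Session %d failed for display %s: %s",
                    session_id, name, reason);
}

/* Bounded variant (hypothetical helper). Returns 0 if the whole message fit,
 * 1 if it was truncated, -1 on bad arguments or a formatting error.
 * out is NUL-terminated on every return except the bad-argument case. */
int format_failed_msg(char *out, size_t out_len, int session_id,
                      const char *name, const char *reason)
{
    int n;

    if (out == NULL || out_len == 0 || name == NULL || reason == NULL)
        return -1;
    n = snprintf(out, out_len, "Session %d failed for display %s: %s",
                 session_id, name, reason);
    if (n < 0) {
        out[0] = '\0';
        return -1;
    }
    return (size_t)n >= out_len ? 1 : 0;
}

int main(void)
{
    char buf[STATUS_BUF_LEN];
    char long_name[600];  /* constructed oversized display name */
    int rc;

    memset(long_name, 'A', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';

    rc = format_failed_msg(buf, sizeof buf, 7, "host.example:0", "refused");
    printf("rc=%d msg=\"%s\"\n", rc, buf);

    rc = format_failed_msg(buf, sizeof buf, 7, long_name, "refused");
    printf("rc=%d needed=%d stored=%zu\n", rc,
           failed_msg_needed(7, long_name, "refused"), strlen(buf));
    return 0;
}
```

A caller should treat return value 1 as a reason to log or reject the request, since the stored message no longer contains the full name.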