multiple vendors XDM mis-compilation [Was: xdm cookies fast brute force]

["Cyril Diakhate" <diakhate () easynet fr>]

a few explanations about this advisory:

- we haven't contacted x.org or xfree because the XFree folks are _not_
concerned. The problem comes from the "HasXdmAuth" option, and it is the
responsability of the vendor to compile his X release with this option
activated. The best way to contact all vendors aware about security without
forgetting one is to post in this list.

- nowadays, XFree86 logs this attack by default (which apparently was not
the case in 1995)

- we are not sure that the 1995 CERT advisory
(http://packetstorm.securify.com/advisories/mci/iMCISE:MIIGS:XVUL:1102:95:P1
:R1) is about the same problem. That one was about poor /dev/random
randomness, possible files rigths misconfiguration (authorithy files
readable by anyone) and so on. Our advisory is about cookie computation in a
few seconds, _not_ depending of the /dev/random randomness quality.

- the solution is in the advisory (compile xdm with "HasXdmXauth" option
activated)

- exploitation of this bug needs local access, remote exploitation is
possible but far much difficult and we didn't post the remote version.

- some vendors (NetBSD, SuSE...) already have a solution (NetBSD 1.5, SuSE
6.3 and + on i386, ia64, ppc, s390 and sparc...)


--
Nicolas MAWART - NtF - ntf () epita fr
Cyril DIAKHATE - Sky - sky () epita fr