Re: request CVE id: insecure handling of DISPLAY in rxvt

[Nico Golde <oss-security+ml () ngolde de>]

Hi Tomas,
* Tomas Hoger <thoger () redhat com> [2008-03-05 12:54]:
> On Tue, 4 Mar 2008 22:34:10 +0000 Steve Kemp <steve () steve org uk> wrote:
> >   The idea is that if you typically connect to a host with display
> >  forwarding you'll be used to running rxvt and having the resulting
> >  application display locally.
> >
> >   However if you forget to enable display forwarding then run
> >  RXVT it will connect to :1, rather than complain there is no
> >  DISPLAY set and abort.  That *could* allow a malicious local
> >  server to steal keyboard, & etc.
> >
> >   However I have a hard time seeing this in practise.  It would
> >  mean that locally you couldn't trust root - since it would take
> >  a local root user to setup the fake X11 server on :1..
>
> I don't think you need root privileges to take advantage of this...
>
> Let's assume shared box where users ssh -X and run some X programs,
> e.g. rxvt.  Let's assume unprivileged user can start local X session
> which will be DISPLAY=:0 and do xhost + to allow connections from other
> users to her display (maybe Xvnc can be used instead of local X session
> too).  Now she just have to wait for some other user to ssh without X
> forwarding and start rxvt on her display.

That was the scenario I thought of. Sure this is still not a 
big issue and I doubt this gets "exploited" in practise 
but...

> Yes, many assumptions and ifs, but still silently assuming DISPLAY=:0
> when no DISPLAY is set does not sound like a safe default.

... I also see no reason in supporting a user "mistake" by 
setting it to some default.
Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: _bin
Description: