Vulnerability Development mailing list archives

Re: Problem with xkill

From: KF <dotslash () snosoft com>
Date: Thu, 04 Apr 2002 04:59:42 -0500

I guess the real question is did your friend indeed type xhost + yourboxor was it already set as xhost + for him due to a bad default entry inan X config file? This has happened in the past ... SGI was real badabout it and I think it was even encouraged at one time for the sharingof graphical apps. Mandrake and SCO have had the same issue recently.


-KF


Ron DuFresne wrote:


But, to get this to work, you first had to take control of the other users
X window display, so the controls must not be strict enough if this
was able to be done.

I think this is what Valdis.Kletnieks was trying to tell you.


Thanks,


Ron DuFresne


On Fri, 22 Mar 2002, anthony gruppuso wrote:

I understand that, we use a very strict host access control list here on
all Xserver based devices/products; I just thought it was interesting
that xkill behaved in that manner.  Initally I was under the impression
that it would function like a graphical kill, but apparently that is not
the case.

Anthony (Joe) Gruppuso

-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu]
Sent: Friday, March 22, 2002 5:09 PM
To: Anthony Gruppuso
Cc: Bugtraq () securityfocus com; vuln-dev () securityfocus com
Subject: Re: Problem with xkill


On Fri, 22 Mar 2002 14:54:03 EST, Anthony Gruppuso said:

I don't know what possesed me to try this, but under Digital UNIX 5.0,
as a normal user, I was able to set my DISPLAY to the IP address of
another user who was running a seperate session, and run xkill.

xkill (like any other X client) uses the standard X access control
scheme.

Most likely, the other user had done an 'xhost +' or 'xhost +yourhost'.

That's why xauth and friends exist, to stop games like this...

--
                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

Current thread:

Problem with xkill Anthony Gruppuso (Mar 22)
- Re: Problem with xkill xm (Mar 22)
- Re: Problem with xkill Valdis . Kletnieks (Mar 22)
- Re: Problem with xkill Michel Arboi (Mar 23)
- <Possible follow-ups>
- RE: Problem with xkill anthony gruppuso (Mar 22)
  - RE: Problem with xkill Ron DuFresne (Mar 22)
    - Re: Problem with xkill KF (Mar 23)
  - RE: Problem with xkill Michel Arboi (Mar 23)
- RE: Problem with xkill Joe Gruppuso (Mar 25)
  - RE: Problem with xkill Ron DuFresne (Mar 25)
    - RE: Problem with xkill Sumit Dhar (Mar 26)