[11511] in bugtraq
Re: XDM Insecurity revisited
daemon@ATHENA.MIT.EDU (Michael Herrmann)
Wed Aug 25 17:39:33 1999
Message-Id: <19990823103512.A28214@sunsystem6.informatik.tu-muenchen.de>
Date: Mon, 23 Aug 1999 10:35:12 +0200
Reply-To: Michael Herrmann <herrmanm@INFORMATIK.TU-MUENCHEN.DE>
From: Michael Herrmann <herrmanm@INFORMATIK.TU-MUENCHEN.DE>
X-To: Dave Plonka <plonka@DOIT.WISC.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <19990819115549.A19112@doit.wisc.edu>; from Dave Plonka on Thu, Aug 19, 1999 at 11:55:49AM -0500
On Thu, Aug 19, 1999 at 11:55:49AM -0500, Dave Plonka wrote:
> On Wed, Aug 18, 1999 at 12:26:20PM +0200, Jochen Bauer wrote:
> > On Wed, 26 Nov 1997 Eric Augustus (augustus@stic.net) posted a message
> > on BUGTRAQ about the fact that the default Xaccess file allows XDMCP
> > connections from any host. As you know, this can be used to get a
> > login screen on any host and therefore get around access control
> > mechanisms like tcpwrapper and root login restriction to the console.
> >
> > However, this warning seemed to have little effect as (at least)
> > Digital Unix 4.0E, SuSE Linux 6.1 and Red Hat Linux 6.0 are still
> > (1.5 years later) shipped with this default Xaccess file.
> <snip>
> and with CDE on our Solaris 2.6 machines as well. (I haven't checked
> CDE under 2.7 yet.)
To be fair, it should be noted that the CDE dtlogin that ships
with Solaris (at least >= 2.6, I haven't checked earlier versions)
does _not_ suffer from this vulnerability.
While it is true that by default anyone is allowed to log in
remotely, for remote root login dtlogin checks
/etc/default/login, just like /bin/login does. Try it. Dtlogin
will not let you in.
Michael Herrmann
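The two checks the thread turns on, whether a remote host can get a login window at all (Xaccess) and whether root is then confined to the console (/etc/default/login), can be audited offline. The script below is an added example written for this archive page; it is not code from any of the posters or vendors. The Xaccess and /etc/default/login samples are constructed, the host names are hypothetical, and the first-match-wins scan of Xaccess is our reading of xdm(1). The CONSOLE check only means anything for a display manager that honours /etc/default/login, as Herrmann reports Solaris dtlogin does; stock xdm makes no such check.

```python
"""Audit XDMCP access (Xaccess) and remote-root policy (/etc/default/login).

Added example for this thread; all file contents below are constructed.
"""
import fnmatch

# Constructed sample: the permissive stock Xaccess the thread complains about.
DEFAULT_XACCESS = """\
# Xaccess - XDMCP access control
*                         # any host can get a login window
*      CHOOSER BROADCAST  # any indirect host can get a chooser
"""

# Constructed hardened version (hypothetical host names): allow one
# workstation, deny everyone else.  Xaccess is scanned top to bottom and
# the first matching entry wins (assumption, per our reading of xdm(1)).
HARDENED_XACCESS = """\
ws1.example.net           # the only host allowed a login window
!*                        # refuse direct/broadcast queries from all others
"""

# Constructed /etc/default/login fragments: the first restricts root to the
# console device, the second has that line commented out.
SOLARIS_LOGIN_DEFAULT = """\
# If CONSOLE is set, root can only login on that device.
CONSOLE=/dev/console
PASSREQ=YES
"""
SOLARIS_LOGIN_OPEN = """\
#CONSOLE=/dev/console
PASSREQ=YES
"""


def _entries(text):
    """Yield (negated, pattern, keywords) for each rule line in an Xaccess file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comment
        if not line or line.startswith("%"):  # blank line or %macro definition
            continue
        fields = line.split()
        pattern, keywords = fields[0], {k.upper() for k in fields[1:]}
        negated = pattern.startswith("!")
        yield negated, pattern.lstrip("!"), keywords


def xdmcp_direct_allowed(xaccess_text, host):
    """True if HOST may obtain a login window via a direct XDMCP Query.

    Entries carrying the CHOOSER keyword govern Indirect queries only and
    are skipped.  Patterns use xdm's '*' / '?' wildcards (fnmatch semantics).
    A host matching no entry is refused.
    """
    host = host.lower()
    for negated, pattern, keywords in _entries(xaccess_text):
        if "CHOOSER" in keywords:
            continue
        if fnmatch.fnmatchcase(host, pattern.lower()):
            return not negated
    return False


def root_console_only(login_defaults_text):
    """True if an uncommented, non-empty CONSOLE= line confines root to one device."""
    for raw in login_defaults_text.splitlines():
        line = raw.strip()
        if line.startswith("CONSOLE=") and line.split("=", 1)[1].strip():
            return True
    return False


def audit(xaccess_text, login_defaults_text, remote_host):
    """Summarise what REMOTE_HOST can do against a display manager using these files."""
    login_window = xdmcp_direct_allowed(xaccess_text, remote_host)
    # Remote root is only reachable if the host gets a login window AND the
    # display manager honours CONSOLE= (dtlogin does, per the thread; xdm does not).
    remote_root = login_window and not root_console_only(login_defaults_text)
    return {"login_window": login_window, "remote_root_login": remote_root}


if __name__ == "__main__":
    for xa_name, xa in (("default Xaccess", DEFAULT_XACCESS),
                        ("hardened Xaccess", HARDENED_XACCESS)):
        for ld_name, ld in (("CONSOLE set", SOLARIS_LOGIN_DEFAULT),
                            ("CONSOLE unset", SOLARIS_LOGIN_OPEN)):
            print(f"{xa_name:17} {ld_name:14}",
                  audit(xa, ld, "attacker.example.org"))
```

Run against the real files with `open("/etc/X11/xdm/Xaccess").read()` (or the CDE path, `/usr/dt/config/Xaccess`) and `open("/etc/default/login").read()`; a `login_window: True` for an arbitrary remote host reproduces the exposure Bauer describes, and `remote_root_login: True` is the case Herrmann says dtlogin on Solaris avoids.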