[21372] in bugtraq
multiple vendors XDM mis-compilation [Was: xdm cookies fast brute force]
daemon@ATHENA.MIT.EDU (Cyril Diakhate)
Fri Jul 6 13:37:44 2001
Message-ID: <007701c1061f$42874a40$0501a8c0@cd.fr>
From: "Cyril Diakhate" <diakhate@easynet.fr>
To: <bugtraq@securityfocus.com>
Date: Fri, 6 Jul 2001 14:25:30 +0100
A few explanations about this advisory:
- we haven't contacted x.org or XFree86 because the XFree86 folks are _not_
concerned. The problem comes from the "HasXdmAuth" option, and it is the
responsibility of the vendor to compile his X release with this option
activated. The best way to contact all security-aware vendors without
forgetting one is to post to this list.
- nowadays, XFree86 logs this attack by default (which apparently was not
the case in 1995)
- we are not sure that the 1995 CERT advisory
(http://packetstorm.securify.com/advisories/mci/iMCISE:MIIGS:XVUL:1102:95:P1:R1)
is about the same problem. That one was about poor /dev/random
randomness, possible file rights misconfiguration (authority files
readable by anyone) and so on. Our advisory is about cookie computation in a
few seconds, _not_ dependent on the quality of the /dev/random randomness.
- the solution is in the advisory (compile xdm with the "HasXdmAuth" option
activated)
- exploitation of this bug needs local access; remote exploitation is
possible but far more difficult, and we didn't post the remote version.
- some vendors (NetBSD, SuSE...) already have a solution (NetBSD 1.5, SuSE
6.3 and later on i386, ia64, ppc, s390 and sparc...)
--
Nicolas MAWART - NtF - ntf@epita.fr
Cyril DIAKHATE - Sky - sky@epita.fr