[2644] in bugtraq


Re: netscape remote control - so what?

daemon@ATHENA.MIT.EDU (martinh@mailhost.emap.co.uk)
Tue May 28 11:33:08 1996

Date:         Tue, 28 May 1996 08:25:22 +0000
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
From: martinh@mailhost.emap.co.uk
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To:  <9605270435.AA16507@java.sg.fp.cibcwg.com>

On Mon, 27 May 1996, Justin Beech wrote:

> I think this discussion is pretty silly it seems just a forum for people
> to vent some kind of weird angst over netscape. (the last post mentioning
> "netscrape" demonstrates this clearly).

OK. The problems I see with this over the usual X attacks are:

        That this allows you to write to the filesystem very nearly
        invisibly.

        That the attack is so easy, most sites have Netscape, and this is a
        complete no-brainer even for people who couldn't compile xkeys,
        etc to save their lives.

        The very high deployment of the software which is both the attack
        and the target.

        Although the WWW server is _not_ intended to be the client the
        attack I mentioned is pretty easy to implement since rather than
        probing for X displays you only need to look for X in the client
        string and have a little poke at port 6000. If it's open you have
        a shell account, if it's not the potential victim has no log of
        your probe. I'd consider this a problem if my site had a lot of X
        displays.

> If anyone is silly enough to run a server xhost + to untrusted machines
> then they deserve all the security problems they get, and shouldn't bore
> people on this list with horror stories of what this allows someone to
> do with one particular software package.

You may be in that position, but there _are_ places with large user bases
that can have trouble sorting this out (e.g. large X Terminal labs for
University students, running from a central server which would be
compromised by any one of these terminals having bad X access, say some
students are playing with X and the server gets compromised? The admins
deserve it?)

> Why not take shots at all the other packages vulnerable to xhost +?

I don't think anyone is "taking shots" (well, except maybe the
"netscrape" poster). This is genuine concern. Open X displays have always
been a problem but it has never been so easy to exploit (one line from
any dumb user on any system running Netscape), and it is unusual for it
to be so easy to write to the filesystem (without prompting).

> Remote control using operating
> system or desktop APIs is very useful for lots and lots of reasons
> and any security issues with this are to be placed at the feet of the
> OS or desktop design, not a software vendor --

IMHO the software vendor should have made this an option which needed to
be explicitly turned on. Mosaic does this with the CCI interface. It's
surely a useful feature, for training, displays, etc. but personally I
feel it has been implemented to be too permissive.

> and I don't see this thread
> raising any new security issues there, so can we drop it please?

Got many X terminals with dumb users on them?

> -Justin.

Regards,

        Martin.


##################################################################
# Martin Hargreaves (martin@datamodl.demon.co.uk)  Computational #
# Director, Datamodel Ltd                                Chemist #
# Contract Unix system admin/Unix security              Sysadmin #
##################################################################
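
For a site with many X terminals, as in the lab scenario discussed in this message, an audit can start from saved `xhost` and `ss -ltn` output. The following is an added example, not part of the original post; the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify saved `xhost` and `ss -ltn` output from lab hosts.

# Reads `xhost` output on stdin. Prints OPEN if access control is disabled,
# HOST <entry> for each host-wide grant, or OK if neither is present.
classify_xhost() {
    awk '
        /^access control disabled/ { open = 1; next }
        # INET/INET6 entries trust every user on the named machine.
        /^(INET|INET6):/           { hosts[++n] = $0; next }
        END {
            if (open) print "OPEN"
            for (i = 1; i <= n; i++) print "HOST " hosts[i]
            if (!open && n == 0) print "OK"
        }'
}

# Reads `ss -ltn` output on stdin. Prints each local address that listens
# on an X11 TCP port (6000 + display number; displays 0-63 checked here).
x_tcp_listeners() {
    awk '$1 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)
        if (port + 0 >= 6000 && port + 0 <= 6063) print $4
    }'
}

# Constructed samples standing in for output collected from lab terminals.
sample_open='access control disabled, clients can connect from any host'
sample_mixed='access control enabled, only authorized clients can connect
INET:lab-server.example
SI:localuser:student'
sample_user='access control enabled, only authorized clients can connect
SI:localuser:student'
sample_ss='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:6000       0.0.0.0:*
LISTEN 0      128    127.0.0.1:22       0.0.0.0:*'

printf '%s\n' "$sample_open"  | classify_xhost
printf '%s\n' "$sample_mixed" | classify_xhost
printf '%s\n' "$sample_user"  | classify_xhost
printf '%s\n' "$sample_ss"    | x_tcp_listeners
```
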
