[5115] in bugtraq
Re: XFREE86 can block reserved ports
daemon@ATHENA.MIT.EDU (Alex Belits)
Wed Aug 6 18:30:24 1997
Date: Wed, 6 Aug 1997 08:35:25 -0700
Reply-To: Alex Belits <abelits@PHOBOS.ILLTEL.DENVER.CO.US>
From: Alex Belits <abelits@PHOBOS.ILLTEL.DENVER.CO.US>
X-To: Willy TARREAU <tarreau@AEMIAIF.LIP6.FR>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199708060814.KAA00775@aemiaif.lip6.fr>
On Wed, 6 Aug 1997, Willy TARREAU wrote:
> Hello, and sorry if it is already known stuff.
>
> XFree86, as any X-server, uses TCP ports 6000 and above to listen to,
> waiting for incoming connections. Any user can choose his display number
> simply by starting "X :0" or "X :2500" or "X :any_display".
> The X server automatically chooses its port by adding the display number to
> 6000. But as the ports are 16-bits coded, port 65536 equals 0, so displays
> 59536 to 65535 generate listening sockets on ports 0 to 5999.
>
> And as the X-server runs suid root, any user can use it to block known ports
> before a daemon starts using it. For example, it would be possible to use
> display 59556 = port 20 to prevent ftp server from transfering data with
> remote systems.
This is one more reason to remove setuid bit from X server. xdm starts
local X server just fine.
> It is even possible to run a server on any port <= 1023
> to disable local rlogin/rsh from the local host.
Considering the level of security provided by checking outgoing port
number, creating trouble for the use of this feature can be considered a
security enhancement ;-)
--
Alex
