[15385] in bugtraq


XFree86: xdm flaw; present in kdm

daemon@ATHENA.MIT.EDU (Chris Evans)
Mon Jun 19 19:50:13 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.21.0006192325410.19998-100000@ferret.lmh.ox.ac.uk>
Date: Mon, 19 Jun 2000 23:51:43 +0100
Reply-To: Chris Evans <chris@FERRET.LMH.OX.AC.UK>
From: Chris Evans <chris@FERRET.LMH.OX.AC.UK>
To: BUGTRAQ@SECURITYFOCUS.COM

Hi,

Just a minor one this. Discovered during a 5 minute pass of "xdm". I
subsequently discovered "kdm" has copied the xdm core xdmcp code.

I'm posting this because I think Caldera released an advisory, but a
general discussion of the problem did not yet appear on Bugtraq.

Further audit of kdm/xdm encouraged; there's quite a lot of it offering
listening ports to the open internet...

CREDITS
=======

Thanks to Olaf Kirch for assisting looking into this.


SUMMARY [copied from original discovery mail]
=======

xdmcp.c, send_failed()

[...]
static char buf[256];
[...]
    sprintf (buf, "Session %d failed for display %s: %s",
             (int)sessionID, name, reason);

As far as I can tell, "name" could well be an arbitrary host name...
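The fix for this class of bug is to bound the write. The following is an added example, not code from xdm, kdm, Caldera or this mail: it keeps the same 256-byte buffer and the same format string as send_failed() above, but uses snprintf() so a long display name is truncated instead of overrunning the buffer, and adds a length pre-check a caller could use. The function names, the sessionID/name/reason values and the 399-byte sample name are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define FAILED_BUF_LEN 256   /* same size as the static buf in send_failed() */

/* Bounded version of the formatting step in send_failed(): snprintf()
 * never writes more than buflen bytes and always NUL-terminates.
 * Returns the number of characters stored, or -1 if the message did not
 * fit (the caller then holds a truncated message, not a smashed buffer). */
int format_failed_message(char *buf, size_t buflen, int sessionID,
                          const char *name, const char *reason)
{
    int needed = snprintf(buf, buflen, "Session %d failed for display %s: %s",
                          sessionID, name, reason);
    if (needed < 0)
        return -1;                      /* encoding error */
    if ((size_t)needed >= buflen)
        return -1;                      /* truncated, but still in bounds */
    return needed;
}

/* Pre-check usable before an unbounded formatting call: snprintf() with a
 * NULL target and size 0 only computes the length the message would need.
 * Returns 1 if that length (plus the terminating NUL) exceeds
 * FAILED_BUF_LEN, 0 otherwise. */
int failed_message_would_overflow(int sessionID, const char *name,
                                  const char *reason)
{
    int needed = snprintf(NULL, 0, "Session %d failed for display %s: %s",
                          sessionID, name, reason);
    return needed < 0 || needed >= FAILED_BUF_LEN;
}

/* Constructed sample input (not from the advisory): a display "name" far
 * longer than the buffer, since a remote XDMCP peer controls this field. */
const char *constructed_long_name(void)
{
    static char name[400];
    memset(name, 'a', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    return name;
}

static char message[FAILED_BUF_LEN];

int main(void)
{
    int n;

    n = format_failed_message(message, sizeof message, 7, "host.example",
                              "Unknown error");
    printf("%d: %s\n", n, message);

    n = format_failed_message(message, sizeof message, 7,
                              constructed_long_name(), "Unknown error");
    printf("%d (message truncated to %zu bytes)\n", n, strlen(message));
    printf("would overflow: %d\n",
           failed_message_would_overflow(7, constructed_long_name(),
                                         "Unknown error"));
    return 0;
}
```

With the short name the message is stored whole; with the 399-byte name the call returns -1 and the buffer holds exactly 255 characters plus the NUL, which is the property the original sprintf() lacks.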


COMMENTS
========

Anyone doing a more thorough audit (I literally did 5 mins) should check
the handling of the various files, e.g. Xauth cookie files. GDM had some
problems/race conditions there.

An audit is probably needed; I hear a couple of distributions ship kdm as
default, and also leave it answering UDP xdmcp requests by default(!)

Cheers
Chris
