ssh 1.2.26 x11-fwd dos (Re: MicroImages MIX X Server)

From: Dan Frasnelli (dfrasnelat_private)
Date: Wed Oct 06 1999 - 11:23:31 PDT


> > Basically telneting into port 6000 of the server and typing in random
> > gibberish, brings it down.
This method of conducting a simple DoS against unprotected X servers is
already well-known.  Most X servers for Windows default to accepting all
connections to port 6000, making more than the MI/X software vulnerable.
Also, I do not think most PC X servers have cookie support - session
hijacking and snooping may be possible.

On the subject of denial of service attacks, ssh 1.2.26 has a nice one
associated with X11 forwarding.  Data Fellows, Ltd. were informed of this
and a second vulnerability (session confidentiality can be compromised by
a second user on the client machine) last month but did not respond.

Here is a quick overview:
- if $DISPLAY is set on the client machine and the remote server allows
  X11 forwarding (default), sshd will bind to an available port above
  6000 for each subsequent ssh session.
- On Linux, the first port allocated is 6001 (:1.0); on Solaris 2.6, the
  first is 6010 (:10.0).  The second ssh session w/ X11 forwarding will
  bind 6002 under Linux, 6011 under Solaris, etc.  lsof is probably the
  best tool to use if you have access to both the server and client.
- A simple connect() via telnet or a portscanner to the forwarded X server
  from any remote host will kill the ssh session and any forwarded
  clients.
- Versions 1.2.27 and 2.x drop the connection and report the attempt.

I have fully documented this and the second vulnerability mentioned above,
but will give Data Fellows some more time to respond - the commercial
product is vulnerable to the second attack.  If we do not hear back from
them in a few days, the exploit documentation will be sent to this list.

Regards,
Dan
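The listener layout described in the post (port 6000 + display number, bound by sshd on the server for each forwarded session) gives an administrator a concrete audit check: any listener in that range that is bound to a non-loopback address is reachable by the remote connect() the post describes. The script below is an added example, not code from the post or from ssh; it parses constructed `ss -ltn` style output (the column layout is an assumption, and lsof or netstat output could be parsed the same way) and reports X11-range listeners that are not confined to loopback.

```python
from ipaddress import ip_address

# Constructed sample of `ss -ltn` output, not captured from a real host:
# two sshd X11 forwards bound on all interfaces, one on loopback, plus sshd itself.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:6001         0.0.0.0:*
LISTEN  0       128     127.0.0.1:6010       0.0.0.0:*
LISTEN  0       128     [::]:6002            [::]:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
"""

X11_BASE_PORT = 6000
X11_MAX_DISPLAY = 63  # conventional upper bound of the X display number range


def port_to_display(port):
    """Map a TCP port to the X display it serves (6001 -> ':1.0'), else None."""
    n = port - X11_BASE_PORT
    return f":{n}.0" if 1 <= n <= X11_MAX_DISPLAY else None


def split_addr(field):
    """Split 'host:port' or '[v6host]:port' into (host, port), else None."""
    host, _, port = field.rpartition(":")
    if not port.isdigit():
        return None
    return host.strip("[]"), int(port)


def is_exposed(host):
    """True when the bind address accepts connections from other hosts."""
    if host in ("*", "0.0.0.0", "::"):
        return True
    try:
        return not ip_address(host).is_loopback
    except ValueError:
        return True  # unrecognised address form: flag it for manual review


def find_exposed_x11_listeners(ss_output):
    """Return [(display, host, port)] for X11-range listeners reachable remotely."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skip the header line and non-listening sockets
        parsed = split_addr(fields[3])  # "Local Address:Port" column
        if parsed is None:
            continue
        host, port = parsed
        display = port_to_display(port)
        if display and is_exposed(host):
            findings.append((display, host, port))
    return findings


if __name__ == "__main__":
    for display, host, port in find_exposed_x11_listeners(SAMPLE_SS_OUTPUT):
        print(f"exposed X11 forward: display {display} bound on {host}:{port}")
```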
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:06:55 PDT