> Current versions of xdm are sensitive to trivial brute force attack if
> it is compiled with bad options, mainly HasXdmXauth.
>
> Without this option, cookie is generated from gettimeofday(2). If you
> know starting time of xdm login session, computation of the cookie
> just takes a few seconds.
>
> Necessary conditions for the bug to be exploited :
> - have access to X11 socket (TCP or UNIX) ;
> - know starting date of xdm login session;
> - no need for big computation power (pentium 200MHz should be enough).
>
> Drawbacks due to exploitation of the bug :
> - victim's X server consumes much system resource ;
> - many X server configurations let it generate many logs entries.
>
> Solutions :
> - use good compilation options ;
> - limit access to X11 sockets (start X server with "-nolisten tcp"...)

The supported SuSE Linux distributions (6.3 and later) for the i386, ia64, ppc, s390 and sparc distributions do have the Wraphelp.c code as well as the HasXdmAuth option defined and are therefore not vulnerable to the attack. The AXP Alpha distributions however do _not_ contain the enhanced authentication scheme. Please see the upcoming SuSE Security announcements for more information.

As a temporary workaround for the AXP installation in the wild, run the X-server on your AXP machine with the "-nolisten tcp" option. By consequence, the X-server will only be reachable through the socket in the /tmp/.X11-unix/ directory; connections from remote clients to the X-server will fail. If you use X11-forwarding as provided by the ssh (secure shell) or openssh package, you will still be able to use clients from a remote machine. For this, change the line in /usr/X11R6/lib/X11/xdm/Xservers to read

    :0 local /usr/X11R6/bin/X :0 vt07 -nolisten tcp

, then restart xdm (rcxdm restart). Caution: This will log you out!

Alternatively, you could as well filter the port 6000 (for DISPLAY :0) on the machine running the X-server using the command

    ipchains -I input -d 0/0 6000 -p tcp -j DENY -l

Be aware that adding the "-nolisten tcp" option to the X-server commandline or the above firewall rule does not keep a local shell user on your system from attacking your X-server. In fact, a local attacker will find it easier to determine the exact time when the session started.

Thanks,
Roman Drahtmüller,
SuSE Security.

-- 
- -
| Roman Drahtmüller <drahtat_private>      // "Caution: Cape does
| SuSE GmbH - Security        Phone:      //  not enable user to fly."
| Nürnberg, Germany    +49-911-740530     // (Batman Costume warning label)
- -
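A small audit helper for the Xservers workaround described above, added here as an example; it is not part of the original post or of any SuSE tool. It reads an xdm Xservers file and reports every server line that does not carry "-nolisten tcp", so an administrator can confirm the change took effect before restarting xdm. The sample files it creates when run without arguments are constructed for the demonstration; the real path is /usr/X11R6/lib/X11/xdm/Xservers as named in the post.

```shell
#!/bin/sh
# Added example (not from the SuSE advisory): audit an xdm Xservers file
# for X server lines that still allow the TCP listener on port 6000.
# Usage: sh audit_xservers.sh /usr/X11R6/lib/X11/xdm/Xservers

# Print every server line (blank lines and comments skipped) that lacks
# "-nolisten tcp". Returns 0 when all lines are hardened, 1 otherwise.
audit_xservers() {
    file=$1
    bad=0
    while IFS= read -r line; do
        case "$line" in
            ''|\#*) continue ;;                 # skip blanks and comments
        esac
        case "$line" in
            *"-nolisten tcp"*) ;;               # hardened: no TCP listener
            *) echo "TCP listener still enabled: $line"; bad=1 ;;
        esac
    done < "$file"
    return $bad
}

# Create two constructed sample files (hypothetical content) in a temp
# directory so the script can be run stand-alone; prints the directory.
mk_samples() {
    dir=$(mktemp -d)
    printf '%s\n' '# weak: X listens on tcp/6000' \
        ':0 local /usr/X11R6/bin/X :0 vt07' > "$dir/Xservers.weak"
    printf '%s\n' '# hardened: UNIX socket only' \
        ':0 local /usr/X11R6/bin/X :0 vt07 -nolisten tcp' > "$dir/Xservers.ok"
    echo "$dir"
}

if [ "${1:-}" ]; then
    audit_xservers "$1"
else
    d=$(mk_samples)
    echo "Checking $d/Xservers.weak:"
    audit_xservers "$d/Xservers.weak" || echo "-> needs fixing"
    echo "Checking $d/Xservers.ok:"
    audit_xservers "$d/Xservers.ok" && echo "-> ok"
    rm -r "$d"
fi
```

Run it against the real file after editing; a non-zero exit means at least one server line still starts X without "-nolisten tcp". As the post notes, this only removes the TCP path: the UNIX socket in /tmp/.X11-unix/ remains reachable to local users.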
This archive was generated by hypermail 2b30 : Thu Jul 05 2001 - 10:17:09 PDT