Re: xdm cookies fast brute force

From: Roman Drahtmueller (drahtat_private)
Date: Thu Jul 05 2001 - 08:12:42 PDT


    >
    > Current versions of xdm are sensitive to trivial brute force attack if
    > it is compiled with bad options, mainly HasXdmXauth.
    >
    > Without this option, the cookie is generated from gettimeofday(2).  If you
    > know the starting time of the xdm login session, computation of the cookie
    > just takes a few seconds.
    >
    > Necessary conditions for the bug to be exploited :
    > - have access to X11 socket (TCP or UNIX) ;
    > - know starting date of xdm login session;
    > - no need for big computation power (pentium 200MHz should be enough).
    >
    > Drawbacks due to exploitation of the bug :
    > - victim's X server consumes much system resource ;
    > - many X server configurations let it generate many log entries.
    >
    > Solutions :
    > - use good compilation options ;
    > - limit access to X11 sockets (start X server with "-nolisten tcp"...)
    
    The supported SuSE Linux distributions (6.3 and later) for i386, ia64,
    ppc, s390 and sparc do have the Wraphelp.c code as well as
    the HasXdmAuth option defined and are therefore not vulnerable to the
    attack.
    
    The AXP Alpha distributions however do _not_ contain the enhanced
    authentication scheme. Please see the upcoming SuSE Security
    announcements for more information.
    
    As a temporary workaround for the AXP installations in the wild, run the
    X-server on your AXP machine with the "-nolisten tcp" option. As a
    consequence, the X-server will only be reachable through the socket in the
    /tmp/.X11-unix/ directory, and connections from remote clients to the
    X-server will fail. If you use X11-forwarding as provided by the ssh
    (secure shell) or openssh package, you will still be able to use clients
    from a remote machine. For this, change the line in
    /usr/X11R6/lib/X11/xdm/Xservers to read
    
        :0 local /usr/X11R6/bin/X :0 vt07 -nolisten tcp
    
    then restart xdm (rcxdm restart). Caution: This will log you out!
    Alternatively, you could also filter port 6000 (for DISPLAY :0)
    on the machine running the X-server using the command
    
        ipchains -I input -d 0/0 6000 -p tcp -j DENY -l
    
    Be aware that adding the "-nolisten tcp" option to the X-server
    commandline or the above firewall rule does not keep a local shell user on
    your system from attacking your X-server. In fact, a local attacker will
    find it easier to determine the exact time when the session started.
    
    Thanks,
    Roman Drahtmüller,
    SuSE Security.
    -- 
     -                                                                      -
    | Roman Drahtmüller      <drahtat_private> //          "Caution: Cape does |
      SuSE GmbH - Security           Phone: //       not enable user to fly."
    | Nürnberg, Germany     +49-911-740530 // (Batman Costume warning label) |
     -                                                                      -
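The two workarounds above (the "-nolisten tcp" flag in the Xservers file and the port filter) are easy to verify after the fact. The following is an added example written for this archive entry, not code from the original post or from SuSE: it parses an Xservers file, reports every local display that is started without "-nolisten tcp", and optionally probes the display's TCP port (6000 + display number, as the post notes for DISPLAY :0) to confirm that nothing still accepts connections after the change. The sample Xservers content is constructed; the file path and the display-to-port mapping are assumptions documented in the comments.

```python
"""Audit an xdm Xservers file for the "-nolisten tcp" hardening and check
whether an X display's TCP port still accepts connections.

Added example for this thread; not code from the original post or from SuSE.
"""
import socket
from typing import Callable, List, Optional, Tuple

# Constructed sample of /usr/X11R6/lib/X11/xdm/Xservers (path as in the post):
# display :0 is hardened as recommended, display :1 still listens on TCP.
SAMPLE_XSERVERS = """\
# local X server lines, one per display (comment lines are ignored)
:0 local /usr/X11R6/bin/X :0 vt07 -nolisten tcp
:1 local /usr/X11R6/bin/X :1 vt08
"""

X_TCP_BASE_PORT = 6000  # assumption: display :n listens on TCP 6000 + n


def parse_xservers(text: str) -> List[Tuple[str, List[str]]]:
    """Return (display, server argv) for every 'local' line in an Xservers file."""
    servers = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Format assumed: "<display> local <server binary> <server args...>"
        if len(fields) >= 3 and fields[1] == "local":
            servers.append((fields[0], fields[2:]))
    return servers


def has_nolisten_tcp(argv: List[str]) -> bool:
    """True if the server command line contains the adjacent pair '-nolisten tcp'."""
    return any(a == "-nolisten" and b == "tcp" for a, b in zip(argv, argv[1:]))


def display_number(display: str) -> int:
    """':0' -> 0, ':1.0' -> 1 (screen suffix ignored)."""
    return int(display.lstrip(":").split(".")[0])


def tcp_port_open(port: int, host: str = "127.0.0.1", timeout: float = 0.5) -> bool:
    """Probe whether a TCP listener on host:port accepts a connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(text: str, probe: Optional[Callable[[int], bool]] = None) -> List[str]:
    """Return findings: displays lacking '-nolisten tcp' in the config, and
    (if a probe is given) displays whose TCP port still accepts connections."""
    findings = []
    for display, argv in parse_xservers(text):
        if not has_nolisten_tcp(argv):
            findings.append(f"{display}: missing '-nolisten tcp' in Xservers")
        if probe is not None:
            port = X_TCP_BASE_PORT + display_number(display)
            if probe(port):
                findings.append(f"{display}: TCP port {port} still accepts connections")
    return findings


if __name__ == "__main__":
    # On a real system read /usr/X11R6/lib/X11/xdm/Xservers instead of the sample.
    for finding in audit(SAMPLE_XSERVERS, probe=tcp_port_open):
        print(finding)
```

The config check alone is not sufficient: a server started by hand, or an Xservers edit that has not been followed by an xdm restart, can still be listening, which is why the audit also probes the port. As the post points out, neither check says anything about local shell users, who reach the server through the UNIX socket regardless.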
    


