multiple vendors XDM mis-compilation [Was: xdm cookies fast brute force]

From: Cyril Diakhate (diakhateat_private)
Date: Fri Jul 06 2001 - 06:25:30 PDT


    a few explanations about this advisory:
    
    - we haven't contacted x.org or xfree because the XFree folks are _not_
    concerned. The problem comes from the "HasXdmAuth" option, and it is the
    responsibility of the vendor to compile his X release with this option
    activated. The best way to contact all vendors aware about security without
    forgetting one is to post in this list.
    
    - nowadays, XFree86 logs this attack by default (which apparently was not
    the case in 1995)
    
    - we are not sure that the 1995 CERT advisory
    (http://packetstorm.securify.com/advisories/mci/iMCISE:MIIGS:XVUL:1102:95:P1:R1)
    is about the same problem. That one was about poor /dev/random
    randomness, possible file rights misconfiguration (authority files
    readable by anyone) and so on. Our advisory is about cookie computation in a
    few seconds, _not_ depending on the /dev/random randomness quality.
    
    - the solution is in the advisory (compile xdm with "HasXdmXauth" option
    activated)
    
    - exploitation of this bug needs local access, remote exploitation is
    possible but far more difficult and we didn't post the remote version.
    
    - some vendors (NetBSD, SuSE...) already have a solution (NetBSD 1.5, SuSE
    6.3 and + on i386, ia64, ppc, s390 and sparc...)
    
    
    --
    Nicolas MAWART - NtF - ntfat_private
    Cyril DIAKHATE - Sky - skyat_private
    


