OpenBSD 2.8 "xhost" filter bug

From: vulnat_private
Date: Fri Aug 24 2001 - 03:30:54 PDT


    OpenBSD 2.8 "xhost" filter bug
    -------------------------------
    Discovered by: Teknophreak of malloc()
    --------------
    
    e-mail: tekat_private , tekat_private
    
    
    "xhost" is an access control program for X servers, which allows a
    person to control who can access an X server remotely.
    A bug exists in "xhost" under OpenBSD 2.8 (and possibly others)
    that may allow any attacker to gain access to the X server even when
    "xhost" filtering is used.
    It seems that "xhost" doesn't run properly under OpenBSD 2.8.
    
    
    
    Testing if your system is vulnerable:
    -------------------------------------
    
    1. Set up one system running an X server with "xhost -" running, and let's
    label it "System A".
    
    2. Now on "System B" do the following:
    
    sys_b# echo "Vulnerable" >> /tmp/vuln
    sys_b# export DISPLAY=<ip of System A>:0.0
    sys_b# xmessage -file /tmp/vuln &
    
    If you see the message "Vulnerable" flash on System A's X server,
    then you have a vulnerable system.
    
    
    
    Quick Fix:
    ----------
    
    If you insist on running an X server, then
    firewall port 6000.
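
The same check can be done without opening a window on System A by reading the X server's answer to a bare connection setup request. This is an added example, not part of the original advisory: `probe`, `parse_setup_reply` and the sample replies are constructed for illustration, and the byte layout follows the X11 core protocol's connection setup.

```python
import socket
import struct

# Setup request: little-endian ('l'), protocol 11.0, no authorization name/data.
SETUP_REQUEST = struct.pack("<BxHHHHxx", ord("l"), 11, 0, 0, 0)
STATUS = {0: "refused", 1: "accepted", 2: "authenticate"}

# Constructed sample replies (not captured from a real server).
_REASON = b"Client is not authorized to connect to Server"
_PADDED = _REASON + b"\x00" * (-len(_REASON) % 4)
SAMPLE_REFUSED = struct.pack("<BBHHH", 0, len(_REASON), 11, 0, len(_PADDED) // 4) + _PADDED
SAMPLE_ACCEPTED = struct.pack("<BxHHH", 1, 11, 0, 0)  # header only, server info omitted


def parse_setup_reply(reply: bytes) -> dict:
    """Decode the 8-byte header of a setup reply and any reason text."""
    if len(reply) < 8:
        raise ValueError("short reply: need at least 8 bytes")
    status, reason_len, major, minor, extra_words = struct.unpack("<BBHHH", reply[:8])
    if status not in STATUS:
        raise ValueError(f"unknown status byte {status}")
    body = reply[8:8 + 4 * extra_words]
    if status == 0:      # Failed: byte 1 holds the reason length
        reason = body[:reason_len].decode("latin-1")
    elif status == 2:    # Authenticate: reason fills the padded body
        reason = body.rstrip(b"\x00").decode("latin-1")
    else:                # Success: body is server info, not text
        reason = ""
    return {"status": STATUS[status], "protocol": (major, minor), "reason": reason}


def probe(host: str, display: int = 0, timeout: float = 5.0) -> dict:
    """Send the setup request to TCP 6000+display and classify the answer."""
    with socket.create_connection((host, 6000 + display), timeout=timeout) as s:
        s.sendall(SETUP_REQUEST)
        return parse_setup_reply(s.recv(4096))


if __name__ == "__main__":
    for name, raw in (("refused", SAMPLE_REFUSED), ("accepted", SAMPLE_ACCEPTED)):
        print(name, parse_setup_reply(raw))
```

Run from System B against System A with "xhost -" set, a result of "refused" means access control is being enforced; "accepted" matches the vulnerable outcome of the xmessage test, and a connection error means port 6000 is already filtered or closed.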
    