Title: Mandrake 7.1 bypasses Xauthority X session security
Released by:
Date: 30th September 2000

Summary:

There is a line in the /etc/X11/Xsession file that bypasses the Xauthority
mechanism, allowing any local user to connect to another local user's X session.

Fix:

Remove the following line from the /etc/X11/Xsession file and restart X:

/usr/X11R6/bin/xhost + localhost

Full Text:

While trying to figure out why my ~/.Xclients file would not run, I ran across
this line in /etc/X11/Xsession:

# Mandrake-Security : if you remove this comment, remove the next line too.
/usr/X11R6/bin/xhost + localhost

This line disables the Xauthority mechanism on the localhost. Anyone logged
into the localhost can arbitrarily connect to an X server running on the
localhost. IMHO this is a big security hole. Anyone that can connect to your X
server can sniff your keystrokes, see your program output, etc. This can easily
lead to local root compromise if the administrator logged in through X and
executed su - and entered the root password.

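As an added example (not from the advisory or from Mandrake), the following POSIX shell audit flags active "xhost +" lines in an Xsession-style script and classifies what the xhost command reports for a running display. The Xsession fragment it writes is a constructed sample and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the advisory: audit an Xsession-style script for
# active "xhost +" lines (which open the display to every local user) and
# classify the access-control state reported by the xhost command.
# Print each uncommented line of $1 that runs "xhost +", "xhost + localhost",
# "xhost +localhost" or "xhost +local:", prefixed with its line number.
# Exit status: 0 if the file is clean, 1 if at least one such line exists.
find_xhost_plus() {
    [ -r "$1" ] || return 2
    # Comment lines never match: [^#]* cannot step over a leading '#'.
    # "+si:localuser:NAME" is left alone, as it admits one user, not all.
    if grep -nE '^[[:space:]]*[^#]*xhost[[:space:]]+[+][[:space:]]*(localhost|local:)?([[:space:]]|$)' "$1"
    then
        return 1
    fi
    return 0
}

# Read the text printed by "xhost" on stdin and print one verdict: "open"
# (access control disabled), "local-open" (enabled, but LOCAL: or
# INET:localhost is listed, so every local account can attach) or "restricted".
classify_xhost_output() {
    state=restricted
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*) state=open ;;
            LOCAL:|INET:localhost) [ "$state" = open ] || state=local-open ;;
        esac
    done
    echo "$state"
}

# Constructed sample mirroring the line the advisory quotes (line 3 is the
# offending one; line 5 is the per-user form and must not be flagged).
write_sample_xsession() {
    cat > "$1" <<'EOF'
#!/bin/bash -login
# Mandrake-Security : if you remove this comment, remove the next line too.
/usr/X11R6/bin/xhost + localhost
xrdb -merge /etc/X11/Xresources
xhost +si:localuser:$USER
EOF
}

# Stand-alone use: audit the system file when present, then the live display.
if [ -f /etc/X11/Xsession ]; then
    find_xhost_plus /etc/X11/Xsession || echo "WARNING: xhost + is active in /etc/X11/Xsession"
fi
if [ -n "$DISPLAY" ] && command -v xhost >/dev/null 2>&1; then
    echo "display $DISPLAY: $(xhost 2>/dev/null | classify_xhost_output)"
fi
```
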
This may not be so bad for those that use a single machine for each user and
don't set up logins for other people on that single machine. But for those of
us that have large cycle-server machines that have multiple people allowed to
log in and run X, this can be a very large hole.

I have not tested every installation route, only "development-expert" and
"server-custom", both with the high-security option turned on. The offending
line is present in the Xsession file on each installation. I suspect that this
line is present in all installation routes.

I also found that the ssh-agent handling is very poor. The Xsession file does
not allow the ~/.Xclients file ever to be run when run under [xkg]dm. When run
under [xkg]dm there is no ability to add new keys to the agent
automatically. Also, Xsession makes assumptions about the version and usage of
SSH that should not be present in the Xsession file, but should be put in the
user's ~/.Xclients file.

I have attached my revised Xsession and ~/.Xclients file. The ~/.Xclients file
should be revised to fit your installation's needs and put in /etc/skel for
future new users. All present users should have the revised ~/.Xclients file
placed in their home directories. Ensure the permissions for the ~/.Xclients
file are 0700 and that it is owned by the user. I have not thoroughly tested it
in any environment other than our own.

You only have to put in my revised Xsession/Xclients if you want the improved
ssh-agent handling; it is not necessary to close the security hole. All that is
necessary to close the hole is to remove the offending line.

I have not notified the vendor because the fix is very easy to make on your
own. I suspect that they will see this advisory and act accordingly.

Daniel P. Zepeda
Lead Administrator
University of Texas at San Antonio
Computer Science Information Security Laboratory
dpz@pobox.com
Find my public keys at:
http://www.cs.utsa.edu/~dzepeda/PublicKeys.html

Start----------------Xsession----------------------

#!/bin/bash -login
# Modification for Linux-Mandrake by Chmouel Boudjnah
# 20000309, Francis Galiegue : imwheel -k added for wheel
# mice and braindead-not-supporting-wheel-yet toolkits (this includes Qt...)
#
# Modified to correctly execute a user's .Xclient, .xinitrc etc.
# also corrected usage of ssh-agent. Daniel P. Zepeda

# redirect errors to a file in user's home directory if we can
for errfile in "$HOME/.xsession-errors" "${TMPDIR-/tmp}/xses-$USER" "/tmp/xses-$USER"
do
    if ( cp /dev/null "$errfile" 2> /dev/null )
    then
        chmod 600 "$errfile"
        exec > "$errfile" 2>&1
        break
    fi
done

# Mandrake default background
xsetroot -solid \#356390

# The stock Mandrake file ran "/usr/X11R6/bin/xhost + localhost" at this
# point; it is deliberately absent here so Xauthority stays in force.

if [ -f /usr/bin/ssh-agent ]; then
    ssh_agent="/usr/bin/ssh-agent"
fi

# Set user's client if present - dpz
userclient=":"
if [ -f "$HOME/.xsession" ]; then
    userclient="$HOME/.xsession"
elif [ -f "$HOME/.Xclients" ]; then
    userclient="$HOME/.Xclients"
elif [ -f "$HOME/.xinitrc" ]; then
    userclient="$HOME/.xinitrc"
fi

# clean up after xbanner
if [ -f /usr/X11R6/bin/freetemp ]; then
    freetemp
fi

userresources=$HOME/.Xresources
userresources2=$HOME/.Xdefaults
sysresources=/etc/X11/Xresources

# merge in defaults and keymaps
if [ -f "$sysresources" ]; then
    xrdb -merge "$sysresources"
fi

if [ -f "$userresources" ]; then
    xrdb -merge "$userresources"
fi

if [ -f "$userresources2" ]; then
    xrdb -merge "$userresources2"
fi

if [ -x /etc/X11/xinit/fixkeyboard ]; then
    /etc/X11/xinit/fixkeyboard
fi

if [ -z "$BROWSER" ] ; then
    # we need to find a browser on this system
    BROWSER=`which netscape`
    if [ -z "$BROWSER" ] || [ ! -e "$BROWSER" ] ; then
        # not found yet
        BROWSER=
    fi
fi

if [ -z "$BROWSER" ] ; then
    # we need to find a browser on this system
    BROWSER=`which lynx`
    if [ -z "$BROWSER" ] || [ ! -e "$BROWSER" ] ; then
        # not found yet
        BROWSER=
    else
        BROWSER="xterm -font 9x15 -e lynx"
    fi
fi
export BROWSER

if [ -x /usr/sbin/chksession ];then
    LIST=$(/usr/sbin/chksession -l)
else
    LIST="kde Gnome AfterStep Icewm AnotherLevel failsafe"
fi

# run scripts in /etc/X11/xinit.d
for i in /etc/X11/xinit.d/* ; do
    [ -d "$i" ] && continue
    # Don't run ??foo.{rpmsave,rpmorig,rpmnew} scripts
    [ "${i%.rpmsave}" != "${i}" ] && continue
    [ "${i%.rpmorig}" != "${i}" ] && continue
    [ "${i%.rpmnew}" != "${i}" ] && continue

    if [ -x "$i" ]; then
        "$i" &
    fi
done

# now, we see if xdm/gdm/kdm has asked for a specific environment
if [ $# = 1 ]; then
    case $1 in
    failsafe)
        exec $ssh_agent xterm -geometry 80x24-0-0
        ;;
    default)
        ;;
    *)
        # run the user's client first, then the requested session, both
        # under the agent so keys added by the client are visible
        exec $ssh_agent /bin/sh -c "$userclient; $(/usr/sbin/chksession -x=$1)"
        ;;
    esac
else
    # otherwise, take default action
    if [ "x$userclient" != "x:" ]; then
        exec $ssh_agent "$userclient"
    fi

    # We may try with chksession
    if [ -x /usr/sbin/chksession ];then
        #get the first available
        SESSION=$(/usr/sbin/chksession -F)
        # ${SESSION}xxx, not $SESSIONxxx: the latter expands an unset
        # variable named SESSIONxxx, so the guard fired even with no session
        [ "${SESSION}xxx" != "xxx" ] && exec $ssh_agent sh -c "$(/usr/sbin/chksession -x=$SESSION)"
    fi

    # Argh! Nothing good is installed. Fall back to icewm
    if [ -x /usr/X11R6/bin/icewm-light ];then
        exec $ssh_agent /usr/X11R6/bin/icewm-light
    else
        # gosh, neither fvwm95 nor fvwm2 is available;
        # fall back to failsafe settings
        xclock -geometry 100x100-5+5 &
        xterm -geometry 80x30-50+150 &
        if [ -x /usr/bin/netscape -a -f /usr/doc/HTML/index.html ]; then
            netscape /usr/doc/HTML/index.html &
        fi
        if [ -x /usr/X11R6/bin/icewm-light ];then
            exec $ssh_agent icewm-light
        elif [ -x /usr/X11R6/bin/twm ];then
            exec $ssh_agent twm
        fi
    fi
fi

# otherwise, take default action (reached for the "default" session, or
# when nothing above was exec'd)
if [ "x$userclient" != "x:" ]; then
    # the original had a stray closing quote here: $userclient"
    exec $ssh_agent "$userclient"
elif [ -x /etc/X11/xinit/Xclients ]; then
    exec $ssh_agent /etc/X11/xinit/Xclients
else
    exec $ssh_agent xsm
fi

End----------------------Xsession--------------------

Start--------------------~/.Xclients--------------------

#!/bin/sh
# ~/.Xclients
# Note that you must *not* put any long running processes in this file
# without putting them in the background with `&'.
# Ensure user ownership of this file. Ensure permissions are 0700
# (Xsession execs this file directly, so it must be executable.)

# Add DSA key to ssh-agent
ssh-add ~/.ssh/id_dsa

# Add RSA key to ssh-agent
ssh-add ~/.ssh/identity

End------------------~/.Xclients--------------------------