Date:         Mon, 19 Jun 2000 23:51:43 +0100
From: Chris Evans <chris@FERRET.LMH.OX.AC.UK>
Subject:      XFree86: xdm flaw; present in kdm
To: BUGTRAQ@SECURITYFOCUS.COM

Hi,

Just a minor one this. Discovered during a 5 minute pass of "xdm". I
subsequently discovered "kdm" has copied the xdm core xdmcp code.

I'm posting this because I think Caldera released an advisory, but a
general discussion of the problem did not yet appear on Bugtraq.

Further audit of kdm/xdm encouraged; there's quite a lot of it offering
listening ports to the open internet...

CREDITS
=======

Thanks to Olaf Kirch for assisting looking into this.

SUMMARY [copied from original discovery mail]
=======

xdmcp.c, send_failed()

[...]
static char buf[256];
[...]
    sprintf (buf, "Session %d failed for display %s: %s",
             (int)sessionID, name, reason);

As far as I can tell, "name" could well be an arbitrary host name...

COMMENTS
========

Anyone doing a more thorough audit (I literally did 5 mins) should check
the handling of the various files, e.g. Xauth cookie files. GDM had some
problems/race conditions there.

An audit is probably needed; I hear a couple of distributions ship kdm as
default, and also leave it answering UDP xdmcp requests by default(!)

Cheers
Chris
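
An added example, not part of the original mail and not code from xdm or kdm: one way to bound the formatting that the quoted send_failed() snippet does with an unbounded sprintf into a 256-byte buffer. The helper name format_failed, the per-field caps (64 and 128 bytes) and the sample input are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define FAIL_BUF_LEN 256   /* same size as the static buffer quoted in the mail */

/* Hypothetical helper (not xdm's code): build the failure message with a hard
 * bound. Returns 0 if the message fit, 1 if it was truncated to fit the
 * buffer, -1 on bad arguments or a formatting error. The buffer is always
 * NUL-terminated on return values 0 and 1. */
int format_failed(char *buf, size_t buflen, int session_id,
                  const char *name, const char *reason)
{
    int n;

    if (buf == NULL || buflen == 0 || name == NULL || reason == NULL)
        return -1;

    /* The precisions cap each remotely influenced string (assumed limits), so
     * the worst case is 8 + 11 + 20 + 64 + 2 + 128 = 233 bytes plus the NUL.
     * snprintf still enforces buflen if a caller passes a smaller buffer. */
    n = snprintf(buf, buflen, "Session %d failed for display %.64s: %.128s",
                 session_id, name, reason);
    if (n < 0) {
        buf[0] = '\0';
        return -1;
    }
    /* snprintf returns the length it wanted to write; >= buflen means cut. */
    return (size_t)n >= buflen ? 1 : 0;
}

int main(void)
{
    char buf[FAIL_BUF_LEN];
    char longname[1001];               /* constructed oversized display name */
    int rc;

    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    rc = format_failed(buf, sizeof buf, 7, longname, "refused");
    printf("rc=%d len=%zu\n", rc, strlen(buf));
    return 0;
}
```

Checking the return value lets the caller log or reject a truncated message instead of silently sending a cut-off one.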