Date:         Mon, 19 Jun 2000 23:51:43 +0100
From: Chris Evans <chris@FERRET.LMH.OX.AC.UK>
Subject:      XFree86: xdm flaw; present in kdm
To: BUGTRAQ@SECURITYFOCUS.COM

Hi,

Just a minor one this. Discovered during a 5 minute pass of "xdm". I
subsequently discovered "kdm" has copied the xdm core xdmcp code.

I'm posting this because I think Caldera released an advisory, but a
general discussion of the problem did not yet appear on Bugtraq.

Further audit of kdm/xdm encouraged; there's quite a lot of it offering
listening ports to the open internet...

CREDITS
=======

Thanks to Olaf Kirch for assisting looking into this.


SUMMARY [copied from original discovery mail]
=======

xdmcp.c, send_failed()

[...]
static char buf[256];           /* fixed-size, 256 bytes */
[...]
    /* "name" arrives in the XDMCP request; no length check before sprintf */
    sprintf (buf, "Session %d failed for display %s: %s",
             (int)sessionID, name, reason);

As far as I can tell, "name" could well be an arbitrary host name...


COMMENTS
========

Anyone doing a more thorough audit (I literally did 5 mins) should check
the handling of the various files, e.g. Xauth cookie files. GDM had some
problems/race conditions there.

An audit is probably needed; I hear a couple of distributions ship kdm as
default, and also leave it answering UDP xdmcp requests by default(!)

Cheers
Chris
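The flaw in the quoted send_failed() excerpt is an unbounded sprintf() of a remotely supplied display name into a 256-byte static buffer. The following is an added example, not code from the post, from xdm or from kdm: it shows a bounded replacement for that formatting call, plus a check that measures, without writing anything, whether the original sprintf() would have overrun the buffer for a given name. The function names, the "constructed reason" string and the 300-byte all-'A' display name are made up for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same buffer size as the static buf in the quoted send_failed(). */
#define FAILED_BUF_LEN 256

/* Hypothetical bounded replacement for the sprintf() in the report.
 * snprintf() never writes more than buflen bytes (including the NUL),
 * so an oversized "name" truncates the message instead of smashing
 * whatever follows buf. Returns the length the full message would
 * have had (excluding NUL), so the caller can detect truncation;
 * returns -1 on an encoding error. */
int format_failed(char *buf, size_t buflen, int sessionID,
                  const char *name, const char *reason)
{
    int needed = snprintf(buf, buflen, "Session %d failed for display %s: %s",
                          sessionID, name, reason);
    if (needed < 0) {
        if (buflen > 0)
            buf[0] = '\0';
        return -1;
    }
    return needed;
}

/* Answers the question the report raises: would the original
 * sprintf() into a 256-byte buffer overflow for this input?
 * snprintf() with a NULL buffer and size 0 only measures. */
int would_overflow(int sessionID, const char *name, const char *reason)
{
    int needed = snprintf(NULL, 0, "Session %d failed for display %s: %s",
                          sessionID, name, reason);
    return needed < 0 || (size_t)needed >= FAILED_BUF_LEN;
}

/* Constructed hostile display name: n 'A' bytes. Caller frees. */
char *make_long_name(size_t n)
{
    char *s = malloc(n + 1);
    if (!s)
        return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

/* Convenience: does a name of name_len bytes overflow the 256-byte buffer? */
int overflow_for_name_len(size_t name_len)
{
    char *name = make_long_name(name_len);
    if (!name)
        return -1;
    int r = would_overflow(1, name, "constructed reason");
    free(name);
    return r;
}

/* Convenience: run the bounded formatter against a name of name_len bytes
 * and return how many characters actually landed in the buffer. */
int stored_len_for_name(size_t name_len)
{
    static char buf[FAILED_BUF_LEN];
    char *name = make_long_name(name_len);
    if (!name)
        return -1;
    format_failed(buf, sizeof buf, 1, name, "constructed reason");
    int len = (int)strlen(buf);
    free(name);
    return len;
}

int main(void)
{
    printf("12-byte name would overflow: %d\n", overflow_for_name_len(12));
    printf("300-byte name would overflow: %d\n", overflow_for_name_len(300));
    printf("bounded formatter stored %d bytes for a 300-byte name\n",
           stored_len_for_name(300));
    return 0;
}
```

A bounded call is the minimum fix; a caller that cares about the message content should also compare the returned length against the buffer size and log or reject the oversized name rather than silently truncating it.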