Date: Mon, 19 Jun 2000 23:51:43 +0100
From: Chris Evans <chris@FERRET.LMH.OX.AC.UK>
Subject: XFree86: xdm flaw; present in kdm
To: BUGTRAQ@SECURITYFOCUS.COM

Hi,

Just a minor one this. Discovered during a 5-minute pass of "xdm". I
subsequently discovered "kdm" has copied the xdm core xdmcp code.

I'm posting this because I think Caldera released an advisory, but a
general discussion of the problem did not yet appear on Bugtraq.

Further audit of kdm/xdm encouraged; there's quite a lot of it offering
listening ports to the open internet...

CREDITS
=======

Thanks to Olaf Kirch for assisting in looking into this.

SUMMARY [copied from original discovery mail]
=======

xdmcp.c, send_failed()

[...]
    static char buf[256];
[...]
    sprintf (buf, "Session %d failed for display %s: %s",
             (int)sessionID, name, reason);

As far as I can tell, "name" could well be an arbitrary host name...

COMMENTS
========

Anyone doing a more thorough audit (I literally did 5 mins) should check
the handling of the various files, e.g. Xauth cookie files. GDM had some
problems/race conditions there.

An audit is probably needed; I hear a couple of distributions ship kdm
as default, and also leave it answering UDP xdmcp requests by default(!)

Cheers
Chris
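The following is an added example, not code from the post above or from XFree86/KDE: it reproduces the quoted sprintf pattern from send_failed() against its 256-byte buffer, measures (rather than performs) the write the original would make for an over-long display name, and shows a bounded replacement that flags truncation. The host names, session ID and reason string are constructed for the example; the only assumption taken from the post is that "name" can be attacker-influenced.

```c
/* Added example (not XFree86 code): the sprintf from xdmcp.c send_failed()
 * measured against its 256-byte buffer, beside a bounded replacement.
 * Sample inputs below are constructed for this example. */
#include <stdio.h>
#include <string.h>

#define BUFLEN 256   /* size of the static buf[] in the quoted send_failed() */

/* Bytes the original sprintf would write, NUL excluded. Measured with
 * snprintf(NULL, 0, ...) so this example never performs the overflow. */
size_t failed_msg_len(unsigned long sessionID, const char *name, const char *reason)
{
    int n = snprintf(NULL, 0, "Session %d failed for display %s: %s",
                     (int)sessionID, name, reason);
    return n < 0 ? 0 : (size_t)n;
}

/* 1 if the quoted sprintf into buf[256] would run past the end of buf. */
int vulnerable_would_overflow(unsigned long sessionID, const char *name, const char *reason)
{
    return failed_msg_len(sessionID, name, reason) + 1 > BUFLEN;
}

/* Bounded form: writes at most buflen-1 bytes plus a NUL and reports
 * truncation to the caller. Returns the number of bytes stored in buf. */
size_t send_failed_safe(char *buf, size_t buflen, unsigned long sessionID,
                        const char *name, const char *reason, int *truncated)
{
    int n = snprintf(buf, buflen, "Session %d failed for display %s: %s",
                     (int)sessionID, name, reason);
    if (n < 0) {                 /* encoding error: send an empty message */
        buf[0] = '\0';
        *truncated = 1;
        return 0;
    }
    if ((size_t)n >= buflen) {   /* did not fit; snprintf already NUL-terminated */
        *truncated = 1;
        return buflen - 1;
    }
    *truncated = 0;
    return (size_t)n;
}

/* Constructed hostile input: a 400-byte display name. The post's point is
 * that "name" is an arbitrary host name chosen by the remote side; the
 * specific string here is an assumption for the example. */
static char hostile_name[401];

const char *constructed_hostile_name(void)
{
    memset(hostile_name, 'A', sizeof hostile_name - 1);
    hostile_name[sizeof hostile_name - 1] = '\0';
    return hostile_name;
}

/* Runs the bounded form on the hostile name; returns 1 when it stayed
 * inside a 256-byte buffer, reported truncation and left buf terminated. */
int demo_safe_handles_hostile_name(void)
{
    char buf[BUFLEN];
    int truncated = 0;
    size_t n = send_failed_safe(buf, sizeof buf, 7, constructed_hostile_name(),
                                "Cannot open display", &truncated);
    return truncated == 1 && n == BUFLEN - 1 && strlen(buf) == BUFLEN - 1;
}

int main(void)
{
    printf("ordinary name overflows buf[256]: %d\n",
           vulnerable_would_overflow(7, "ws01.example.org:0", "Cannot open display"));
    printf("hostile name overflows buf[256]:  %d\n",
           vulnerable_would_overflow(7, constructed_hostile_name(), "Cannot open display"));
    printf("bounded form handles hostile name: %d\n", demo_safe_handles_hostile_name());
    return 0;
}
```

The measuring helper is what a quick audit of a `sprintf` into a fixed buffer amounts to: compute the worst-case formatted length for each attacker-controlled `%s` and compare it with the buffer. A bounded write alone is not the whole fix for a network daemon, since a truncated message may still need to be rejected rather than sent, but it removes the memory-safety problem the post describes.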