Bugtraq mailing list archives

Re: Is _your_ Netscape under remote control


From: imp () village org (Warner Losh)
Date: Mon, 27 May 1996 09:52:08 -0600


: Still, there is a significant gap between sniffing/denial of service and
: executing shell commands.  From what I've seen, security-conscious X
: clients (such as xterm) have traditionally made sure they ignored
: synthetic keyboard events, and didn't provide any kind of shell-capable
: remote X interface.

Well, that's true iff the events are marked as synthetic.  I have seen
X servers that neglect to mark events as synthetic if you do an
XSendEvent w/o setting the synthetic field to be true.  I once saw a
demonstration of the so-called secure xterm mechanisms where the
terminal was remotely controlled (yes, the secure bits were set, and
we double checked the same program on a different X server and it
worked like the authors had intended).  This was in the R2 server time
frame, so maybe things have changed somewhat since then.

Warner
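
Added example, not part of the original message: a minimal client-side filter of the kind discussed above, working on raw 32-byte core-protocol events, where the server sets the top bit of the event code on anything delivered by SendEvent. The function name, the `allow_send_events` parameter and the sample events are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* X11 core protocol facts: each event is 32 bytes on the wire, byte 0 is the
 * event code, and the server sets the top bit of that code on events that
 * were delivered by a SendEvent request (Xlib reports it as send_event). */
#define EVENT_SIZE   32
#define SENT_BIT     0x80
#define KEY_PRESS    2
#define KEY_RELEASE  3

/* Hypothetical filter: 1 = treat as keyboard input, 0 = ignore. */
int accept_key_event(const uint8_t ev[EVENT_SIZE], int allow_send_events)
{
    uint8_t type = ev[0] & 0x7f;            /* event code without the flag */
    int synthetic = (ev[0] & SENT_BIT) != 0;

    if (type != KEY_PRESS && type != KEY_RELEASE)
        return 0;                           /* not keyboard input */
    if (synthetic && !allow_send_events)
        return 0;                           /* server says a client sent it */
    return 1;
}

/* Constructed sample events; byte 1 of a key event is the keycode. */
const uint8_t from_keyboard[EVENT_SIZE] = { KEY_PRESS, 38 };
const uint8_t sent_flagged[EVENT_SIZE]  = { KEY_PRESS | SENT_BIT, 38 };
/* Same SendEvent origin, but as delivered by a server that omits the bit:
 * byte-for-byte identical to from_keyboard, so no client check can help. */
const uint8_t sent_unflagged[EVENT_SIZE] = { KEY_PRESS, 38 };

int main(void)
{
    printf("keyboard:        %d\n", accept_key_event(from_keyboard, 0));
    printf("sent, flagged:   %d\n", accept_key_event(sent_flagged, 0));
    printf("sent, unflagged: %d\n", accept_key_event(sent_unflagged, 0));
    return 0;
}
```

The third case is the one that matters: the filter is only as trustworthy as the server's marking, so the server has to be verified as well as the client setting.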


