Bugtraq mailing list archives
Re: Reminder for irix ppl/xevents
From: matth () CONNECTNET COM (Matt Harrigan)
Date: Mon, 19 May 1997 10:19:07 -0700
The following has been used, abused, and exploited like mad, however a little reminder may not hurt. In the default setup for irix boxes, xhost is set to global access whenever someone logs in on console (or invokes xdm). There may be some good reason for this default behavior, however it's often a nuisance in situations where one is around a lot of immature ppl just waiting to xdisplay '/usr/bin/X11/endsession -f' to your console.
On a far more unhappy note, ending your session is probably the nicest thing they could do. If someone has access to your X display, they also have control of the resource database for your session, which contains all of the attributes assigned to that session. One of these attributes (AllowSendEvents), controls the receiving of events from a process foreign to the current event in question. I.E., when a window is created, it reads information from RESOURCE_MANAGER and SCREEN_RESOURCES via xrdb, which contains these attributes (like AllowSendEvents). Unfortunately, when someone has r/w access to your display, they have r/w access to the database, and therefore, all of your attributes. All one needs to do at this point is manually utilize xrdb to retrieve a copy of the database, modify AllowSendEvents: true, reupload the database, and wait for a user to launch another xterm (so the new attributes can take effect). It is then trivial to write an xevent interjection tool, to send "xterm -display IAMAMEANMANONAMEANHOST:0.0" to the window based on window id, which can also be easily retrieved from the server. Obviously, the command will be executed as whatever user the session belongs to, and I'm sure quite a few of us log onto the console as root.

Matt Harrigan
CIO, Microcosm Computer Resources
matth () mcr com
415-333-1062
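An added audit check, not part of the original post: it flags the two conditions the message describes, an X server with host access control disabled and a resource database that turns on allowSendEvents. The function names and sample outputs are constructed for illustration; live mode assumes the standard `xhost` and `xrdb -query` commands are available.

```shell
#!/bin/sh
# Added example. Both detectors read command output on stdin, so they can be
# run offline against saved output as well as against a live display.

# Succeeds if `xhost` output reports that any host may connect.
xhost_is_open() {
    grep -qi '^access control disabled'
}

# Prints resource lines enabling allowSendEvents; succeeds if any are found.
# Xt treats true/yes/on/1 as boolean true, matched case-insensitively.
sendevents_enabled() {
    grep -iE '(^|[.*])allowSendEvents:[[:space:]]*(true|on|yes|1)[[:space:]]*$'
}

# $1 = output of `xhost`, $2 = output of `xrdb -query`. Returns 1 on findings.
audit_display() {
    status=0
    if printf '%s\n' "$1" | xhost_is_open; then
        echo "FINDING: host access control is disabled (global xhost access)"
        status=1
    fi
    hits=$(printf '%s\n' "$2" | sendevents_enabled) && {
        echo "FINDING: resource database accepts synthetic events: $hits"
        status=1
    }
    return $status
}

# Constructed sample outputs (not captured from a real system).
SAMPLE_XHOST_OPEN='access control disabled, clients can connect from any host'
SAMPLE_XHOST_CLOSED='access control enabled, only authorized clients can connect'
SAMPLE_XRDB_BAD='XTerm*scrollBar: true
XTerm*allowSendEvents: true'
SAMPLE_XRDB_OK='XTerm*scrollBar: true
XTerm*allowSendEvents: false'

# `sh script live` audits the current $DISPLAY; otherwise run the samples.
if [ "${1:-}" = live ]; then
    audit_display "$(xhost 2>/dev/null)" "$(xrdb -query 2>/dev/null)" || true
else
    audit_display "$SAMPLE_XHOST_OPEN" "$SAMPLE_XRDB_BAD" || true
fi
```

A clean result from the resource check does not make an open display safe: as the post notes, anyone with access to the display can rewrite the database, so the access-control finding is the one to fix first.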