Bugtraq mailing list archives
Re: X11 cookie hijacker
From: casper () HOLLAND SUN COM (Casper Dik)
Date: Wed, 4 Nov 1998 10:16:45 +0100
Evil grin. It has already been told a million times: you are asking for a problem if your /tmp/.X11-unix (and/or /tmp/.X11-pipe on Solaris) has the permission bits allowing other users to play games with its contents.
Please note that with the latest Solaris 2.5.1 patches (not sure about the Solaris 2.6 status of same) as well as in Solaris 7, the permissions of /tmp/.X11-* are:

drwxrwxr-x 2 root root 104 Nov 3 08:59 /tmp/.X11-pipe/
drwxrwxr-x 2 root root 104 Nov 3 08:59 /tmp/.X11-unix/

(This is no problem when Xsun is started by root through dtlogin; since it's only set-gid root, it's slightly trickier when started from the command line.)
> - set the sticky bit on /tmp/.X11-unix, make sure the bit stays there
Unfortunately, some systems will allow users to remove such directories from /tmp (This is what happened when SV got their hands on the sticky bit and messed with it)
> - make it world-unwritable, make sure it stays this way (this works if all your Xservers run with some extra privileges)

This is what Sun has done (the servers already run set-uid root (x86) or set-gid root (SPARC) to access devices (x86) and change the priority of processes with the input focus (both)).
> - special Solaris option: put /tmp/.X11-{unix,pipe} into /etc/logindevperm (assumption: the user sitting at the console is the only one who uses X)

Ugh; that might not be such a hot idea; /etc/logindevperm will gladly follow symbolic links for chowns (has to for devices) and once you own /tmp/.X11-* you can remove it, replace it with a link and logout and back in again.
> - abolish Unix-domain X11 sockets and use TCP only (giving up MIT-SHM etc)

Which is really hard to do with X11R6.4 which will go through hoops to find out whether the hostname to connect to is local; and if so, use local transport.

Casper
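An audit of the conditions argued over in this thread, as an added example that is not part of the original post (my own script, not Sun's or the poster's): it flags an X11 socket directory that is a symlink, is missing, is not owned by the expected uid (root by default), or is world-writable without the sticky bit. The `--audit` flag and the uid argument are this script's own conventions.

```shell
#!/bin/sh
# Added example (not from the thread): audit an X11 socket directory such as
# /tmp/.X11-unix or /tmp/.X11-pipe against the conditions discussed above.
#   usage: check_x11_dir DIR [EXPECTED_UID]   (EXPECTED_UID defaults to 0 = root)
# Verdicts:
#   - a symlink is unsafe (logindevperm-style chown fixups follow links)
#   - a missing directory is reported, since any user could then create it
#   - an owner other than the expected uid is unsafe
#   - world-writable without the sticky bit is unsafe; with the sticky bit,
#     or not world-writable at all, it passes
check_x11_dir() {
    dir=$1
    want=${2:-0}
    if [ -L "$dir" ]; then
        echo "UNSAFE: $dir is a symbolic link"
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir does not exist (any user could create it)"
        return 2
    fi
    # ls -ldn is POSIX and prints numeric uid/gid, so no stat(1) is needed:
    # "drwxrwxrwt 2 0 0 ... /tmp/.X11-unix"
    set -- $(ls -ldn "$dir")
    mode=$1
    owner=$3
    if [ "$owner" != "$want" ]; then
        echo "UNSAFE: $dir owned by uid $owner, expected uid $want"
        return 1
    fi
    case "$mode" in
        d????????[tT]*)
            echo "OK: $dir world-writable but sticky (only an entry's owner can remove it)" ;;
        d???????w?*)
            echo "UNSAFE: $dir world-writable without the sticky bit"
            return 1 ;;
        *)
            echo "OK: $dir not world-writable (X servers need extra privilege to create sockets here)" ;;
    esac
    return 0
}

# Stand-alone run: audit the two directories named in the thread.
if [ "${1:-}" = "--audit" ]; then
    for d in /tmp/.X11-unix /tmp/.X11-pipe; do
        check_x11_dir "$d"
    done
fi
```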