Vulnerability Development mailing list archives
Re: Possible flaw in XFree?
From: Nuno Branco <branco () markdata pt>
Date: 28 Jun 2002 17:16:41 +0100
Try to start your Xserver with the command

[root@machine branco]$ startx && exit

Maybe it will do the trick :)

On Thu, 2002-06-27 at 20:06, William N. Zanatta wrote:

> Hi folks,
>
> Talking about some bad experiences with my friend, I discovered (he told me) it is possible to abort an X session even when the screen is locked by some kind of application like 'xlock'.
>
> I have made the following test:
>
> 1. Logged into the system as 'william' (a normal non-privileged user).
> 2. startx
> 3. Run xlock ... the screen is now locked...
> 4. Tried a hit on some keys. The password screen appears.
> 5. Then, 'ctrl-alt-backspace' and voila... X is down and my console is there, opened for me.
>
> I see this as a serious problem once one could let his/her X session opened and locked and anyone who has access to that machine could abort the X session and start playing around with the logged user's shell (which could be the root shell).
>
> What about that?
>
> Tested on:
> -------------------------------------
> XFree86 Version 4.1.0 / X Window System
> (protocol Version 11, revision 0, vendor release 6510)
> Release Date: 2 June 2001
> If the server is older than 6-12 months, or if your card is newer than the above date, look for a newer version before reporting problems. (See http://www.XFree86.Org/FAQ)
> Build Operating System: Linux 2.2.19 i686 [ELF]
> -------------------------------------
>
> Regards,
> William Zanatta
>
> --
> Perl combines all of the worst aspects of BASIC, C and line noise.
> -- Keith Packard

--
Atentamente,
Nuno Branco

MARKDATA
Rua Padre Luis Aparicio, 10 - 5º
1150-248 Lisboa
Telefone: 213173400
Fax: 213155046
http://www.markdata.net/