[jtb@THEO2.PHYSIK.UNI-STUTTGART.DE: XDM Insecurity revisited]
I checked the Xaccess file on a SuSE 6.0 machine near me -- and though I do not know exactly what the thing does, the comments in the file lead me to believe that the poster is correct... check yours! :)

vi `locate Xaccess`

----- Forwarded message from Jochen Bauer <jtb@THEO2.PHYSIK.UNI-STUTTGART.DE> -----

Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
Mail-Followup-To: BUGTRAQ@SECURITYFOCUS.COM
X-Mailer: Mutt 0.95.4i
Date: Wed, 18 Aug 1999 12:26:20 +0200
Reply-To: Jochen Bauer <jtb@THEO2.PHYSIK.UNI-STUTTGART.DE>
From: Jochen Bauer <jtb@THEO2.PHYSIK.UNI-STUTTGART.DE>
Subject: XDM Insecurity revisited
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

On Wed, 26 Nov 1997 Eric Augustus (augustus@stic.net) posted a message on BUGTRAQ about the fact that the default Xaccess file allows XDMCP connections from any host. As you know, this can be used to get a login screen on any host and therefore get around access control mechanisms like tcpwrapper and root login restriction to the console.

However, this warning seemed to have little effect, as (at least) Digital Unix 4.0E, SuSE Linux 6.1 and Red Hat Linux 6.0 are still (1.5 years later) shipped with this default Xaccess file. It is somehow ironic that e.g. SuSE now uses tcpwrappers by default on most TCP services in its distribution and describes the use of tcpwrappers in the manual in a special chapter about security, but fails to close (or even mention) that way to circumvent login restrictions.

By the way, if you think that using the cryptographically secured remote management channels with access limited to authorized hosts on your AltaVista Firewall under Digital Unix is the only way of doing remote administration of the firewall, then you should take a close look at your Xaccess file ;-)

--
Jochen Bauer

************************************************************
* Network Security Team                                    *
* Computer Center of the University of Stuttgart           *
* Germany                                                  *
*                                                          *
* Email: jtb@theo2.physik.uni-stuttgart.de                 *
*        jochen.bauer@rus.uni-stuttgart.de                 *
*                                                          *
* PGP Public Key:                                          *
* http://www.theo2.physik.uni-stuttgart.de/jtb.html        *
************************************************************

----- End forwarded message -----

--
Seth Arnold | ICQ 3172483 | http://cswww.willamette.edu/~sarnold/
I prosecute unsolicited bulk emails, using the RealTime BlackHole List. You should too. Ask me how, or visit http://maps.vix.com/rbl/
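The check the message above asks for ("check yours!"), worked through as an added example that is not part of the thread and not code from xdm or any distribution. Xaccess grants XDMCP access to every host whose name matches an entry: a bare `*` pattern matches any host, a `!` prefix refuses the host, lines starting with `%` define macros, and `#` starts a comment; a host that matches no entry gets no login window. Separately, `DisplayManager.requestPort: 0` in xdm-config stops xdm listening for XDMCP at all. The script below audits an Xaccess file for the wildcard entries, writes a hardened copy, and checks xdm-config for the port setting. The sample Xaccess and xdm-config contents, the temporary file paths and the host names console.example.org, mgmt.example.org and bad.example.org are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread, not xdm's own code): audit an Xaccess
# file for the shipped-default wildcard entries and produce a hardened copy.
# Sample file contents, paths and host names below are constructed.

# Report every access entry whose host pattern is the bare wildcard "*".
# Such a line lets any host obtain a login window (direct/broadcast) or a
# chooser (CHOOSER). Returns 0 when none are found, 1 otherwise.
audit_xaccess() {
    awk '
        { sub(/#.*/, "") }                  # strip trailing comments
        NF == 0 { next }                    # blank or comment-only line
        $1 ~ /^%/ { next }                  # macro definition, not an entry
        $1 == "*" { print "unrestricted: " $0; bad = 1 }
        END { exit bad }
    ' "$1"
}

# Write a hardened copy of $1 to $2: every wildcard entry is commented out
# and, if $3 is given, that single host is allowed a direct login window.
harden_xaccess() {
    awk -v allow="$3" '
        { line = $0; sub(/#.*/, "") }       # keep the original text in "line"
        NF > 0 && $1 == "*" { print "#" line "   # disabled: open to any host"; next }
        { print line }
        END { if (allow != "") print allow "   # only this host may request a login window" }
    ' "$1" > "$2"
}

# Check xdm-config ($1) for XDMCP being switched off outright
# (DisplayManager.requestPort set to 0). Returns 0 if disabled, 1 if listening.
xdmcp_disabled() {
    awk '
        /^[[:space:]]*!/ { next }           # xdm-config comments start with "!"
        $1 == "DisplayManager.requestPort:" && $2 == "0" { off = 1 }
        END { exit !off }
    ' "$1"
}

# --- constructed samples resembling the shipped defaults ---
work=$(mktemp -d)                          # left in place so the copies can be inspected
cat > "$work/Xaccess" <<'EOF'
# Xaccess sample, constructed for this example
*                                   #any host can get a login window
*            CHOOSER BROADCAST      #any indirect host can get a chooser
%hostlist    mgmt.example.org
!bad.example.org                    #explicitly refused
EOF
cat > "$work/xdm-config" <<'EOF'
! xdm-config sample, constructed for this example
DisplayManager.requestPort:     177
EOF

harden_xaccess "$work/Xaccess" "$work/Xaccess.hardened" "console.example.org"

audit_xaccess "$work/Xaccess" && echo "no unrestricted entries" || echo "unrestricted entries present in $work/Xaccess"
audit_xaccess "$work/Xaccess.hardened" && echo "hardened copy has no unrestricted entries"
xdmcp_disabled "$work/xdm-config" || echo "XDMCP still listening (requestPort is not 0)"
```

Point it at the real files with `audit_xaccess "$(locate Xaccess | head -1)"` and review the output before replacing anything. Restricting Xaccess to named hosts only narrows who is answered: XDMCP is an unauthenticated UDP service (port 177) and the match is on the requester's host name, so where no remote login window is needed the stronger fix is `DisplayManager.requestPort: 0` in xdm-config, with UDP 177 blocked at the network as well.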
On Thu, Aug 19, Seth R Arnold wrote:
I checked the Xaccess file on a SuSE 6.0 machine near me -- and though I do not know exactly what the thing does, the comments in the file lead me to believe that the poster is correct...
As far as our developer told me, the poster is incorrect. XDM should never allow root to log in over XDMCP connections. I haven't tested it yet, but I hope he will explain it to this list.

Thorsten
check yours! :)
vi `locate Xaccess`
----- Forwarded message from Jochen Bauer <jtb@THEO2.PHYSIK.UNI-STUTTGART.DE> -----
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
Mail-Followup-To: BUGTRAQ@SECURITYFOCUS.COM
X-Mailer: Mutt 0.95.4i
Date: Wed, 18 Aug 1999 12:26:20 +0200
Reply-To: Jochen Bauer <jtb@THEO2.PHYSIK.UNI-STUTTGART.DE>
From: Jochen Bauer <jtb@THEO2.PHYSIK.UNI-STUTTGART.DE>
Subject: XDM Insecurity revisited
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
On Wed, 26 Nov 1997 Eric Augustus (augustus@stic.net) posted a message on BUGTRAQ about the fact that the default Xaccess file allows XDMCP connections from any host. As you know, this can be used to get a login screen on any host and therefore get around access control mechanisms like tcpwrapper and root login restriction to the console.

However, this warning seemed to have little effect, as (at least) Digital Unix 4.0E, SuSE Linux 6.1 and Red Hat Linux 6.0 are still (1.5 years later) shipped with this default Xaccess file. It is somehow ironic that e.g. SuSE now uses tcpwrappers by default on most TCP services in its distribution and describes the use of tcpwrappers in the manual in a special chapter about security, but fails to close (or even mention) that way to circumvent login restrictions.

By the way, if you think that using the cryptographically secured remote management channels with access limited to authorized hosts on your AltaVista Firewall under Digital Unix is the only way of doing remote administration of the firewall, then you should take a close look at your Xaccess file ;-)
--
Jochen Bauer
************************************************************
* Network Security Team                                    *
* Computer Center of the University of Stuttgart           *
* Germany                                                  *
*                                                          *
* Email: jtb@theo2.physik.uni-stuttgart.de                 *
*        jochen.bauer@rus.uni-stuttgart.de                 *
*                                                          *
* PGP Public Key:                                          *
* http://www.theo2.physik.uni-stuttgart.de/jtb.html        *
************************************************************
----- End forwarded message -----
--
Seth Arnold | ICQ 3172483 | http://cswww.willamette.edu/~sarnold/
I prosecute unsolicited bulk emails, using the RealTime BlackHole List. You should too. Ask me how, or visit http://maps.vix.com/rbl/
---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
--
Thorsten Kukuk  http://www.suse.de/~kukuk/  kukuk@suse.de
SuSE GmbH  Schanzaeckerstr. 10  90443 Nuernberg
Linux is like a Vorlon. It is incredibly powerful, gives terse, cryptic answers and has a lot of things going on in the background.