Re: Netscape hole without .Xauthority (fwd)




| Jyri Kaljundi wrote:
| > 
| > There's a huge hole in the Netscape remote control mechanism for the
| > X-Windows based clients.
| > Potential impact : anybody can become any user that uses Netscape on any
| > system without sufficient X security.
| 
| Did you bother to read the spec?  This doesn't matter; if I can
| connect to your X server at all, you have already lost.  The spec
| (at http://home.netscape.com/newsref/std/x-remote.html) contains:

[snip]

This is all true, in a way.

But there is a growing number of applications that contain this kind
of remote execution capability, and whose security is dependent on
Xauth. I believe that X is soon becoming the weakest link in the
security chain.

I guess we don't have to discuss the quality of the 'magic cookie'
RNGs, do we? Not to mention the fact that the cookie is in effect
a password that is perfectly snoopable.

How common are DES-based Xauth schemes? They are not used very
much, as far as I know. And if they are, as in XDM, then again, what
about the RNG?

I guess this is just the distinction between breaking the glass window
in the back of the house and picking up the front door key from
beneath the "Welcome" door mat, but anyway.

-Christian