Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Is _your_ Netscape under remote control
From: espel () clipper ens fr (Roger Espel Llima)
Date: Sat, 25 May 1996 02:11:47 +0200

In short: Netscape can be remote controlled by all users who have access to
someone's X Server.

and if the browsing user has an open X display anyone can then log into
their account. Obviously this would be worse if root was running
Netscape. This could also be used to have an idle netscape visit various
pages of dubious virtue and bookmark them all, then the prankster can
stop by the victim and have a laugh at their expense...

I don't see this as a security problem. If you have access to someone's X
server, that someone's security can easily be compromised. It is possible to
log all keys typed, generate fake keyboard and mouse input, close windows or
just plain quit the X server.

Still, there is a significant gap between sniffing/denial of service and
executing shell commands.  From what I've seen, security-conscious X
clients (such as xterm) have traditionally made sure they ignored
syntetic keyboard events, and didn't provide any kind of shell-capable
remote X interface.

Although un-secured X servers are very much a bad idea, I consider it a
security hole when an X client can be tricked into executing arbitrary
commands via X.

Netscape is a major offender with a documented, easy to use "remote"
interface, but there are others.  GNU Emacs (not XEmacs) will happily
take syntetic (fake) events.

Note that most versions of Netscape are broken in other ways too;
JavaScript code can send email behind your back by filling a hidden form
with action a "mailto:"; and then form.submit()ting it, and several bugs
have been found in Java's bytecode verifier (see the paper at

e-mail: roger.espel.llima () ens fr
WWW & PGP key: http://eleves.ens.fr:8080/home/espel/index.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]