Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

XFree86: xdm flaw; present in kdm

From: chris () FERRET LMH OX AC UK (Chris Evans)
Date: Mon, 19 Jun 2000 23:51:43 +0100

Hi,

Just a minor one this. Discovered during a 5 minute pass of "xdm". I
subsequently discovered "kdm" has copied the xdm core xdmcp code.

I'm posting this because I think Caldera released an advisory, but a
general discussion of the problem did not yet appear on Bugtraq.

Further audit of kdm/xdm encouraged; there's quite a lot of it offering
listening ports to the open internet...

CREDITS
=======

Thanks to Olaf Kirch for assisting looking into this.

SUMMARY [copied from original discovery mail]
=======

xdmcp.c, send_failed()

[...]
static char buf[256];
[...]
    sprintf (buf, "Session %d failed for display %s: %s",
             (int)sessionID, name, reason);

As far as I can tell, "name" could well be an arbitrary host name...

COMMENTS
========

Anyone doing a more thorough audit (I literally did 5 mins) should check
the handling of the various files, e.g. Xauth cookie files. GDM had some
problems/race conditions there.

An audit is probably needed; I hear a couple of distributions ship kdm as
default, and also leave it answering UDP xdmcp requests by default(!)

Cheers
Chris
Previous By Date Next
Previous By Thread Next

Current thread: