5534569 2000-09-30 23:25 /262 lines/ Brevbäraren (som är implementerad i) Python [the mail carrier (which is implemented in) Python]
Recipient: Bugtraq (import) <13015>
Subject: Mandrake 7.1 bypasses Xauthority X session security.
------------------------------------------------------------
From: "Daniel P. Zepeda" <dpz@POBOX.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <00092918312400.20996@rocinante>

-----BEGIN PGP SIGNED MESSAGE-----

Summary:

There is a line in the /etc/X11/Xsession file that bypasses the Xauthority
mechanism, allowing any local user to connect to another local user's X
session.

Fix:

Remove the following line from the /etc/X11/Xsession file and restart X.

/usr/X11R6/bin/xhost + localhost

Full Text:

While trying to figure out why my ~/.Xclients file would not run, I ran
across this line in /etc/X11/Xsession:

# Mandrake-Security : if you remove this comment, remove the next line too.
/usr/X11R6/bin/xhost + localhost

This line adds localhost to the X server's host-based access list, so the
server accepts any connection from the local host without requiring the
cookie from the owner's ~/.Xauthority. In effect the Xauthority mechanism is
bypassed for local connections: anyone logged into the localhost can connect
at will to any X server running on the localhost. IMHO this is a big security
hole. Anyone that can connect to your X server can sniff your keystrokes,
see your program output, etc. This can easily lead to a local root compromise
if the administrator logs in through X, runs "su -" and enters the root
password, since the keystrokes typed into that terminal are visible to every
other client on the server.

This may not be so bad for those that use a single machine for each user and
don't set up logins for other people on that single machine. But for those
of us that have large cycle-server machines on which multiple people are
allowed to log in and run X, this can be a very large hole.

I have not tested every installation route, only "development-expert" and
"server-custom", both with the high-security option turned on. The offending
line is present in the Xsession file on each installation. I suspect that
this line is present in all installation routes.

I also found that the ssh-agent handling is very poor.
The Xsession file never allows the ~/.Xclients file to be run when run under
[xkg]dm. When run under [xkg]dm there is no ability to add new keys to the
agent automatically. Also, Xsession makes assumptions about the version and
usage of SSH that should not be present in the Xsession file, but should be
put in the user's ~/.Xclients file.

I have attached my revised Xsession and ~/.Xclients files. The ~/.Xclients
file should be revised to fit your installation's needs and put in /etc/skel
for future new users. All present users should have the revised ~/.Xclients
file placed in their home directories. Ensure that the ~/.Xclients file is
owned by the user and that its permissions are 0700. I have not thoroughly
tested it in any environment other than our own.

You only have to put in my revised Xsession/Xclients if you want the improved
ssh-agent handling; it is not necessary to close the security hole. All that
is necessary to close the hole is to remove the offending line.

I have not notified the vendor because the fix is very easy to make on your
own. I suspect that they will see this advisory and act accordingly.

Daniel P. Zepeda
Lead Administrator
University of Texas at San Antonio
Computer Science Information Security Laboratory
dpz@pobox.com
Find my public keys at: http://www.cs.utsa.edu/~dzepeda/PublicKeys.html

Start----------------Xsession----------------------
#!/bin/bash -login
# Modification for Linux-Mandrake by Chmouel Boudjnah <chmouel@mandraksoft.com>
# 20000309, Francis Galiegue <fg@mandrakesoft.com>: imwheel -k added for wheel
# mice and braindead-not-supporting-wheel-yet toolkits (this includes Qt...)
#
# Modified to correctly execute a user's .Xclient, .xinitrc etc.
# also corrected usage of ssh-agent. Daniel P.
# Zepeda <dpz@pobox.com>

# redirect errors to a file in user's home directory if we can
for errfile in "$HOME/.xsession-errors" "${TMPDIR-/tmp}/xses-$USER" "/tmp/xses-$USER"
do
    if ( cp /dev/null "$errfile" 2> /dev/null )
    then
        chmod 600 "$errfile"
        exec > "$errfile" 2>&1
        break
    fi
done

# Mandrake default background
xsetroot -solid \#356390

if [ -f /usr/bin/ssh-agent ]; then
    ssh_agent="/usr/bin/ssh-agent"
fi

# Set user's client if present - dpz
userclient=":"
if [ -f "$HOME/.xsession" ]; then
    userclient="$HOME/.xsession"
elif [ -f "$HOME/.Xclients" ]; then
    userclient="$HOME/.Xclients"
elif [ -f "$HOME/.xinitrc" ]; then
    userclient="$HOME/.xinitrc"
fi

# clean up after xbanner
if [ -f /usr/X11R6/bin/freetemp ]; then
    freetemp
fi

userresources=$HOME/.Xresources
userresources2=$HOME/.Xdefaults
sysresources=/etc/X11/Xresources

# merge in defaults and keymaps
if [ -f $sysresources ]; then
    xrdb -merge $sysresources
fi

if [ -f $userresources ]; then
    xrdb -merge $userresources
fi

if [ -f $userresources2 ]; then
    xrdb -merge $userresources2
fi

if [ -x /etc/X11/xinit/fixkeyboard ]; then
    /etc/X11/xinit/fixkeyboard
fi

if [ -z "$BROWSER" ] ; then
    # we need to find a browser on this system
    BROWSER=`which netscape`
    if [ -z "$BROWSER" ] || [ ! -e "$BROWSER" ] ; then
        # not found yet
        BROWSER=
    fi
fi

if [ -z "$BROWSER" ] ; then
    # we need to find a browser on this system
    BROWSER=`which lynx`
    if [ -z "$BROWSER" ] || [ ! \
        -e "$BROWSER" ] ; then
        # not found yet
        BROWSER=
    else
        BROWSER="xterm -font 9x15 -e lynx"
    fi
fi
export BROWSER

if [ -x /usr/sbin/chksession ];then
    LIST=$(/usr/sbin/chksession -l)
else
    LIST="kde Gnome AfterStep Icewm AnotherLevel failsafe"
fi

# run scripts in /etc/X11/xinit.d
for i in /etc/X11/xinit.d/* ; do
    [ -d $i ] && continue
    # Don't run ??foo.{rpmsave,rpmorig,rpmnew} scripts
    [ "${i%.rpmsave}" != "${i}" ] && continue
    [ "${i%.rpmorig}" != "${i}" ] && continue
    [ "${i%.rpmnew}" != "${i}" ] && continue
    if [ -x $i ]; then
        $i &
    fi
done

# now, we see if xdm/gdm/kdm has asked for a specific environment
if [ $# = 1 ]; then
    case $1 in
    failsafe)
        exec $ssh_agent xterm -geometry 80x24-0-0
        ;;
    default)
        ;;
    *)
        exec $ssh_agent /bin/sh -c "$userclient; $(/usr/sbin/chksession -x=$1)"
        ;;
    esac
else
    # otherwise, take default action
    if [ "x$userclient" != "x:" ]; then
        exec $ssh_agent "$userclient"
    fi

    # We may try with chksession
    if [ -x /usr/sbin/chksession ];then
        #get the first available
        SESSION=$(/usr/sbin/chksession -F)
        [ "$SESSIONxxx" != "xxx" ] && exec $ssh_agent sh -c "$(/usr/sbin/chksession -x=$SESSION)"
    fi

    # Argh! Nothing good is installed.
    # Fall back to icewm
    if [ -x /usr/X11R6/bin/icewm-light ];then
        exec $ssh_agent /usr/X11R6/bin/icewm-light
    else
        # gosh, neither fvwm95 nor fvwm2 is available;
        # fall back to failsafe settings
        xclock -geometry 100x100-5+5 &
        xterm -geometry 80x30-50+150 &
        if [ -x /usr/bin/netscape -a -f /usr/doc/HTML/index.html ]; then
            netscape /usr/doc/HTML/index.html &
        fi
        if [ -x /usr/X11R6/bin/icewm-light ];then
            exec $ssh_agent icewm-light
        elif [ -x /usr/X11R6/bin/twm ];then
            exec $ssh_agent twm
        fi
    fi
fi

# otherwise, take default action
if [ "x$userclient" != "x:" ]; then
    exec $ssh_agent "$userclient"
elif [ -x /etc/X11/xinit/Xclients ]; then
    exec $ssh_agent /etc/X11/xinit/Xclients
else
    exec $ssh_agent xsm
fi
End----------------------Xsession--------------------

Start--------------------~/.Xclients--------------------
# ~/.Xclients
# Note that you must *not* put any long running processes in this file
# without putting them in the background with `&'.
# Ensure user ownership of this file. Ensure permissions are 0700

# Add DSA key to ssh-agent
ssh-add ~/.ssh/id_dsa

# Add RSA key to ssh-agent
ssh-add ~/.ssh/identity
End------------------~/.Xclients--------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
MessageID: XkX/tOYQCZlR2RE8YX06hAQW9qHNJzk6

iQA/AwUBOdUmVQwzV1P/qsETEQKEvwCaA0LxJ0EhuTz8RLkGPzL7O9mUTc8AoMXW
EfyiTmBs7dRWtk51sqa3StHa
=Cdav
-----END PGP SIGNATURE-----
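Added example (not part of the signed advisory above, and not code from Daniel Zepeda or Mandrake): a small POSIX sh audit for the "xhost + localhost" hole. It (1) flags an uncommented "xhost +" line in an Xsession-style script, (2) writes a copy with that line commented out, and (3) interprets the output of the xhost command so you can tell whether an already-running X server, started before the file was fixed, still has a whole host whitelisted. The embedded Xsession fragment is constructed for the demo (it mirrors the two lines quoted in the advisory plus lines that must not be flagged), and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the advisory: audit the "xhost + localhost" hole
# both on disk (an Xsession script) and on a running server (xhost output).

# Constructed sample resembling the Mandrake 7.1 /etc/X11/Xsession fragment
# quoted in the advisory. Lines 5 and 6 must NOT be flagged: one is already
# commented out, the other removes a host rather than adding one.
SAMPLE_XSESSION='#!/bin/bash -login
# Mandrake-Security : if you remove this comment, remove the next line too.
/usr/X11R6/bin/xhost + localhost
xsetroot -solid \#356390
# xhost + localhost
xhost -localhost
'

# True (exit 0) if FILE contains an uncommented xhost invocation that adds a
# host ("xhost + localhost", "xhost +localhost") or disables access control
# outright ("xhost +"). Deliberately strict for a hardening audit: every
# "xhost +..." is reported, including the narrower +si:localuser:NAME form.
xsession_opens_access() {
    grep -Eq '^[[:space:]]*([^#[:space:]]*/)?xhost[[:space:]]+[+]' "$1"
}

# Write a copy of IN to OUT with each such line commented out and marked.
# Line numbers stay identical, so "diff IN OUT" shows exactly what changed.
xsession_fix() {
    sed -E 's|^([[:space:]]*)(([^#[:space:]]*/)?xhost[[:space:]]+[+].*)$|\1# removed (Xauthority bypass): \2|' "$1" > "$2"
}

# Reads the output of `xhost` on stdin. True (exit 0) if the running server
# trusts an entire host (INET:, LOCAL:, ... entries) or has access control
# disabled. SI:localuser:NAME entries name one local user and are not counted,
# since they do not let other local users in.
xhost_state_is_open() {
    awk 'BEGIN { open = 0 }
         /^access control disabled/             { open = 1 }
         /^(INET|INET6|LOCAL|DECnet|NIS|Krb5):/ { open = 1 }
         END { exit (open ? 0 : 1) }'
}

# Stand-alone demonstration on the constructed sample.
demo() {
    in=$(mktemp) || return 1
    out=$(mktemp) || return 1
    printf '%s' "$SAMPLE_XSESSION" > "$in"
    if xsession_opens_access "$in"; then
        echo "VULNERABLE: active 'xhost +' line in $in"
        xsession_fix "$in" "$out"
        echo "patched lines:"
        grep -n 'removed (Xauthority bypass)' "$out"
        xsession_opens_access "$out" && echo "fix FAILED" || echo "fixed copy is clean"
    else
        echo "clean: no active 'xhost +' line"
    fi
    rm -f "$in" "$out"
}
demo
```

Usage on a real box: `xsession_opens_access /etc/X11/Xsession` tells you whether the shipped file still carries the line; `xhost | xhost_state_is_open && xhost -localhost` closes the hole in a session that was started before the file was fixed, without restarting X. Re-run `xhost` afterwards and confirm that only the "access control enabled" line (and any SI:localuser entries) remain.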