5534569 2000-09-30 23:25 /262 lines/ The Postman (which is implemented in) Python
Recipient: Bugtraq (import) <13015>
Subject: Mandrake 7.1 bypasses Xauthority X session security.
------------------------------------------------------------
From: "Daniel P. Zepeda" <dpz@POBOX.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <00092918312400.20996@rocinante>
Summary:
There is a line in the /etc/X11/Xsession file that bypasses the
Xauthority mechanism allowing any local user to connect to another
local user's X session.
Fix:
Remove the following line in the /etc/X11/Xsession file and restart X.
/usr/X11R6/bin/xhost + localhost
Full Text:
While trying to figure out why my ~/.Xclients file would not run, I
ran across this line in /etc/X11/Xsession:
# Mandrake-Security : if you remove this comment, remove the next line too.
/usr/X11R6/bin/xhost + localhost
This line disables the Xauthority mechanism on the localhost. Anyone
logged into the localhost can arbitrarily connect to an X server
running on the localhost. IMHO this is a big security hole. Anyone
that can connect to your X server can sniff your keystrokes, see your
program output etc. This can easily lead to local root compromise if
the administrator logged in through X and executed su - and entered
the root password.
This may not be so bad for those that use a single machine for each
user and don't set up logins for other people on that single
machine. But for those of us that have large cycle-server machines
that have multiple people allowed to login and run X, this can be a
very large hole.
I have not tested every installation route, only "development-expert"
and "server-custom" both with the high-security option turned on. The
offending line is present in the Xsession file on each
installation. I suspect that this line is present in all installation
routes.
I also found that the ssh-agent handling is very poor. The Xsession
file does not allow the ~/.Xclients file ever to be run when run
under [xkg]dm. When run under [xkg]dm there is no ability to add new
keys to the agent automatically. Also, Xsession makes assumptions
about the version and usage of SSH that should not be present in the
Xsession file, but should be put in the user's ~/.Xclients file.
I have attached my revised Xsession and ~/.Xclients file. The
~/.Xclients file should be revised to fit your installation's needs
and put in /etc/skel for future new users. All present users should
have the revised ~/.Xclients file placed in their home
directories. Ensure the permissions for the ~/.Xclients file are 0700
and owned by the user. I have not thoroughly tested it in any
environment other than our own.
You only have to put in my revised Xsession/Xclients if you want the
improved ssh-agent handling; it is not necessary to close the
security hole. All that is necessary to close the hole is to remove
the offending line.
I have not notified the vendor because the fix is very easy to make
on your own. I suspect that they will see this advisory and act
accordingly.
Daniel P. Zepeda
Lead Administrator
University of Texas at San Antonio
Computer Science Information Security Laboratory
dpz@pobox.com
Find my public keys at:
http://www.cs.utsa.edu/~dzepeda/PublicKeys.html
Start----------------Xsession----------------------
#!/bin/bash -login
# Modification for Linux-Mandrake by Chmouel Boudjnah <chmouel@mandraksoft.com>
# 20000309, Francis Galiegue <fg@mandrakesoft.com>: imwheel -k added for wheel
# mice and braindead-not-supporting-wheel-yet toolkits (this includes Qt...)
#
# Modified to correctly execute a user's .Xclient, .xinitrc etc.
# also corrected usage of ssh-agent. Daniel P. Zepeda <dpz@pobox.com>

# redirect errors to a file in user's home directory if we can
for errfile in "$HOME/.xsession-errors" "${TMPDIR-/tmp}/xses-$USER" "/tmp/xses-$USER"
do
    if ( cp /dev/null "$errfile" 2> /dev/null )
    then
        chmod 600 "$errfile"
        exec > "$errfile" 2>&1
        break
    fi
done

# Mandrake default background
xsetroot -solid \#356390

# Run the whole session under ssh-agent when it is installed; when it is not,
# $ssh_agent stays empty and the exec lines below simply run the client itself
if [ -f /usr/bin/ssh-agent ]; then
    ssh_agent="/usr/bin/ssh-agent"
fi

# Set user's client if present - dpz
userclient=":"
if [ -f "$HOME/.xsession" ]; then
    userclient="$HOME/.xsession"
elif [ -f "$HOME/.Xclients" ]; then
    userclient="$HOME/.Xclients"
elif [ -f "$HOME/.xinitrc" ]; then
    userclient="$HOME/.xinitrc"
fi

# clean up after xbanner
if [ -f /usr/X11R6/bin/freetemp ]; then
    freetemp
fi

userresources=$HOME/.Xresources
userresources2=$HOME/.Xdefaults
sysresources=/etc/X11/Xresources

# merge in defaults and keymaps
if [ -f $sysresources ]; then
    xrdb -merge $sysresources
fi
if [ -f $userresources ]; then
    xrdb -merge $userresources
fi
if [ -f $userresources2 ]; then
    xrdb -merge $userresources2
fi
if [ -x /etc/X11/xinit/fixkeyboard ]; then
    /etc/X11/xinit/fixkeyboard
fi

if [ -z "$BROWSER" ] ; then
    # we need to find a browser on this system
    BROWSER=`which netscape`
    if [ -z "$BROWSER" ] || [ ! -e "$BROWSER" ] ; then
        # not found yet
        BROWSER=
    fi
fi
if [ -z "$BROWSER" ] ; then
    # still nothing: fall back to lynx inside an xterm
    BROWSER=`which lynx`
    if [ -z "$BROWSER" ] || [ ! -e "$BROWSER" ] ; then
        # not found yet
        BROWSER=
    else
        BROWSER="xterm -font 9x15 -e lynx"
    fi
fi
export BROWSER

if [ -x /usr/sbin/chksession ];then
    LIST=$(/usr/sbin/chksession -l)
else
    LIST="kde Gnome AfterStep Icewm AnotherLevel failsafe"
fi

# run scripts in /etc/X11/xinit.d
for i in /etc/X11/xinit.d/* ; do
    [ -d $i ] && continue
    # Don't run ??foo.{rpmsave,rpmorig,rpmnew} scripts
    [ "${i%.rpmsave}" != "${i}" ] && continue
    [ "${i%.rpmorig}" != "${i}" ] && continue
    [ "${i%.rpmnew}" != "${i}" ] && continue
    if [ -x $i ]; then
        $i &
    fi
done

# now, we see if xdm/gdm/kdm has asked for a specific environment
if [ $# = 1 ]; then
    case $1 in
        failsafe)
            exec $ssh_agent xterm -geometry 80x24-0-0
            ;;
        default)
            ;;
        *)
            # run the user's client first, then the requested session
            exec $ssh_agent /bin/sh -c "$userclient; $(/usr/sbin/chksession -x=$1)"
            ;;
    esac
else
    # otherwise, take default action
    if [ "x$userclient" != "x:" ]; then
        exec $ssh_agent "$userclient"
    fi
    # We may try with chksession
    if [ -x /usr/sbin/chksession ];then
        # get the first available
        SESSION=$(/usr/sbin/chksession -F)
        # braces are required here: "$SESSIONxxx" would expand the (unset)
        # variable SESSIONxxx and this branch would never run
        [ "${SESSION}xxx" != "xxx" ] && exec $ssh_agent sh -c "$(/usr/sbin/chksession -x=$SESSION)"
    fi
    # Argh! Nothing good is installed. Fall back to icewm
    if [ -x /usr/X11R6/bin/icewm-light ];then
        exec $ssh_agent /usr/X11R6/bin/icewm-light
    else
        # gosh, not even icewm-light is available;
        # fall back to failsafe settings
        xclock -geometry 100x100-5+5 &
        xterm -geometry 80x30-50+150 &
        if [ -x /usr/bin/netscape -a -f /usr/doc/HTML/index.html ]; then
            netscape /usr/doc/HTML/index.html &
        fi
        if [ -x /usr/X11R6/bin/twm ];then
            exec $ssh_agent twm
        fi
    fi
fi

# reached only for the "default" session request: take default action
if [ "x$userclient" != "x:" ]; then
    exec $ssh_agent "$userclient"
elif [ -x /etc/X11/xinit/Xclients ]; then
    exec $ssh_agent /etc/X11/xinit/Xclients
else
    exec $ssh_agent xsm
fi
End----------------------Xsession--------------------
Start--------------------~/.Xclients--------------------
# ~/.Xclients
# Note that you must *not* put any long running processes in this file
# without putting them in the background with `&'.
# Ensure user ownership of this file. Ensure permissions are 0700
# Add DSA key to ssh-agent
ssh-add ~/.ssh/id_dsa
# Add RSA key to ssh-agent
ssh-add ~/.ssh/identity
End------------------~/.Xclients--------------------------
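An added audit helper, not part of the advisory and not one of Mandrake's scripts: it scans an X session script for active, uncommented `xhost +` lines like the one quoted above and reports them, so a set of machines can be checked for the hole before and after the line is removed. The sample file it builds is constructed here to mirror the Mandrake 7.1 lines; `audit_xhost` and `make_sample` are assumed names.

```shell
#!/bin/sh
# Added audit helper (not from the advisory or from Mandrake): find active,
# uncommented "xhost +" lines in an X session script. Each one tells the X
# server to skip the Xauthority check for the named host (or for every host
# when no name follows), which is exactly the hole the advisory describes.
#
# audit_xhost FILE -> prints "lineno:text" per hit; exit 1 if any hit,
#                     0 if the file is clean, 2 if the file cannot be read.
audit_xhost() {
    # Leading whitespace, an optional path prefix (e.g. /usr/X11R6/bin/),
    # "xhost", whitespace, then a literal "+". A leading "#" cannot be part
    # of the prefix, so commented-out copies of the line are ignored.
    hits=$(grep -n -E '^[[:space:]]*([^#[:space:]]*/)?xhost[[:space:]]+[+]' "$1")
    case $? in
        0) printf '%s\n' "$hits"; return 1 ;;
        1) return 0 ;;
        *) return 2 ;;
    esac
}

# Constructed sample modelled on the Mandrake 7.1 Xsession lines quoted in the
# advisory, plus a commented-out copy that must not be reported.
make_sample() {
    f=$(mktemp) || return 2
    cat > "$f" <<'EOF'
#!/bin/bash -login
# Mandrake-Security : if you remove this comment, remove the next line too.
/usr/X11R6/bin/xhost + localhost
# /usr/X11R6/bin/xhost + localhost
xsetroot -solid \#356390
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: audit the constructed sample, then the real script if present.
sample=$(make_sample)
audit_xhost "$sample" && echo "$sample: clean" \
    || echo "$sample: xhost + is active; remove the line and restart X"
rm -f "$sample"
if [ -r /etc/X11/Xsession ]; then
    audit_xhost /etc/X11/Xsession && echo "/etc/X11/Xsession: clean" || :
fi
```

The pattern only recognises a line that starts with the xhost command (optionally with its path); a copy hidden behind `exec` or inside another shell construct needs a manual read.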