SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Xhost Vendors:   [Multiple Authors/Vendors]
OpenBSD's Xhost Access Control Utility for X Servers May Not Properly Restrict Access
SecurityTracker Alert ID:  1002245
SecurityTracker URL:  http://securitytracker.com/id/1002245
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 24 2001
Impact:   Host/resource access via network
Exploit Included:  Yes  

Description:   A vulnerability was reported in OpenBSD's xhost X-windows access control program. The hole allows remote users to access X server resources when they should be blocked by xhost.

It is reported that xhost does not run properly under OpenBSD 2.8 and may allow access when it is configured to deny access to a remote system.

To test your system for the vulnerability, the following steps can reportedly be used:

1. Setup one system running a X server with "xhost -" running and lets
label it "System A".

2. And now for "System B" do the following:

sys_b# echo "Vulnerable" >> /tmp/vuln
sys_b# export DISPLAY=ip of System A:0.0
sys_b# xmessage -file /tmp/vuln &

If the "Vulnerable" flashes on the System A X server, the xhost is vulnerable.

Impact:   A remote user may be able to access a remote X server.
Solution:   No solution was available at the time of this entry.
Cause:   Access control error
Underlying OS:  UNIX (OpenBSD)
Underlying OS Comments:  OpenBSD 2.8

Message History:   None.


 Source Message Contents

Subject:  OpenBSD 2.8 "xhost" filter bug


OpenBSD 2.8 "xhost" filter bug
-------------------------------
Discovered by: Teknophreak of malloc()
--------------

e-mail: tek@mallochackers.com , tek@hackerofmalloc.com


"xhost" is a access control program for X servers. 
Which allows a person to control who can access an X server remotely.
Well a bug exist in "xhost" under OpenBSD 2.8 ( and possibly others )
that may allow any attacker to gain access to the X server even when 
"xhost" filtering is used.
It seems that "xhost" doesn't run properly under OpenBSD 2.8.



Testing if your system is vulnerable:
-------------------------------------

1. Setup one system running a X server with "xhost -" running and lets
label it "System A".

2. And now for "System B" do the following:

sys_b# echo "Vulnerable" >> /tmp/vuln
sys_b# export DISPLAY=ip of System A:0.0
sys_b# xmessage -file /tmp/vuln &

Now if you see the message "Vulnerable" flash on your System A's X server
That you have a vulnerable system.



Quick Fix:
----------

If you insist on running an X server than 
firewall port 6000.












 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC