SecurityTracker.com
SecurityTracker Archives

Category:   Application (Generic)  >   X Display Manager Control Protocol (XDMCP) Vendors:   [Multiple Authors/Vendors]
X Display Manager Control Protocol (XDMCP) Default Configuration Lets Remote Users Determine Valid User Names on the System and Gain Access to a Remote Console Login Screen
SecurityTracker Alert ID:  1003832
SecurityTracker URL:  http://securitytracker.com/id/1003832
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 15 2002
Impact:   Disclosure of system information, Host/resource access via network
Fix Available:  Yes  Exploit Included:  Yes  

Description:   ProCheckUp issued a security advisory for the X Display Manager Control Protocol (XDMCP) implementation on several Linux and UNIX operating systems. A remote user can gain access to a login screen and can view valid user names on the system.

It is reported that the default configuration of XDMCP on some operating systems allows remote users to gain access to a graphical login screen from any remote host.

On Mandrake Linux, the screen reportedly allows root logins and displays the available valid user names before the user authenticates. On Solaris, it is reported that root logins are not permitted.

A remote user can obtain a remote console with the following command:

X :2 -query IPADDRESS

ProCheckUp states that this vulnerability has existed for many years.

It is reported that RedHat 7.2 is not affected. The other systems tested by ProCheckUp were Mandrake Linux and Sun Solaris. No other systems were tested.

Impact:   A remote user can gain access to a remote console login screen. A remote user can determine valid user account names on the system.
Solution:   No vendor solution was available at the time of this entry.

The author of the report has provided the following fix:

Disable remote connections (see below).
Filter port 177 UDP. On some versions of Sun Solaris the XDMCP protocol also appears on ports around 32000.

LINUX
1. Login as root.
2. Open /etc/X11/kdm/Xaccess in an editor.
3. Comment out the following two lines by adding "#" (without quotes) to the beginning of each line:

   *                                       #any host can get a login window
   *               CHOOSER BROADCAST       #any indirect host can get a chooser

4. Save your changes, and then close the file.


SOLARIS
1. Login as root.
2. Open /etc/dt/config/Xaccess or /usr/dt/config/Xaccess in an editor.
3. Comment out the following two lines by adding "#" (without quotes) to the beginning of each line:

   *                                       #any host can get a login window
   *               CHOOSER BROADCAST       #any indirect host can get a chooser

4. Save your changes, and then close the file.
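The following POSIX shell script is an added example; it is not part of the SecurityTracker entry or of the ProCheckUp bulletin quoted below, which repeats the same Linux and Solaris steps. It automates step 3 of both procedures: it counts the uncommented Xaccess entries whose host pattern is the bare wildcard "*" (the entries that hand a login window or chooser to any host) and comments them out while leaving comments, blank lines and restricted patterns untouched. The function names, the sample file contents and the "*.example.internal" pattern are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): audit an Xaccess file for
# unrestricted entries and comment them out, as the advisory's fix does.

# Count uncommented entries whose host pattern is the bare wildcard "*",
# i.e. the entries that let any host obtain a login window or a chooser.
count_open_entries() {
    awk '
        /^[[:space:]]*#/ { next }          # skip comment lines
        /^[[:space:]]*$/ { next }          # skip blank lines
        $1 == "*"        { n++ }           # bare wildcard = any host
        END { print n + 0 }
    ' "$1"
}

# Comment out every bare-wildcard entry in place. Other entries (explicit
# hosts, domain patterns such as *.example.internal, negations) and
# existing comments are copied through unchanged.
harden_xaccess() {
    tmp="$1.tmp.$$"
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }
        $1 == "*"                           { print "#" $0; next }
                                            { print }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Constructed sample file: the two default entries the advisory tells you
# to comment out, plus one restricted entry that must survive hardening.
make_sample() {
    cat > "$1" <<'EOF'
# Sample Xaccess (constructed for this example)
*                                       #any host can get a login window
*               CHOOSER BROADCAST       #any indirect host can get a chooser
*.example.internal      NOBROADCAST     #only our own workstations (keep)
EOF
}

# Run with --demo to see the before/after on the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    make_sample "$f"
    echo "open entries before: $(count_open_entries "$f")"
    harden_xaccess "$f"
    echo "open entries after:  $(count_open_entries "$f")"
    cat "$f"
    rm -f "$f"
fi
```

Point harden_xaccess at the real file from step 2 (/etc/X11/kdm/Xaccess on the Linux system, /etc/dt/config/Xaccess or /usr/dt/config/Xaccess on Solaris) after taking a backup; count_open_entries is the check to re-run afterwards and to keep in a periodic audit. The script only closes the Xaccess side of the fix; the advisory's other measure, filtering UDP port 177 (and the nearby ports some Solaris versions use) at the network boundary, still applies.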

Cause:   Access control error, Configuration error
Underlying OS:  Linux (Any), UNIX (Solaris - SunOS)
Underlying OS Comments:  Mandrake 8.0, Solaris 2.6 (intel and sparc), and Solaris 7 (sparc); Solaris 8 not tested but believed to be vulnerable

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Mandrake Issues Fix) X Display Manager Control Protocol (XDMCP) Default Configuration Lets Remote Users Determine Valid User Names on the System and Gain Access to a Remote Console Login Screen
The vendor has released a fix.



 Source Message Contents

Subject:  ProCheckUp Security Bulletin PR02-08


Vulnerabilities discovered by ProCheckUp

The vulnerabilities detailed below were all discovered using our
revolutionary ProCheckNet technology. 

15th March 2002:
ProCheckUp Security Bulletin PR02-08

CERT: VU#10968 
Description: Popular Unix OSes allow, by default, XDMCP (X Display Manager
Control Protocol) connections from any host.

Date: 28/02/2002
Date Public: 15/03/2002
Vulnerable OS:

Linux Mandrake versions 8.0.
Solaris 2.6 (intel).
Solaris 2.6 Sparc, Solaris 7 Sparc.
Strongly suspect that Solaris 8 is also vulnerable but not completely
tested.

Non Vulnerable OS: 

RedHat 7.2

Platform: Solaris/Linux/Unix
Severity: Anonymous attackers can obtain a graphical display, obtain a
list of users, shutdown a machine and possibly gain remote control.
Author: Richard Brain 
Vendor Status: 
CVE Candidate: Not assigned 

Reference: www.procheckup.com/security_info/vuln_pr0208.html

Description:

The default configuration of XDMCP in Linux Mandrake and Solaris gives
remote attackers access to a graphical login screen from a remote
system. It uses the X Display Manager Control Protocol (XDMCP), which
has been configured to accept XDMCP connections from all remote hosts,
allowing an attacker to access the login screen from any host to
retrieve sensitive information.

Despite being UDP based, we have found remote console XDMCP connections
across the Internet to be stable; ProCheckNet has found that a significant
number of our customers' machines are vulnerable.

We have tested the vulnerability on Solaris, Linux-Mandrake and Redhat.

Linux-Mandrake is the most insecure, as it allowed root login and also
displayed with icons the user names available on the system prior to
authentication.
Solaris refused 'root' login; however, users other than root were still
able to gain access.

An attacker simply issues the command "X :2 -query IPADDRESS" to obtain
a remote console. Custom display resolution settings and color depth
may also be needed to connect to Sun workstations.

Consequences: 

Remote control of system.

Comment:

Although this vulnerability has been possible for many years, it has
never been discovered because of the human assumptions made about
hardware, software and the possibilities of hacking them. Standard
scanners would not have found it because of the linear way they function
and because it is not a published vulnerability; human intelligence has
flirted with it but did not go all the way due to the preconceptions
regarding other protocols and existing methods of attack (DoS etc.). The
artificial intelligence of ProCheckUp and its tools' "protocol specialists"
discovered it simply because it was there.

ProCheckUp was able to find this vulnerability because of the unique way
it identifies the environment and explores for open services and
responses. Then it will formulate an attack customised to that
environment.  In this case it engaged the XDMCP connection and tried
many permutations of conversation with it. The end result was a remote
connection being offered that could enable an attacker to log on, via
ROOT on certain platforms, and start, stop or disrupt services.

Platforms Affected:

Linux Mandrake versions 8.0.
Solaris 2.6 (intel).
Solaris 2.6 Sparc, Solaris 7 Sparc.

Solution/Fix: 

Disable remote connections (see below).
Filter port 177 UDP. On some versions of Sun Solaris the XDMCP protocol
also appears on ports around 32000.

LINUX
1. Login as root.
2. Open /etc/X11/kdm/Xaccess in an editor.
3. Comment out the following two lines by adding "#" (without quotes)
to the beginning of each line:

   *                                       #any host can get a login window
   *               CHOOSER BROADCAST       #any indirect host can get a chooser

4. Save your changes, and then close the file.


SOLARIS
1. Login as root.
2. Open /etc/dt/config/Xaccess or /usr/dt/config/Xaccess in an editor.
3. Comment out the following two lines by adding "#" (without quotes)
to the beginning of each line:

   *                                       #any host can get a login window
   *               CHOOSER BROADCAST       #any indirect host can get a chooser

4. Save your changes, and then close the file.


References: 

Caldera Systems, Inc. Security Advisory CSSA-1999-021.0, "kdm allows
connections from any host" at
http://www.calderasystems.com/support/security/advisories/CSSA-1999-021.0.txt

Standards associated with this entry: 

BID-1446: Caldera kdm XDMCP Access Control Vulnerability

CVE-2000-0374: The default configuration of kdm in Caldera Linux allows
XDMCP connections from any host, which allows remote attackers to obtain
sensitive information or bypass additional access restrictions.

Legal: 

Copyright 2002 ProCheckUp Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the
Internet community for the purpose of alerting them to problems, if and
only if, the Bulletin is not edited or changed in any way, is attributed
to ProCheckUp, and provided such reproduction and/or distribution is
performed for non-commercial purposes.

Any other use of this information is prohibited. ProCheckUp is not
liable for any misuse of this information by any third party.

Copyright 2019, SecurityGlobal.net LLC