1995-09-29 - Re: Netscape hole without .Xauthority (fwd)

Header Data

From: “Josh M. Osborne” <stripes@va.pubnix.com>
To: Jyri Kaljundi <jk@digit.ee>
Message Hash: c5ddc8a81c01188db2f904230a1a212c265d287ee539368a4564cb3543d45589
Message ID: <MAA03656.199509291639@garotte.va.pubnix.com>
Reply To: <Pine.3.89.9509291503.A1295-0100000@jamarillo>
UTC Datetime: 1995-09-29 16:42:39 UTC
Raw Date: Fri, 29 Sep 95 09:42:39 PDT

Raw message

From: "Josh M. Osborne" <stripes@va.pubnix.com>
Date: Fri, 29 Sep 95 09:42:39 PDT
To: Jyri Kaljundi <jk@digit.ee>
Subject: Re: Netscape hole without .Xauthority (fwd)
In-Reply-To: <Pine.3.89.9509291503.A1295-0100000@jamarillo>
Message-ID: <MAA03656.199509291639@garotte.va.pubnix.com>
MIME-Version: 1.0
Content-Type: text/plain


In message <Pine.3.89.9509291503.A1295-0100000@jamarillo>, Jyri Kaljundi writes
:
[...]
>There's a huge hole in the Netscape remote control mechanism for the
>X-Windows based clients.=20
>Potential impact : anybody can become any user that uses Netscape on any
>system without sufficient X security.
[...]
>PS: WHY do they bother with PGP and RSA security when they keep such holes =
>????

Well, I would susspect that because if your X server isn't "secure" there
isn't much you can do that is.

Other then xterm, most X programs will respond to "synthetic" events
(events gennerated by another programs as opposed to the user), this
means with a little work anyone with access to the X server could
click open the File menu, select "Open URL", type in a URL, press "Open",
click "SaveAs", and so on.

Even if all X clients stoped listening to synthetic events (which would
be a shame - since they are useful in various contexts) X's event
structure allows multiple X cleints to lissten for tthe same events on
the same windows, so a simple program could track all keystrokes and
capature your passwords.

Failing all of that any X client could track ownership of the X selection
(the "cut buffer" normally used to hold text), and when it looks like a
Unix command (implying that you will be pasting it into the command line)
assert ownership of the selection itself and put in "^X^U^H;rm -rf ~/*"
followed by a carrage return.

That's just off the top of my head ('tho I admit I have written two of
the three "exploits" while I was a sysadmin 4 years ago in an effort
to convinse my managers to mandate better security then "xhost +"...).

So saying "Netscape isn't secure when my X server isn't" is alot like
saying "When I leave the front door of my house unlocked my VCR isn't
safe!".
-- 
Not speaking for my employer, or anyone other then myself.





Thread