1995-10-04 - Re: Netscape hole without .Xauthority (fwd)

Header Data

From: Christian Wettergren <cwe@it.kth.se>
To: Jamie Zawinski <jwz@netscape.com>
Message Hash: 68bb77d0873d75ddec8362672a61425916a7d48677a2fe96c6cf593ad98bb26b
Message ID: <199510041102.MAA17689@piraya.electrum.kth.se>
Reply To: <306C804A.3CE1CFB@netscape.com>
UTC Datetime: 1995-10-04 11:06:47 UTC
Raw Date: Wed, 4 Oct 95 04:06:47 PDT

Raw message

From: Christian Wettergren <cwe@it.kth.se>
Date: Wed, 4 Oct 95 04:06:47 PDT
To: Jamie Zawinski <jwz@netscape.com>
Subject: Re: Netscape hole without .Xauthority (fwd)
In-Reply-To: <306C804A.3CE1CFB@netscape.com>
Message-ID: <199510041102.MAA17689@piraya.electrum.kth.se>
MIME-Version: 1.0
Content-Type: text/plain

| Jyri Kaljundi wrote:
| > 
| > There's a huge hole in the Netscape remote control mechanism for the
| > X-Windows based clients.
| > Potential impact : anybody can become any user that uses Netscape on any
| > system without sufficient X security.
| 
| Did you bother to read the spec?  This doesn't matter; if I can
| connect to your X server at all, you have already lost.  The spec
| (at http://home.netscape.com/newsref/std/x-remote.html) contains:

[snip]

This is all true, in a way.

But there is a growing number of applications that contain this kind
of remote execution capability, and whose security is dependent on
Xauth. I believe that X is soon becoming the weakest link in the
security chain.

I guess we don't have to discuss the quality of the 'magic cookie'
RNG's, do we? Not to mention the fact that the cookie is in effect
a password that is perfectly snoopable.

How common are DES-based Xauth schemes? They are not used very
much, as far as I know. And if they are, as in XDM, then again, what
about the RNG?

I guess this is just the distinction between breaking the glass window
in the back of the house and picking up the front door key from
beneath the "Welcome" door mat, but anyway.

-Christian
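Added example, not part of the original message or of any Netscape or X.Org code: a small audit script that parses the binary .Xauthority file format and reports, per display, whether the entry relies on the cleartext magic cookie the message warns about or on the DES-based XDM scheme. The hostname, address and cookie bytes in the sample are constructed.

```python
import struct
# Following the message above: MIT-MAGIC-COOKIE-1 sends the cookie in the clear at
# connection setup (a snoopable password); XDM-AUTHORIZATION-1 is the DES-based scheme.
CLEARTEXT = {"MIT-MAGIC-COOKIE-1"}
DES_BASED = {"XDM-AUTHORIZATION-1"}

def _field(buf, pos):
    """Read one 16-bit big-endian length-prefixed field; return (bytes, next_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    if pos + 2 + n > len(buf):
        raise ValueError("truncated .Xauthority entry")
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_xauthority(buf):
    """Parse the binary .Xauthority format: family u16, then four length-prefixed fields."""
    entries, pos = [], 0
    while pos < len(buf):
        (family,) = struct.unpack_from(">H", buf, pos)
        address, pos = _field(buf, pos + 2)
        number, pos = _field(buf, pos)
        name, pos = _field(buf, pos)
        data, pos = _field(buf, pos)
        entries.append({"family": family, "address": address,
                        "display": number.decode("ascii", "replace"),
                        "protocol": name.decode("ascii", "replace"), "data": data})
    return entries

def audit(entries):
    """Return one (display, verdict) pair per entry, as a defender would read it."""
    out = []
    for e in entries:
        if e["protocol"] in CLEARTEXT:
            verdict = "cleartext cookie: readable by anyone who can see the first packet"
        elif e["protocol"] in DES_BASED:
            verdict = "DES-based: key stays off the wire; strength rests on the generator"
        else:
            verdict = "unknown scheme " + e["protocol"]
        out.append(("%d:%s" % (e["family"], e["display"]), verdict))
    return out

def encode_entry(family, address, number, name, data):
    """Inverse of the parser; used here only to build the constructed sample below."""
    f = lambda b: struct.pack(">H", len(b)) + b
    return struct.pack(">H", family) + f(address) + f(number) + f(name) + f(data)

# Constructed sample, not a real file: :0 on a local host (family 256) with a magic
# cookie, and :1 on an IPv4 host (family 0) with the DES scheme.
SAMPLE = (encode_entry(256, b"piraya", b"0", b"MIT-MAGIC-COOKIE-1", bytes(range(16)))
          + encode_entry(0, bytes([10, 0, 0, 5]), b"1", b"XDM-AUTHORIZATION-1", bytes(16)))
```

Run `audit(parse_xauthority(open(path, "rb").read()))` against a real file to see which displays still depend on a cookie that travels in the clear.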