[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list]
Date: Wed, 5 Mar 2008 10:19:09 +0100
From: Tomas Hoger <thoger@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: request CVE id: insecure handling of DISPLAY in
rxvt
On Tue, 4 Mar 2008 22:34:10 +0000 Steve Kemp <steve@...ve.org.uk> wrote:
> The idea is that if you typically connect to a host with display
> forwarding you'll be used to running rxvt and having the resulting
> application display locally.
>
> However if you forget to enable display forwarding then run
> RXVT it will connect to :1, rather than complain there is no
> DISPLAY set and abort. That *could* allow a malicious local
> server to steal keyboard, & etc.
>
> However I have a hard time seeing this in practise. It would
> mean that locally you couldn't trust root - since it would take
> a local root user to setup the fake X11 server on :1..
I don't think you need root privileges to take advantage of this...
Let's assume shared box where users ssh -X and run some X programs,
e.g. rxvt. Let's assume unprivileged user can start local X session
which will be DISPLAY=:0 and do xhost + to allow connections from other
users to her display (maybe Xvnc can be used instead of local X session
too). Now she just have to wait for some other user to ssh without X
forwarding and start rxvt on her display.
Yes, many assumptions and ifs, but still silently assuming DISPLAY=:0
when no DISPLAY is set does not sound like a safe default.
Just my 2c.
--
Tomas Hoger
Red Hat Security Response Team
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Hosted by DataForce ISP -
Powered by Openwall GNU/*/Linux