Openwall Project   /home  Owl  JtR  Pro  crypt  pam_passwdqc  tcb  phpass  scanlogd  popa3d  msulogin  /  Linux  BIND  /  advisories  presentations  /  services  donations  /  wordlists  passwords  /  news  community  lists  wiki  CVSweb  mirrors  signatures
bringing security into open environments
 
Password Recovery Resources on the Net
[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list] 
Date: Wed, 05 Mar 2008 09:42:59 +0100
From: Matthieu Herrb <matthieu.herrb@...s.fr>
To: oss-security@...ts.openwall.com
Subject: Re: request CVE id: insecure handling of DISPLAY in
 rxvt

Nico Golde wrote:
> Hi all,
> Steve, can I get a CVE id for the following issue in rxvt?
> 
> "If the DISPLAY environment is not set, rxvt opens an xterm 
> on :0, which on some headless login-server means anyone can setup 
> an fake X server waiting for someone loggin in without X 
> forwarding to start rxvt by some mistake or by some program (thus 
> without even noticing) and getting full shell access to that other 
> account."
> 
> This is Debian bug 469296[0].
> 
> It should be a good idea to check other terminal emulators 
> as well.
> 
> [0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=469296
> 

I don't understand how that's an issue with rxvt. If you "fix" the 
terminal emulator not to that, yo can still run rxvt -display :0 or env 
DISPLAY=:0 rxvt.

But then  I also don't understant what you mean by "setup an fake X 
server waiting for someone loggin in..."

Could you describe the attack scenario in  a bit more details?
-- 
Matthieu Herrb

[ CONTENT OF TYPE application/x-pkcs7-signature SKIPPED ]

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux