Brief description: Attackers can guess the authentication key to access another user's X window session.
Full description: X Windows authenticates clients either by the host they connect from (the "xhost mechanism") or by requiring them to supply a hash ("cookie") known only to the X Windows server and to its clients, whether they run locally or run remotely and have been told the cookie. If another process on a remote machine can guess the cookie, or read the file on the server containing the cookie, it obtains full access and can read the screen or run its own programs on the server. If the X Window System session manager xdm is compiled to use the protocol MIT-MAGIC-COOKIE-1 but not the protocol XDM-AUTHORIZATION-1, the cookies are cryptographically weak and can be predicted.
Components: X11 R6.0 patchlevel 12 and below; XFree86 version 3.1.1 and below. X11 R6.0 patchlevel 13 and X11 R6.1 and above are known not to be vulnerable.
Systems: any running X11
Effect(s) of exploiting: The attacker gets full user access to the X windows session.
Detecting the hole:
Fixing the hole:
Other information:
httpd
PA Classification(s):
RISOS Classification(s):
DCS Classification(s):
CVE Number: CAN-1999-0241 -- Guessable magic cookies in X Windows allows remote attackers to execute commands, e.g. through xterm.
Attack:
Advisories: ISS X-Force database entry http-xguess-cookie; CIAC Information Bulletin G-04, X Authentication Vulnerability, and CERT Vendor-Initiated Bulletin VB-95:08, X Authentication Vulnerability, both cite a bulletin from the X Consortium.
Related Vulnerabilities:
Reporting: Chris Hall, University of Colorado, in X Consortium bulletin (Oct. 1995)
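The full description names two conditions an administrator can check on the cookie file itself: whether other users can read it, and whether a display offers MIT-MAGIC-COOKIE-1 without XDM-AUTHORIZATION-1. The following is an added example, not part of the original record or of any X11 distribution; it assumes the standard binary authority-file layout (a 16-bit family followed by four length-prefixed fields), and the sample entries and the host name hostA are constructed.

```python
import stat
import struct

FAMILY_LOCAL = 256  # FamilyLocal value used in the constructed sample entries

def _counted(blob, pos):
    """Read one big-endian u16 length-prefixed field; return (bytes, new_pos)."""
    if pos + 2 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">H", blob, pos)
    end = pos + 2 + n
    if end > len(blob):
        raise ValueError("truncated field body")
    return blob[pos + 2:end], end

def parse_xauthority(blob):
    """Return (address, display, protocol) per entry; cookie bytes are discarded."""
    entries, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated family field")
        pos += 2  # skip the 16-bit address family
        fields = []
        for _ in range(4):  # address, display number, protocol name, auth data
            field, pos = _counted(blob, pos)
            fields.append(field.decode("latin-1"))
        entries.append((fields[0], fields[1], fields[2]))
    return entries

def audit(blob, mode):
    """Report the two conditions from the description. Whether a cookie is
    actually predictable depends on the xdm version, which this cannot see."""
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("authority file is readable by group or other")
    by_display = {}
    for addr, disp, proto in parse_xauthority(blob):
        by_display.setdefault((addr, disp), set()).add(proto)
    for (addr, disp), protos in sorted(by_display.items()):
        if "MIT-MAGIC-COOKIE-1" in protos and "XDM-AUTHORIZATION-1" not in protos:
            findings.append(f"{addr}:{disp} offers only MIT-MAGIC-COOKIE-1")
    return findings

def _entry(addr, disp, name, data):  # builds one constructed record
    fields = b"".join(struct.pack(">H", len(f)) + f for f in (addr, disp, name, data))
    return struct.pack(">H", FAMILY_LOCAL) + fields

SAMPLE = (_entry(b"hostA", b"0", b"MIT-MAGIC-COOKIE-1", bytes(16))   # constructed
          + _entry(b"hostA", b"1", b"MIT-MAGIC-COOKIE-1", bytes(16))
          + _entry(b"hostA", b"1", b"XDM-AUTHORIZATION-1", bytes(16)))
```

To check a real file, pass its bytes and the `st_mode` from `os.stat` to `audit`.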