IRIX stupid xhost + default

Summary
Description:For X sessions, IRIX (I think up to 6.3) by default gives global access (ie xhost +). Duh. Of course this fits in very well with their default non-passworded guest account and their security-filled default crontab (see those other exploit entries for more information).
Author:Well known, but Matt Harrigan <matth@CONNECTNET.COM> posted interesting comments on exploiting the hole to someone who mentioned the problem.
Compromise:Take over an X session
Vulnerable Systems:IRIX, up to 6.3 I believe, using default IRIX default X access permissions.
Date:19 May 1997
Details


Date: Mon, 19 May 1997 10:19:07 -0700
From: Matt Harrigan <matth@CONNECTNET.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Reminder for irix ppl/xevents

> The following has been used, abused, and exploited like mad, however a
> little reminder may not hurt.  In the default setup for irix boxes, xhost
> is set to global access whenever someone logs in on console (or invokes
> xdm).  There may be some good reason for this default behavior, however
> it's often a nuissance in situations where one is around a lot of immature
> ppl just waiting to xdisplay '/usr/bin/X11/endsession -f' to your console.

On a far more unhappy note, ending your session is probably the nicest
thing they could do. If someone has access to your X display, they
also have control of the resource database for your session, which
contains all of the attributes assigned to that session. One of these
attributes (AllowSendEvents), controls the receiving of events from
a process foreign to the current event in question. I.E., when a window
is created, it reads information from RESOURCE_MANAGER and
SCREEN_RESOURCES via xrdb, which contains these attributes (like
AllowSendEvents). Unfortunately, when someone has r/w access to your
display, they have r/w access to the database, and therefore, all
of your attributes. All one needs to do at this point is
manually utilize xrdb retrieve a copy of the database, modify
AllowSendEvents: true, reupload the database, and wait for
a user to launch another xterm (so the new attributes can take
effect). It is then trivial to write an xevent interjection tool,
to send "xterm -display IAMAMEANMANONAMEANHOST:0.0" to the window
based on window id, which can also be easily retrieved from the server.
Obviously, the command will be executed as whatever user the session
belongs to, and im sure quite a few of us log onto the console as root.





Matt Harrigan
CIO, Microcosm Computer Resources
matth@mcr.com
415-333-1062

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault