MLUG: [MLUG] FW: [unisog] Windows machines being compromised through X software

> -----Original Message-----
> From: EMAIL:PROTECTED 
> [mailto:EMAIL:PROTECTED] On Behalf Of Karen A Swanberg
> Sent: Tuesday, October 05, 2004 4:03 PM
> To: EMAIL:PROTECTED
> Subject: [unisog] Windows machines being compromised through 
> X software
> 
> 
> It has come to our attention that some University IP space 
> has recently been scanned for TCP port 6000, used to serve up 
> X-sessions. We have reason to believe that many WINDOWS 
> computers running various X software (Xwin32, eXceed, and 
> others) are being compromised by having the equivalent of 
> "xhost +" set.
> 
> Nature of the Problem:
> http://www.kb.cert.org/vuls/id/704969
> 
> With X software configured like this, anyone anywhere in the 
> world can do anything they like to the display.  This 
> includes taking a snapshot of the screen or grabbing all 
> keystrokes on the keyboard.
> 
> X, when run with access permissions disabled (e.g., in "xhost 
> +" mode) will happily provide access to Xevent queues to 
> anyone who requests it.
> Since X events include keystrokes, window resizing and 
> (re)drawing, mouse movements, etc. (pretty much any user 
> interaction that comes to mind), it's *TRIVIAL* to do things 
> like take screen snapshots, move or resize windows, grab 
> keystrokes, etc. We have positive evidence from other 
> Universities that keystrokes *are* being captured.
> 
> eXceed and Xwin-32's default permissions are wide open, and 
> others are fairly easy to configure that way. As the world of 
> Windows is somewhat different from Unix with respect to X, it 
> is highly likely that many users don't realize the danger an 
> open X server poses.
> 
> What we've found works well is using PuTTY with X11 
> Forwarding enabled to connect to the remote system and then 
> firing up X-Win32 in a local-only mode (only accepting X 
> connections from the localhost).
> 
> Purdue's page on tunneling X over SSH:
> https://engineering.purdue.edu/ECN/Resources/KnowledgeBase/Docs/20030911153510
> 
> UIC's pages on tunneling X over SSH with Exceed:
> http://www.uic.edu/depts/accc/software/exceed/sshexceed.html
> http://www.uic.edu/depts/accc/software/exceed/exceed.html
> 
> Some hints on how to find open Xservers in your address space:
> 
>   nmap -sS -p6000 -oG output X.X.X.X/YY
> 
> The Nessus plugin that can scan for this vulnerability is 10407 (X.nasl)
> 
> Other relevant links:
> http://www-2.cs.cmu.edu/~help/security/xserver_security.html
> 
> 
> -                                                    -
> Karen Swanberg | OIT Security and Assurance | U. of Mn
> -          EMAIL:PROTECTED | 612-625-8807           -
> 
> _______________________________________________
> unisog mailing list
> EMAIL:PROTECTED
> http://www.dshield.org/mailman/listinfo/unisog
> 

_______________________________________________
members mailing list
EMAIL:PROTECTED
http://mlug.missouri.edu/mailman/listinfo/members
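
For triaging your own address space after the nmap run quoted above, this added example (not part of the original post) parses the grepable `-oG output` file and lists hosts with TCP 6000 open. The sample scan text, addresses and hostnames are constructed, and the function name `open_x_hosts` is an assumption of this example.

```python
import re

# Constructed sample of `nmap -sS -p6000 -oG output ...` results
# (documentation addresses and hostnames, not real scan data).
SAMPLE_OG = """\
# Nmap scan initiated as: nmap -sS -p6000 -oG output 192.0.2.0/29
Host: 192.0.2.1 (gw.example.edu)\tPorts: 6000/closed/tcp//X11///
Host: 192.0.2.2 (lab-pc1.example.edu)\tPorts: 6000/open/tcp//X11///
Host: 192.0.2.3 ()\tPorts: 6000/filtered/tcp//X11///
Host: 192.0.2.4 ()\tStatus: Up
Host: 192.0.2.5 ()\tPorts: 22/open/tcp//ssh///, 6000/open/tcp//X11///\tIgnored State: closed (3)
# Nmap run completed
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def open_x_hosts(grepable_text, port=6000):
    """Return sorted [(ip, hostname)] for hosts with tcp/<port> in state 'open'."""
    found = set()
    for line in grepable_text.splitlines():
        if line.startswith("#"):          # nmap header/footer comments
            continue
        m = HOST_RE.match(line)
        if not m:
            continue
        for field in line.split("\t"):    # grepable fields are tab-separated
            if not field.startswith("Ports:"):
                continue                  # skip Host:, Status:, Ignored State:
            for entry in field[len("Ports:"):].split(","):
                # Each entry: port/state/protocol/owner/service/rpcinfo/version/
                parts = entry.strip().split("/")
                if (len(parts) >= 3 and parts[0] == str(port)
                        and parts[1] == "open" and parts[2] == "tcp"):
                    found.add((m.group(1), m.group(2)))
    return sorted(found)


if __name__ == "__main__":
    for ip, name in open_x_hosts(SAMPLE_OG):
        print(f"{ip}\t{name or '-'}\tport 6000 open: check X access control")
```

An open port 6000 only marks a candidate; whether the server is actually running with access control disabled still has to be confirmed on the machine or with the Nessus plugin mentioned in the message.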