Package: slim
Version: 1.3.0-2
Severity: grave
Tags: security

Hi,

From app.cpp (lines 1134-1161):

    void App::CreateServerAuth() {
        /* create mit cookie */
        int i, r;
        int hexcount = 0;
        string authfile;
        string cmd;
        char *digits = "0123456789abcdef";
        srand( time(NULL) );
        for ( i = 0; i < 31; i++ ) {
            r = rand()%16;
            mcookie[i] = digits[r];
            if (r>9)
                hexcount++;
        }
        /* MIT-COOKIE: even occurrences of digits and hex digits */
        if ((hexcount%2) == 0) {
            r = rand()%10;
        } else {
            r = rand()%5+10;
        }
        mcookie[31] = digits[r];
        /* reinitialize auth file */
        authfile = cfg->getOption("authfile");
        remove(authfile.c_str());
        putenv(StrConcat("XAUTHORITY=", authfile.c_str()));
        cmd = cfg->getOption("xauth_path") + " -q -f " + authfile + " add :0 . " + mcookie;
        system(cmd.c_str());
    }
This function is used to create the X authority file in /var/run, which is then copied into the user's home directory on login. However, this function somehow defeats the purpose of xauth, as the file itself is generated by executing xauth via system() and includes mcookie (the secret hex string) in the command line. So as an attacker I can watch the process list, grab the mcookie string and generate my own X auth cookie to have fun with the victim's X session. The same problem exists in switchuser.cpp.

The easy fix would be to read this from stdin; xauth supports this.

As a small remark... I think using the time as a source for random data is also suboptimal in this case.

Cheers
Nico
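The following is an added example of the fix described in the report; it is not slim's code and not part of the original bug mail. It addresses both points raised: the cookie is drawn from /dev/urandom instead of rand() seeded with time(), and the `add <display> . <cookie>` command is written to xauth's stdin over a pipe, so the secret never appears in argv (visible in the process list) or in the environment. No shell is involved, which also removes the quoting concern of the original system() call. The xauth path (/usr/bin/xauth), the authfile path (/var/run/slim.auth) and the display (:0) are assumed placeholders; the 128-bit (32 hex digit) length is the standard MIT-MAGIC-COOKIE-1 size, and the parity adjustment of the last digit in the original code is deliberately not reproduced.

```cpp
#include <cerrno>
#include <cstdio>
#include <fstream>
#include <stdexcept>
#include <string>
#include <sys/wait.h>
#include <unistd.h>

// Generate a 32-hex-digit (128-bit) MIT-MAGIC-COOKIE-1 from the kernel CSPRNG
// instead of rand() seeded with the current time.
std::string generate_mit_cookie() {
    static const char digits[] = "0123456789abcdef";
    unsigned char raw[16];
    std::ifstream urandom("/dev/urandom", std::ios::binary);
    if (!urandom.read(reinterpret_cast<char*>(raw), sizeof raw))
        throw std::runtime_error("cannot read /dev/urandom");
    std::string cookie;
    for (unsigned char b : raw) {
        cookie += digits[b >> 4];
        cookie += digits[b & 0x0f];
    }
    return cookie;
}

// Sanity check used by callers and tests: exactly 32 lowercase hex digits.
bool is_valid_cookie(const std::string& cookie) {
    if (cookie.size() != 32) return false;
    for (char c : cookie)
        if (!((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f'))) return false;
    return true;
}

// The xauth command that will be fed on stdin; "." is xauth's shorthand for
// MIT-MAGIC-COOKIE-1, exactly as in the original command line.
std::string xauth_add_line(const std::string& display, const std::string& cookie) {
    return "add " + display + " . " + cookie + "\n";
}

// Run `xauth -q -f <authfile>` directly (no shell) and write the add command
// to its stdin. The cookie is never placed in argv or the environment.
bool write_auth_cookie(const std::string& xauth_path, const std::string& authfile,
                       const std::string& display, const std::string& cookie) {
    int fds[2];
    if (pipe(fds) != 0) return false;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return false; }
    if (pid == 0) {
        // Child: stdin becomes the read end of the pipe, then exec xauth.
        dup2(fds[0], STDIN_FILENO);
        close(fds[0]);
        close(fds[1]);
        execl(xauth_path.c_str(), "xauth", "-q", "-f", authfile.c_str(), (char*)nullptr);
        _exit(127);  // exec failed
    }
    // Parent: write the command line into the pipe, then close it so xauth sees EOF.
    close(fds[0]);
    std::string line = xauth_add_line(display, cookie);
    const char* p = line.data();
    size_t left = line.size();
    while (left > 0) {
        ssize_t n = write(fds[1], p, left);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) break;
        p += n;
        left -= static_cast<size_t>(n);
    }
    close(fds[1]);
    int status = 0;
    waitpid(pid, &status, 0);
    return left == 0 && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main() {
    // Assumed paths and display; adjust for the real configuration.
    std::string cookie = generate_mit_cookie();
    bool ok = write_auth_cookie("/usr/bin/xauth", "/var/run/slim.auth", ":0", cookie);
    std::printf("%s\n", ok ? "cookie installed" : "xauth failed");
    return ok ? 0 : 1;
}
```

The caller still has to remove the stale authfile and export XAUTHORITY as the original code does; the example only replaces the cookie generation and the xauth invocation. A quick check that the fix holds is to run `ps -ef` while the display manager starts: the xauth process should show only `-q -f <authfile>` and no hex string.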