[X2Go-Dev] Bug#354: Things you should know about X (was: Re: Bug#354: Bug#354: Make x2goagent listening to TCP connections configurable in x2goserver.conf)

Nable 80 nable.maininbox at googlemail.com
Sun Dec 8 21:05:21 CET 2013


Thanks a lot for this interesting discussion.

Although I should comment on this thing from the linked article: it
begins with the following words:
> log into the victim's desktop, become root
It's too obvious that with root one can do almost anything, not only
grab X sessions.
So, your article is not a proof of X11 insecurity (after all, we know
that it's not secure, but the example is not good), just a howto for root
usage.
One should notice that without root (who would give root access to a
generic employee? except (possibly) on his workstation) you still
cannot access other users' cookies (except in cases when one has too
wide permissions or known vulnerabilities with privilege escalation),
so you cannot grab their X sessions, can you?

2013/12/8, Stefan Baur <newsgroups.mail2 at stefanbaur.de>:
> Am 08.12.2013 16:13, schrieb Nick Ingegneri:
>> I think that because I used "xhost +" in my original debugging example,
>> the assumption was immediately made that "xhost +" was my primary
>> concern. My primary concern is that disabling TCP breaks almost every
>> possible use model except for one narrow case (ssh). Among other things,
>> it breaks the MIT-MAGIC-COOKIE-1 mechanism. While there are very valid
>> concerns regarding use of TCP on the internet, we have a different
>> hierarchy of concerns regarding what happens on our internal network.
>
> [long blahblah snipped]
>
> If you believe Xauth Cookies alone will protect you from nastiness,
> think again:
> http://www.hackinglinuxexposed.com/articles/20040608.html - "Abusing X11
> for fun and passwords."
>
> All the nastiness shown in that write-up works *with* .Xauthority in place.
> And this was published in 2004, so every script kiddie, every
> pimple-faced youth among your trainees, every disgruntled employee knows
> about this. (And so does the NSA.)
>
> Seriously, I've been in the IT Security business for quite a few years
> *ahem ahem* - and the real enemy usually isn't some obscure Chinese
> hacker, it's an employee, either a lazy and careless one or a malicious
> one that has been turned over by a competitor. So do not trust anyone
> and anything on your network. Encrypt even your internal traffic.
> I've even seen reports of power plugs with surge protectors containing
> Network sniffers. So the spying device has unlimited power supply and
> sits right in your network, logging all your traffic and sending it out
> either via innocuous http requests or via a separate WiFi network.
>
> And please, do not fool yourself into thinking "but we don't have
> anything to hide". Yes, you have. We all have. Unless you see "1984" as
> an instruction manual.
>
> -Stefan
> _______________________________________________
> X2Go-Dev mailing list
> X2Go-Dev at lists.berlios.de
> https://lists.berlios.de/mailman/listinfo/x2go-dev
>
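The thread turns on three local conditions: whether the X server accepts TCP connections, whether "xhost +" has disabled access control, and whether the MIT-MAGIC-COOKIE-1 store (~/.Xauthority) is readable by other users. The following POSIX shell audit is an added example, not code from this thread or from X2Go; the check functions take their input as arguments so they run on constructed data, and audit_live (which assumes xhost, ss and GNU or BSD stat are installed) wires them to the real commands.

```shell
#!/bin/sh
# Added example (not from the X2Go thread): checks for the three X11 exposure
# conditions discussed above. Each parser takes its input as an argument so
# it can run on captured or constructed output; audit_live runs the real tools.

# 0 if FILE exists and has no group/other permission bits (0600 or stricter),
# which is what keeps one user's cookie away from other non-root users.
xauth_file_mode_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")  # GNU, then BSD stat
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# 0 if xhost's first output line reports access control disabled, the state
# "xhost +" leaves behind: any host that reaches the socket connects with no cookie.
xhost_access_control_open() {
    case "$1" in
        "access control disabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the local addresses from `ss -ltn` output that listen on an X11
# display port (6000-6063, i.e. displays :0 to :63).
x_tcp_listeners() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" {
        for (i = 1; i <= NF; i++)
            if ($i ~ /:(60[0-5][0-9]|606[0-3])$/) print $i
    }'
}

# Run all three checks on the current host (assumes xhost and ss are installed).
audit_live() {
    xhost_access_control_open "$(xhost 2>/dev/null | head -n 1)" && echo "WARN: xhost access control disabled"
    xauth_file_mode_ok "${XAUTHORITY:-$HOME/.Xauthority}" || echo "WARN: Xauthority missing or readable by others"
    l=$(x_tcp_listeners "$(ss -ltn 2>/dev/null)")
    [ -n "$l" ] && echo "WARN: X server listening on TCP: $l"
    return 0
}

# Constructed sample (not captured from a real host) showing the listener parser;
# run the script with --live to audit the machine it runs on.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:22       0.0.0.0:*
LISTEN 0      128    0.0.0.0:6000       0.0.0.0:*'
x_tcp_listeners "$SAMPLE_SS"   # prints 0.0.0.0:6000
[ "$1" = "--live" ] && audit_live
```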
