
Re: Remote Root In Nvidia xserver Driver



On Wed, 18 Oct 2006 11:48:18 +0100, Dominic Hargreaves wrote:

> On Wed, Oct 18, 2006 at 10:42:05AM +0000, Sam Morris wrote:
>> On Tue, 17 Oct 2006 21:53:49 -0400, Noah Meyerhans wrote:
>> > However, as I read it,
>> > it sounds like you can only run arbitrary code if you are actually
>> > accessing the X server directly via a client.  While this client can be
>> > local or remote, nobody is going to allow unauthenticated remote clients
>> > to access their X server, so this might not be so bad...
>> 
>> I disagree. SSHing to a compromised host should not open the client
>> machine up to security vulnerabilities of this kind.
> 
> Huh?
> 
> sshing to a compromised machine with X forwarding enabled is already a
> big enough problem without adding root exploits.
> 
> Don't ssh with X forwarding to an untrusted machine. Ever.

The point is that I may trust the machine, it may have been compromised
without me finding out. I should not have to send the hackers who did it
an email saying "ok fellas, you got me, here are all my root passwords".

> X is not a
> secure protocol and with access to your X server a program can wreak
> havoc on anything you do on that X server including capturing passwords
> and other sensitive data. It's not an issue specific to this
> vulnerability.

Isn't the X11 security extension designed to help with these issues? But
anyway, you can't deny that this vulnerability increases a user's attack
surface significantly. Especially since someone else pointed out that a
Flash movie or Java applet could exploit the vulnerability (i.e., you
don't need to use X11 forwarding to make the vulnerability into a remote
one).

> Dominic.

-- 
Sam Morris
http://robots.org.uk/

PGP key id 1024D/5EA01078
3412 EA18 1277 354B 991B  C869 B219 7FDB 5EA0 1078


