Bug#251037: Strange xdmcp behavior, maybe a trojan horse?
Package: xserver-common
Version: 4.3.0.dfsg.1-1
I was unable to connect to a remote xdm, but only when it is outside my
broadcast domain. X crashes with the message:
Fatal server error:
XDMCP fatal error: Session failed Session XXXXXXXX failed for display
194-237-107-43.customer.telia.com:9: cannot open display.
I have nothing in common with this IP, so after a further quick tcpdump
I discovered that the negotiation is as follows:
MY.IP.MY.IP RE.MO.TE.IP XDMCP Query
RE.MO.TE.IP MY.IP.MY.IP XDMCP Willing
and here comes the suspected packet:
MY.IP.MY.IP RE.MO.TE.IP XDMCP Request
with the connection field set to:
Version: 1
Opcode: Request (0x0007)
Message length: 121
Display number: 9
Connections (6)
Connection 1: 194.237.107.43
Connection 2: 193.42.228.75
Connection 3: 212.75.96.183
[...]
then a normal XDMCP Accept UDP packet.
The other side, of course, tries to connect to 194.237.107.43:6009/TCP,
and it, of course, fails.
Those six addresses are always the same, no matter which non-local
server I try to connect to.
I'm 99% sure this machine is not compromised; the md5sum of /usr/bin/X11/X
is the same on every testing machine I'm able to check, and it's:
4f6c8f12266c7424a9125c259af41a39 /usr/X11R6/bin/X
I have a laptop with version 4.3.0-7 of xserver-common and it behaves as
expected.
Regards,
BO
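As an added illustration, not part of the bug report: a Python decoder for the XDMCP Request packet format shown above that lists the advertised connection addresses and flags any that are not the querying host's own, which is the check that would have caught the six foreign addresses here. The sample packet is constructed inline from the packet builder; the local address 10.0.0.5 is an assumption.

```python
import struct
from ipaddress import IPv4Address

XDMCP_VERSION = 1
XDMCP_REQUEST = 7      # opcode 0x0007, as in the dump above
FAMILY_INTERNET = 0    # X connection type for IPv4

def _array8(buf, off):
    # ARRAY8: 2-byte big-endian length followed by that many bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_request(pkt):
    """Decode version, opcode, display number and connection list of a Request."""
    version, opcode, length = struct.unpack_from(">HHH", pkt, 0)
    if version != XDMCP_VERSION or opcode != XDMCP_REQUEST:
        raise ValueError("not an XDMCP Request")
    if length != len(pkt) - 6:
        raise ValueError("length field does not match packet size")
    (display,) = struct.unpack_from(">H", pkt, 6)
    off = 8
    ntypes = pkt[off]; off += 1
    types = list(struct.unpack_from(">%dH" % ntypes, pkt, off)); off += 2 * ntypes
    naddrs = pkt[off]; off += 1
    if naddrs != ntypes:
        raise ValueError("connection type/address counts differ")
    addrs = []
    for i in range(naddrs):
        raw, off = _array8(pkt, off)
        internet = types[i] == FAMILY_INTERNET and len(raw) == 4
        addrs.append(str(IPv4Address(raw)) if internet else raw.hex())
    return {"display": display, "types": types, "connections": addrs}

def foreign_connections(pkt, local_addrs):
    """Addresses the display offers for the manager to connect back to that are not ours."""
    return [a for a in parse_request(pkt)["connections"] if a not in set(local_addrs)]

def build_request(display, addrs):
    # Constructed sample packet: Internet family, empty auth, one authorization name.
    body = struct.pack(">H", display)
    body += bytes([len(addrs)]) + b"".join(struct.pack(">H", FAMILY_INTERNET) for _ in addrs)
    body += bytes([len(addrs)]) + b"".join(struct.pack(">H", 4) + IPv4Address(a).packed for a in addrs)
    body += struct.pack(">HH", 0, 0)                                  # auth name, auth data
    body += bytes([1]) + struct.pack(">H", 18) + b"MIT-MAGIC-COOKIE-1"  # authorization names
    body += struct.pack(">H", 0)                                      # manufacturer display id
    return struct.pack(">HHH", XDMCP_VERSION, XDMCP_REQUEST, len(body)) + body

# Sample mirrors the report: display :9, one local address plus two from the dump.
SAMPLE = build_request(9, ["10.0.0.5", "194.237.107.43", "193.42.228.75"])
```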