From owner-freebsd-security  Thu Mar 28  6:58:26 2002
Delivered-To: freebsd-security@freebsd.org
Received: from zeta.qmw.ac.uk (zeta.qmw.ac.uk [138.37.6.6])
	by hub.freebsd.org (Postfix) with ESMTP id 72FD937B419
	for <security@freebsd.org>; Thu, 28 Mar 2002 06:58:21 -0800 (PST)
Received: from xi.css.qmw.ac.uk ([138.37.8.11])
	by zeta.qmw.ac.uk with esmtp (Exim 3.32 #1)
	id 16qbLu-0003mA-00; Thu, 28 Mar 2002 14:58:10 +0000
Received: from cgaa180 by xi.css.qmw.ac.uk with local (Exim 1.92 #1)
	id 16qbLv-0004xx-00; Thu, 28 Mar 2002 14:58:11 +0000
X-Mailer: exmh version 2.0.2 2/24/98
To: Brett Glass <brett@lariat.org>
Cc: security@FreeBSD.ORG
Subject: Re: Is FreeBSD susceptible to this vulnerability? 
In-reply-to: Your message of "Thu, 28 Mar 2002 07:31:03 MST."
             <4.3.2.7.2.20020328072932.03228b20@nospam.lariat.org> 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 28 Mar 2002 14:58:11 +0000
From: David Pick <d.m.pick@qmul.ac.uk>
Message-Id: <E16qbLv-0004xx-00@xi.css.qmw.ac.uk>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org


> Apparently, several UNIX-like operating systems can be penetrated via 
> XDMCP/UDP; see
> 
> http://www.procheckup.com/security_info/vuln_pr0208.html
> 
> Is FreeBSD vulnerable? What about the other BSDs?

(All the following is from reading the notice and having used
XDM myself in the past; not from reading the code...)

The notice says it's an "information leakage" vulnerability that
can leak information useful for otherwise unrelated brute-force
attacks.

It's also more a matter of the default configurations for the
XMDCP daemon rather than the code of the daemon.

The FreeBSD default configuratin *is* vulnerable but doesn't
gratuitously leak information (for example by providing lists
of valid users). So it's no more or less vulnerable than having
an open listening "telnet" service. Or an open "finger" service.
However, the notice is worthwhile because it points out that
such leakage can happen via services that use UDP as well as
services using TCP.

-- 
	David Pick


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message