From owner-freebsd-security Thu Mar 28 7:12:58 2002 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id BA2B737B41F for ; Thu, 28 Mar 2002 07:12:31 -0800 (PST) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id HAA23540; Thu, 28 Mar 2002 07:11:22 -0800 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda23536; Thu Mar 28 07:11:08 2002 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.6/8.9.1) id g2SFB3L53194; Thu, 28 Mar 2002 07:11:03 -0800 (PST) Received: from UNKNOWN(10.1.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdX53187; Thu Mar 28 07:10:04 2002 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.6/8.9.1) id g2SFA4m66570; Thu, 28 Mar 2002 07:10:04 -0800 (PST) Message-Id: <200203281510.g2SFA4m66570@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdj66555; Thu Mar 28 07:09:13 2002 X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4 Reply-To: Cy Schubert - CITS Open Systems Group From: Cy Schubert - CITS Open Systems Group X-Sender: schubert To: David Pick Cc: Brett Glass , security@FreeBSD.ORG Subject: Re: Is FreeBSD susceptible to this vulnerability? In-Reply-To: Message from David Pick of "Thu, 28 Mar 2002 14:58:11 GMT." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 28 Mar 2002 07:09:13 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In message , David Pick writes: > > > Apparently, several UNIX-like operating systems can be penetrated via > > XDMCP/UDP; see > > > > http://www.procheckup.com/security_info/vuln_pr0208.html > > > > Is FreeBSD vulnerable? What about the other BSDs? > > (All the following is from reading the notice and having used > XDM myself in the past; not from reading the code...) > > The notice says it's an "information leakage" vulnerability that > can leak information useful for otherwise unrelated brute-force > attacks. > > It's also more a matter of the default configurations for the > XMDCP daemon rather than the code of the daemon. > > The FreeBSD default configuratin *is* vulnerable but doesn't > gratuitously leak information (for example by providing lists > of valid users). So it's no more or less vulnerable than having > an open listening "telnet" service. Or an open "finger" service. > However, the notice is worthwhile because it points out that > such leakage can happen via services that use UDP as well as > services using TCP. The default FreeBSD configuration, at least in the XFree86-4 port, ships with the following lines in Xaccess: ... #* #any host can get a login window ... #* CHOOSER BROADCAST #any indirect host can get a chooser .. This doesn't appear open to me (notice the lines have been commented out). Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/Alpha Team Email: Cy.Schubert@osg.gov.bc.ca Open Systems Group, CITS Ministry of Management Services Province of BC FreeBSD UNIX: cy@FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message