Vulnerability Note VU#911505

pam_xauth may insecurely forward "X MIT-Magic-Cookies" to new sessions

Original Release date: 04 May 2003 | Last revised: 17 Jun 2003

Overview

A vulnerability exists in pam_xauth that may allow a local attacker to gain access to an administrator's X session.

Description

pam_xauth is used to forward xauth keys (or cookies) between users. From the pam_xauth man page:

    Without pam_xauth, when xauth is enabled and a user uses the su command to
    assume superuser privileges, that user is not able to run X commands as
    root without somehow giving root access to the xauth key used for the
    current X session. pam_xauth solves the problem by forwarding the key from
    the user running su (the source user) to the user whose identity the source
    user is assuming (the target user) when the session is created, and
    destroying the key when the session is torn down.

If a local attacker can cause the system administrator to su to the attacker's account, the attacker may be able to gain access to an administrator's X session. For further technical details, please see Andreas Beck's advisory.
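As an added defender-side example (not code from this note, from Andreas Beck's advisory, or from pam_xauth itself), the following parses the binary ~/.Xauthority format and reports whether any of root's MIT-MAGIC-COOKIE-1 secrets have ended up in another user's authority file, which is exactly the state the forwarding described above produces. The host name and cookie values are constructed sample data; the family code 256 is FamilyLocal from the X11 headers.

```python
import struct
def parse_xauthority(data: bytes) -> list:
    """Parse the binary ~/.Xauthority format: each record is a u16-BE family, then
    four u16-BE length-prefixed fields: address, display, auth name, auth data."""
    entries, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated family field at offset %d" % pos)
        (family,) = struct.unpack_from(">H", data, pos)
        pos += 2
        fields = []
        for _ in range(4):
            if pos + 2 > len(data):
                raise ValueError("truncated length at offset %d" % pos)
            (n,) = struct.unpack_from(">H", data, pos)
            pos += 2
            if pos + n > len(data):
                raise ValueError("truncated field at offset %d" % pos)
            fields.append(bytes(data[pos:pos + n]))
            pos += n
        addr, number, name, value = fields
        entries.append({"family": family, "address": addr.decode("latin-1"),
                        "number": number.decode("ascii", "replace"),
                        "name": name.decode("ascii", "replace"), "data": value})
    return entries

def encode_entry(family: int, address: bytes, number: bytes, name: bytes, data: bytes) -> bytes:
    """Inverse of the parser; used here only to build the constructed sample files."""
    out = struct.pack(">H", family)
    for field in (address, number, name, data):
        out += struct.pack(">H", len(field)) + field
    return out

def leaked_cookies(root_entries: list, user_entries: list) -> list:
    """User-file entries whose MIT-MAGIC-COOKIE-1 secret equals one of root's."""
    root_keys = {e["data"] for e in root_entries if e["name"] == "MIT-MAGIC-COOKIE-1"}
    return [e for e in user_entries
            if e["name"] == "MIT-MAGIC-COOKIE-1" and e["data"] in root_keys]

def audit(root_blob: bytes, user_blob: bytes) -> list:
    """Display numbers of root's cookies that are present in the user's file."""
    root, user = parse_xauthority(root_blob), parse_xauthority(user_blob)
    return [e["number"] for e in leaked_cookies(root, user)]

# Constructed sample data (not real cookies): root's :0 cookie, and a user file
# holding its own :1 cookie plus root's :0 cookie as pam_xauth would forward it.
ROOT_COOKIE, USER_COOKIE = bytes(range(16)), bytes(range(16, 32))
ROOT_XAUTH = encode_entry(256, b"host", b"0", b"MIT-MAGIC-COOKIE-1", ROOT_COOKIE)
USER_XAUTH = (encode_entry(256, b"host", b"1", b"MIT-MAGIC-COOKIE-1", USER_COOKIE)
              + encode_entry(256, b"host", b"0", b"MIT-MAGIC-COOKIE-1", ROOT_COOKIE))
```

In real use, pass `audit` the bytes of /root/.Xauthority and of the user's authority file; a non-empty result means root's session key is still readable from that account after the su session ended.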

Impact

A local attacker may be able to gain access to an administrator's X session.

Solution

Apply a patch from your vendor.

Systems Affected

Vendor                   Status        Date Notified  Date Updated
MandrakeSoft             Affected      04 May 2003    05 May 2003
Openwall GNU/*/Linux     Affected      04 May 2003    07 May 2003
Red Hat Inc.             Affected      -              07 May 2003
Apple Computer Inc.      Not Affected  04 May 2003    07 May 2003
Debian                   Not Affected  04 May 2003    05 May 2003
Foundry Networks Inc.    Not Affected  04 May 2003    07 May 2003
Fujitsu                  Not Affected  04 May 2003    17 Jun 2003
Hitachi                  Not Affected  04 May 2003    07 May 2003
IBM                      Not Affected  04 May 2003    07 May 2003
Ingrian Networks         Not Affected  04 May 2003    07 May 2003
NetScreen                Not Affected  04 May 2003    07 May 2003
Xerox Corporation        Not Affected  04 May 2003    30 May 2003
3Com                     Unknown       04 May 2003    05 May 2003
Alcatel                  Unknown       04 May 2003    05 May 2003
AT&T                     Unknown       04 May 2003    05 May 2003

CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This vulnerability was discovered by Andreas Beck.

This document was written by Ian A Finlay.

Other Information

  • CVE IDs: CAN-2002-1160
  • Date Public: 03 Feb 2003
  • Date First Published: 04 May 2003
  • Date Last Updated: 17 Jun 2003
  • Severity Metric: 12.94
  • Document Revision: 11
