From: Jochen Bauer [jtb@THEO2.PHYSIK.UNI-STUTTGART.DE]
Sent: Wednesday, August 18, 1999 6:26 AM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: XDM Insecurity revisited

On Wed, 26 Nov 1997 Eric Augustus (augustus@stic.net) posted a message
on BUGTRAQ about the fact, that the default Xaccess file allows XDMCP
connections from any host. As you know, this can be used to get a
login screen on any host and therefore get around access control
mechanisms like tcpwrapper and root login restriction to the console.

However, this warning seemed to have little effect as (at least)
Digital Unix 4.0E, SuSE Linux 6.1 and Red Hat Linux 6.0 are still
(1.5 years later) shipped with this default Xaccess file. It is somehow
ironic that e.g. SuSE now uses tcpwrappers by default on most TCP
services in it's distribution and describes the use of tcpwrappers in
the manual in a special chapter about security, but fails to close (or
even mention) that way to circumvent login restrictions.

By the way,
If you think that using the cryptographically secured remote management
channels with access limited to authorized hosts on your AltaVista
Firewall under Digital Unix is the only way of doing remote
administration of the firewall, then you should take a close look at
your Xaccess file ;-)

--

Jochen Bauer

************************************************************
*Network Security Team                                     *
*Computer Center of the University of Stuttgart            *
*Germany                                                   *
*                                                          *
*Email: jtb@theo2.physik.uni-stuttgart.de                  *
*       jochen.bauer@rus.uni-stuttgart.de                  *
*                                                          *
*PGP Public Key:                                           *
*     http://www.theo2.physik.uni-stuttgart.de/jtb.html    *
************************************************************