[NCLUG] ipchains and firewalls

John L. Bass jbass at dmsd.com
Thu Jan 24 22:46:31 MST 2002


	>What you probably get for free is the ability for outside parties to send X events
	>to the Xserver machine claiming to be from 130.20.118.155 - while this takes a
	>small amount of creativity, it does yield keyboard access to shell windows.
	>The attacker then has the ability to launch arbitrary command lines on your behalf.
	>This is an old attack, I'm not sure anything has changed to help close it.

	I always wondered about that.  I guess the only thing I can do is open
	the hole only when needed. 

You should be aware that this opens not only the Xserver system (presumably your home desktop) to
attack, but every machine that has a client that can be manipulated that is currently displaying
on the X server (presumably one or more machines behind a firewall), especially shell windows. Depending
on the window manager, a script can toggle thru every open window and send it a series of commands
designed to compromise common clients, with a good probability of getting connectivity back to a
control site on nearly every machine with clients on the remote server (desktop).

I've been down that road, using a cryptokey in a mail message intercepted by a .forward invoked
script to start up a custom xterm on my home desktop's server on demand due to corp firewall restrictions
on remote access (with my manager's written approval, but clearly against IT rules).   I suspect that
if SSH isn't allowed, you are probably looking at termination grounds for violating the spirit of that
rule, without manager's written approval. Serious CYA time; if somebody got pissed, you would be
liable for felony charges.

John
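
Added example, not part of the original message or thread: a small audit that scans `ipchains -A` commands for input-chain ACCEPT rules reaching the X11 TCP ports (6000-6063), the kind of source-address-only hole discussed above. The sample rules are constructed; the sketch assumes numeric ports and does not model rule ordering or chain policy.

```python
import shlex

X11_LO, X11_HI = 6000, 6063  # X display :n listens on TCP 6000+n

def parse_rule(line):
    """Parse one `ipchains -A ...` command into a dict; None if not an append."""
    tok = shlex.split(line)
    if len(tok) < 3 or tok[0] != "ipchains" or tok[1] != "-A":
        return None
    rule = {"chain": tok[2], "proto": None, "src": "0/0", "dport": None, "target": None}
    i = 3
    while i < len(tok):
        opt = tok[i]
        if opt in ("-p", "-j") and i + 1 < len(tok):
            rule["proto" if opt == "-p" else "target"] = tok[i + 1]
            i += 2
        elif opt in ("-s", "-d") and i + 1 < len(tok):
            # ipchains syntax: -s/-d address [port[:port]]
            addr, port = tok[i + 1], None
            i += 2
            if i < len(tok) and not tok[i].startswith("-"):
                port, i = tok[i], i + 1
            if opt == "-s":
                rule["src"] = addr
            elif port:
                lo, sep, hi = port.partition(":")
                rule["dport"] = (int(lo or 0), int(hi or 65535) if sep else int(lo))
        else:
            i += 1
    return rule

def x11_holes(lines):
    """Return (source, low_port, high_port) for each ACCEPT rule exposing X11."""
    holes = []
    for line in lines:
        r = parse_rule(line)
        if not r or r["chain"] != "input" or r["target"] != "ACCEPT":
            continue
        if r["proto"] not in (None, "tcp", "all"):
            continue
        lo, hi = r["dport"] or (0, 65535)  # no port given means all ports
        if lo <= X11_HI and hi >= X11_LO:
            holes.append((r["src"], lo, hi))
    return holes

SAMPLE = [  # constructed rules, for illustration only
    "ipchains -A input -p tcp -s 130.20.118.155 -d 0/0 6000 -j ACCEPT",
    "ipchains -A input -p tcp -s 0/0 -d 0/0 22 -j ACCEPT",
    "ipchains -A input -p udp -s 0/0 -d 0/0 53 -j ACCEPT",
]
if __name__ == "__main__":
    for src, lo, hi in x11_holes(SAMPLE):
        print(f"X11 reachable from {src} on TCP {lo}-{hi}: source address is the only check")
```

Any rule this flags trusts the packet's source address alone, so closing it and carrying X over an authenticated tunnel removes the exposure.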


