T 5.161 Falsified responses to XDMCP broadcasts on terminal servers

The X-Window system, frequently used on Unix systems, is an application that displays windows on the screen and reads keyboard and screen input. Only in combination with a graphical user interface such as KDE or Gnome are users able to operate Unix systems intuitively without entering commands on the command line.

The X-Window system consists of an X-server and an X-client. The X-server receives signals from the input devices, e.g. mouse and keyboard, and outputs information to the output devices, e.g. screens. The X-client is the actual application processing the inputs and outputs of the X-server and forwarding these to the respective applications. The X-client communicates with the X-server, processes the signals, and executes the commands this way. The X-client and the X-server may be located on one IT system, but the two components may also communicate over a network connection. In that case, the X-server is installed on the workstation PCs to which the input and output devices are connected, and the X-client is installed on a central terminal server. An IT system on which only an X-server, but no X-clients or other applications, is installed is called an X-terminal.

X Display Manager

For user authentication, an X Display Manager (XDM) can be used. Like the X-client, it is installed on the terminal server. The XDM provides a graphical login screen that is normally used to enter the user name and the password. In order to be able to authenticate to the X-client, the X-terminal establishes a data link to the XDM over the network.

X Display Manager Control Protocol (XDMCP)

The X-terminals and the XDM normally communicate using XDMCP (X Display Manager Control Protocol). In order to establish a connection, the X-terminals need to know the host name or IP address of the XDMs. For this, the following modes may be used:

Users can use the "Broadcast" mode in order to log in to different XDMs without having to register on the X-terminals. Unlike in the "Direct" mode, the X-terminals do not have to be re-configured if new XDMs are added or if existing XDMs are removed. If several Choosers are to be used or if the IP address of the Chooser's XDM is changed, the configuration of the X-terminal does not have to be changed in the "Broadcast" mode either.

If "Broadcast" is used, an attacker may install his/her own XDM that responds to the queries of the X-terminal. If the user enters his/her user name and password into the login screen of this XDM, the attacker obtains the login information and may use it for later attacks.

Depending on his/her knowledge, the attacker may, in addition to the XDM, provide the user with an environment on a terminal server that is also controlled by the attacker. If the user does not recognise that he/she is using the terminal server of the attacker and accesses programs, resources, and backends during a session, additional confidential information may be spied out.
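A monitoring check for the threat described above, given as an added example that is not part of the original catalogue text: it parses XDMCP "Willing" replies (the answer an XDM gives to a broadcast query) and reports every responder that is not on a list of authorised display managers. It assumes the XDMCP version 1 wire format; the allowlist addresses, the function names and the sample datagrams are constructed for illustration.

```python
import struct

XDMCP_VERSION = 1
OP_WILLING = 5  # opcode of a Willing reply in XDMCP version 1
# Assumption: addresses of the display managers the organisation operates.
AUTHORISED_XDMS = {"192.0.2.10", "192.0.2.11"}

def read_array8(buf, off):
    """Read an ARRAY8 (CARD16 length, then bytes); return (value, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    if off + 2 + n > len(buf):
        raise ValueError("ARRAY8 runs past the end of the datagram")
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_willing(datagram):
    """Return the fields of a Willing reply, or None for any other opcode."""
    version, opcode, length = struct.unpack_from(">HHH", datagram, 0)
    if version != XDMCP_VERSION or length != len(datagram) - 6:
        raise ValueError("bad XDMCP version or length field")
    if opcode != OP_WILLING:
        return None
    fields, off = [], 6
    for _ in range(3):  # AuthenticationName, Hostname, Status
        value, off = read_array8(datagram, off)
        fields.append(value.decode("latin-1"))
    return dict(zip(("auth", "hostname", "status"), fields))

def unexpected_responders(replies):
    """replies: (source_ip, datagram) pairs seen on UDP port 177.
    Return (source_ip, claimed hostname) for Willing replies from unlisted hosts."""
    findings = []
    for src, data in replies:
        try:
            info = parse_willing(data)
        except (ValueError, struct.error):
            continue  # malformed datagram, not a usable Willing reply
        # The hostname field is chosen by the sender, so match on the source address.
        if info is not None and src not in AUTHORISED_XDMS:
            findings.append((src, info["hostname"]))
    return findings

def build_willing(hostname, status):
    """Build a constructed Willing datagram for the sample data below."""
    body = b"".join(struct.pack(">H", len(f)) + f for f in (b"", hostname, status))
    return struct.pack(">HHH", XDMCP_VERSION, OP_WILLING, len(body)) + body

# Constructed sample: one authorised reply and one from an unlisted address.
SAMPLE = [("192.0.2.10", build_willing(b"ts-prod", b"Linux 2.6")),
          ("192.0.2.66", build_willing(b"ts-prod", b"Linux 2.6"))]

if __name__ == "__main__":
    for src, name in unexpected_responders(SAMPLE):
        print(f"unexpected XDMCP responder {src} announcing itself as {name!r}")
```

In the sample, both responders announce the same host name, so only the source address distinguishes the unlisted one.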