[FreeNX-kNX] nxclient and "challengeresponseauthentication no"

Kurt Pfeifle k1pfeifle at gmx.net
Fri Jan 27 17:30:16 UTC 2006


On Friday 27 January 2006 14:11, * * wrote:

> The nx user must be in the wheel group, so that he can
> change to the user account.  Of course, this permits all your clueful
> NX users to use su... because they own the nx login key.  In fact you
> must use an other-than-NoMachine-NX-public private key, or else
> everyone on the 'Net will be able to use su.

<sarcasm>
  Oh my god!!!! You have just discovered a glaring security
  hole in NX! The world can now use su to impersonate me on
  any NX server I've an account on!! And nobody discovered this
  vulnerability since more than 3 years! Stop shipping NX!
</sarcasm>
 
Honest, would you please give me a step by step HOWTO (because
I'm not such a clueful user you talked about), so that I am 
able to use su from user "nx" to acquire my boss' account
privileges? I have succeeded to do this:

1. I type: "nxssh -nx -i /usr/NX/share/client.id_dsa.key nx at my_bosses_box"

2. I get a response: "NX> 105"

3. I type: "su root", "su - root", "su - my_boss", "su my_boss", "su kurt"

But all I get is that the stupid thing keeps echo-ing what I type.

I've the feeling I must be *that* close to be a blackhat cracker.... Can 
you please help me understand what clever trick I am missing in my 3rd 
step? Puh-leeease?



More information about the FreeNX-kNX mailing list