[FreeNX-kNX] nxclient and "challengeresponseauthentication no"
Kurt Pfeifle
k1pfeifle at gmx.net
Fri Jan 27 17:30:16 UTC 2006
On Friday 27 January 2006 14:11, * * wrote:
> The nx user must be in the wheel group, so that he can
> change to the user account. Of course, this permits all your clueful
> NX users to use su... because they own the nx login key. In fact you
> must use an other-than-NoMachine-NX-public private key, or else
> everyone on the 'Net will be able to use su.
<sarcasm>
Oh my god!!!! You have just discovered a glaring security
hole in NX! The world can now use su to impersonate me on
any NX server I've an account on!! And nobody discovered this
vulnerability since more than 3 years! Stop shipping NX!
</sarcasm>
Honest, would you please give me a step by step HOWTO (because
I'm not such a clueful user you talked about), so that I am
able to use su from user "nx" to acquire my boss' account
privileges? I have succeeded to do this:
1. I type: "nxssh -nx -i /usr/NX/share/client.id_dsa.key nx at my_bosses_box"
2. I get a response: "NX> 105"
3. I type: "su root", "su - root", "su - my_boss", "su my_boss", "su kurt"
But all I get is that the stupid thing keeps echo-ing what I type.
I've the feeling I must be *that* close to be a blackhat cracker.... Can
you please help me understand what clever trick I am missing in my 3rd
step? Puh-leeease?
More information about the FreeNX-kNX
mailing list