Bugtraq mailing list archives

Re: Nasty XFree Xserver DoS


From: bug () WESTON CX (Weston Pawlowski)
Date: Tue, 23 May 2000 04:37:40 -0000


I was going to check for this vulnerability in Mandrake 7.0,
but I'm failing to see where AuthCheckSitePolicy() is being
called from. The only occurrence I can find in Mandrake's
XFree86 source is the function itself, but no calls to it.
The buggy code that was mentioned does exist, but is it ever
called??? Is the Mandrake version different than in other
distros? Or am I just not seeing something?

This probably isn't much of a potential problem for me
because I rarely use X on my firewall machine, but I'd still
like to find out exactly how hard it would be for someone to
use this against me.

-Weston


---

Hi,

Here's a very interesting DoS which I discovered against
XFree86-3.3.5. I've had confirmation it also affects 3.3.6
and 4.0 (with a small difference, see below)

<Snip>

Well, the summary is that this is YET another example of
signed/unsigned issues. By seeding a loop with a value of -1,
we can cause the X server to perform 4 billion iterations of
a loop.

Observe xc/programs/Xserver/os/secauth.c,
AuthCheckSitePolicy():

// dataP is user supplied data from the network
char        *policy = *dataP;
int         nPolicies;
...
// Oh dear, we can set nPolicies to -1
nPolicies = *policy++;
while (nPolicies) {
// Do some stuff in a loop
...
  nPolicies--;
}

So, the counter "nPolicies", if seeded with -1, will decrement
towards about minus 2 billion, then wrap to become positive 2
billion, and head towards its final destination of 0.

<Snip>
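The signed/unsigned wrap described in the quoted post, as an added example for readers of this archive page (this is my code, not the post's and not XFree86's). It assumes a 32-bit int with two's-complement wraparound, reads the count byte through an explicit signed char so the result does not depend on the platform's char signedness, and assumes a simple [count][len][bytes]... layout for the policy data; the function names, the sample packets and the constants are mine. The vulnerable read is shown beside a bounded simulation of the loop (the full loop is the DoS, so the iteration count is computed rather than run) and a hardened reader that takes the byte as unsigned and checks every policy against the bytes actually received.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample input: a count byte of 0xFF followed by nothing.
 * This is the byte a client would send to seed the loop with -1. */
static const unsigned char kHostilePacket[] = { 0xFF };
static const size_t kHostilePacketLen = sizeof(kHostilePacket);

/* Constructed well-formed input: two policies, "abc" and "x", in the
 * [count][len][bytes]... layout assumed for this example. */
static const unsigned char kGoodPacket[] = { 0x02, 0x03, 'a', 'b', 'c', 0x01, 'x' };
static const size_t kGoodPacketLen = sizeof(kGoodPacket);

/* Constructed truncated input: count says 2, first length says 5, but only
 * one byte follows the length. */
static const unsigned char kTruncatedPacket[] = { 0x02, 0x05, 'a' };
static const size_t kTruncatedPacketLen = sizeof(kTruncatedPacket);

/* The read from the quoted secauth.c fragment: the count byte goes through a
 * char into an int. An explicit signed char is used here so the example
 * behaves the same everywhere (plain char is signed on x86 Linux, which is
 * the platform the post describes). A 0xFF byte therefore becomes -1. */
int read_count_vulnerable(const unsigned char *data)
{
    const signed char *policy = (const signed char *)data;
    int nPolicies = *policy++;
    return nPolicies;
}

/* Number of times `while (nPolicies) { ...; nPolicies--; }` executes for a
 * given seed, assuming a 32-bit int that wraps on overflow (signed overflow
 * is undefined in C; wraparound is what the server did on the hardware of
 * the day). Counting down modulo 2^32 from `seed` to 0 takes exactly
 * (uint32_t)seed steps, so -1 gives 4294967295 iterations. */
uint64_t iterations_until_zero(int seed)
{
    return (uint64_t)(uint32_t)seed;
}

/* Bounded run of the same loop on a uint32_t (well-defined wraparound):
 * stops after `cap` iterations and returns how many it performed. */
uint64_t simulate_loop(int seed, uint64_t cap)
{
    uint32_t nPolicies = (uint32_t)seed;
    uint64_t iterations = 0;
    while (nPolicies != 0 && iterations < cap) {
        nPolicies--;
        iterations++;
    }
    return iterations;
}

/* Hardened reader: the count is taken as an unsigned byte (0..255, never
 * negative) and every policy is checked against the bytes actually received
 * before the cursor advances. Returns the number of policies, or -1 if the
 * data is truncated or malformed. */
int parse_site_policies(const unsigned char *data, size_t len)
{
    unsigned int nPolicies, i;
    size_t off = 1;

    if (len < 1)
        return -1;
    nPolicies = data[0];
    for (i = 0; i < nPolicies; i++) {
        size_t plen;
        if (off >= len)               /* no room for the length byte */
            return -1;
        plen = data[off++];
        if (plen > len - off)         /* policy body runs past the buffer */
            return -1;
        off += plen;
    }
    return (int)nPolicies;
}

int main(void)
{
    int seed = read_count_vulnerable(kHostilePacket);
    printf("vulnerable count from 0xFF: %d\n", seed);
    printf("loop iterations for that seed: %llu\n",
           (unsigned long long)iterations_until_zero(seed));
    printf("bounded simulation (cap 1000000): %llu\n",
           (unsigned long long)simulate_loop(seed, 1000000));
    printf("hardened parse, good packet: %d\n",
           parse_site_policies(kGoodPacket, kGoodPacketLen));
    printf("hardened parse, hostile packet: %d\n",
           parse_site_policies(kHostilePacket, kHostilePacketLen));
    printf("hardened parse, truncated packet: %d\n",
           parse_site_policies(kTruncatedPacket, kTruncatedPacketLen));
    return 0;
}
```

On a platform where plain char is unsigned the original read would yield 255 rather than -1, which is why the example pins signed char; a 255-iteration loop over client data is harmless only if each policy is also bounds-checked, which is what the hardened reader adds on top of the unsigned read.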


