Bugtraq mailing list archives
Re: Nasty XFree Xserver DoS
From: bug () WESTON CX (Weston Pawlowski)
Date: Tue, 23 May 2000 04:37:40 -0000
I was going to check for this vulnerability in Mandrake 7.0, but I'm failing to see where AuthCheckSitePolicy() is being called from. The only occurrence I can find in Mandrake's XFree86 source is the function itself, but no calls to it. The buggy code that was mentioned does exist, but is it ever called??? Is the Mandrake version different from that in other distros? Or am I just not seeing something?

This probably isn't much of a potential problem for me because I rarely use X on my firewall machine, but I'd still like to find out exactly how hard it would be for someone to use this against me.

-Weston

---

Hi,

Here's a very interesting DoS which I discovered against XFree86-3.3.5. I've had confirmation it also affects 3.3.6 and 4.0 (with a small difference, see below)

<Snip>

Well, the summary is that this is YET another example of signed/unsigned issues. By seeding a loop with a value of -1, we can cause the X server to perform 4 billion iterations of a loop.

Observe xc/programs/Xserver/os/secauth.c, AuthCheckSitePolicy():

// dataP is user supplied data from the network
char *policy = *dataP;
int nPolicies;
...
// Oh dear, we can set nPolicies to -1
nPolicies = *policy++;
while (nPolicies) {
    // Do some stuff in a loop
    ...
    nPolicies--;
}

So, the counter "nPolicies", if seeded with -1, will decrement towards about minus 2 billion, then wrap to become positive 2 billion, and head towards its final destination of 0.

<Snip>
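A worked illustration of the signed-char seeding quoted above, added here as an example; it is neither XFree86's code nor the fix that shipped. The functions, the byte-string samples and the bounded "hardened" reader are all constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the quoted pattern: the policy count is read from a
   network-supplied buffer through a plain 'char' into an int. The original
   uses 'char'; it is written as 'signed char' here so the result is the same
   on every platform (on x86/Linux plain char is signed, which is what makes
   byte 0xFF arrive as -1). */
int read_count_vulnerable(const void *data) {
    const signed char *policy = data;
    int nPolicies = *policy++;   /* 0xFF -> -1 */
    return nPolicies;
}

/* Hypothetical hardened reader (not the XFree86 patch): read the count
   through unsigned char so it is always 0..255, and reject a count larger
   than the number of bytes that follow it. Returns the count, or -1 on
   malformed input. */
int read_count_hardened(const unsigned char *policy, size_t len) {
    if (len < 1)
        return -1;
    unsigned int nPolicies = policy[0];
    if (nPolicies > len - 1)
        return -1;               /* claims more entries than bytes present */
    return (int)nPolicies;
}

/* How many times "while (nPolicies) nPolicies--;" runs for a given seed,
   computed arithmetically instead of executing the loop: a 32-bit int
   wraps from INT_MIN to INT_MAX, so -1 walks the whole 32-bit range back
   to 0, i.e. 2^32 - 1 = 4294967295 iterations. */
uint64_t loop_iterations(int seed) {
    return (uint64_t)(uint32_t)seed;
}

/* Constructed samples: a blob whose count byte is 0xFF, and a well-formed
   blob declaring two one-byte entries. */
static const unsigned char kBadPolicy[]  = { 0xFF, 0x00 };
static const unsigned char kGoodPolicy[] = { 0x02, 0x01, 'a', 0x01, 'b' };

int main(void) {
    int bad = read_count_vulnerable(kBadPolicy);             /* -1 */
    uint64_t iters = loop_iterations(bad);                   /* 4294967295 */
    int ok = read_count_hardened(kGoodPolicy, sizeof kGoodPolicy);  /* 2 */
    int rej = read_count_hardened(kBadPolicy, sizeof kBadPolicy);   /* -1 */
    return (bad == -1 && iters == 4294967295ULL && ok == 2 && rej == -1) ? 0 : 1;
}
```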