Bugtraq mailing list archives

Re: Securax Advisory 11


From: Donald King <donald () SAPPIOS COM>
Date: Tue, 2 Jan 2001 14:52:19 -0600


On Mon, 01 Jan 2001 08:50 am, incubus wrote:
  [Snip]
Topic:          X-windows can be caused to freeze.
Announced:      2000-12-26
Affects:        XFree86 Version 3.3.6 / X Window System [on SuSE 6.4]
                Other versions not tested.
  [Snip]

Stock XFree86 4.0.1 appears not to be vulnerable.  Not so much as a hiccup,
in fact.  I'm running Slackware 7.0, but XFree was installed separately so
that shouldn't make a difference.

Note: This entire advisory has been based upon trial and error results.
We cannot ensure the information below is 100% correct being that we have
no source code to audit. This document is subject to change without
prior notice.

  [Snip]

Um, what?  You've gone insane if you think XFree86 doesn't have public
source code.  No comprehensible public source code, granted... :-)

I.  Problem Description
-----------------------

When a large amount of characters are sent to the X-windows daemon (port
6000), X-windows will become laggy for a few seconds, so if one would
send a lot of characters to it, in a continuous loop, the server will
freeze! The only thing that works as far as I know to get X back to work
is a reboot.

  [Snip]

Not so.  Did you even try the Ctrl-Alt-BkSp kill stroke?  If that fails,
you can usually log in remotely and try "killall -TERM X" to give X a
chance to shut down cleanly.  And if *that* fails, a "killall -KILL X"
followed by a "unset DISPLAY; X :0.0" should kill X rudely and reset the
video hardware (kill the second X with the kill stroke mentioned before).

And this is all assuming that the X server has truly crashed and that this
isn't just a DoS that will clear up as soon as the attacker stops.

II. Impact
----------

  [Snip]

Numerous problems with your code: gcc doesn't like the ISO-8859-1
non-breaking spaces you (or your mail client) used, the program crashes
unless you give it a hostname, it connects to the wrong port due to endian
problems, and it throws away DNS information that it just looked up.
Here's a patch just to get it to run properly (after running "perl -p -e
'tr/\xA0/ /;' < linnuke.c > linnuke.c.new" or equivalent so it will
compile).
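The two address-handling mistakes named above (a port assigned in host byte order, and a resolved address that is discarded or read through an over-wide cast), as an added example that is not part of the original post or of linnuke.c: `port_without_htons()` returns the port a raw `sin_port = 6000` assignment would actually reach, and `build_target()` fills a `sockaddr_in` correctly. It uses getaddrinfo() rather than the gethostbyname() the patched code relies on; the function names are this example's own.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Port a connect() really goes to when sin_port is assigned a raw
 * host-order value, as in the unpatched code: the kernel reads the
 * field as big-endian, so on a little-endian host 6000 (0x1770) is
 * sent on the wire as 0x7017 = 28695. On a big-endian host the bug
 * is invisible, which is why it is easy to miss in testing. */
unsigned short port_without_htons(unsigned short host_order_port)
{
    return ntohs(host_order_port);
}

/* Resolve `host` (a name or dotted quad) and fill `out` for `port`.
 * The resolved IPv4 sockaddr is copied whole with memcpy(), so the
 * address is neither thrown away (inet_addr(argv[1]) after a lookup)
 * nor read through a cast to a type such as unsigned long that may be
 * wider than the 4-byte address. A failed lookup is reported instead
 * of being dereferenced. Returns 0 on success, -1 on failure. */
int build_target(const char *host, unsigned short port, struct sockaddr_in *out)
{
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET;        /* IPv4 only, to match sockaddr_in */
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, NULL, &hints, &res) != 0 || res == NULL)
        return -1;                    /* never touch a NULL result */
    memcpy(out, res->ai_addr, sizeof *out);
    out->sin_port = htons(port);      /* network byte order, as in the patch */
    freeaddrinfo(res);
    return 0;
}
```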

### Begin diff ###
- --- linnuke.c.old       Tue Jan  2 14:41:29 2001
+++ linnuke.c   Tue Jan  2 14:26:01 2001
@@ -57,8 +57,8 @@
    fprintf(stderr, "Socket() !\n");  exit(sock);
   }
   sin.sin_family = AF_INET;
- -  sin.sin_port = 6000;
- -  sin.sin_addr.s_addr = inet_addr(argv[1]);
+  sin.sin_port = htons(6000);
+  sin.sin_addr.s_addr = *(unsigned long*)hp->h_addr_list[0];

   conn = connect(sock, (struct sockaddr *)&sin, sizeof(sin));
  if (conn < 0)
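Review bot: the added line `+  sin.sin_addr.s_addr = *(unsigned long*)hp->h_addr_list[0];` reads the address through an `unsigned long`, which is 8 bytes on 64-bit targets while the IPv4 address at `h_addr_list[0]` is only `hp->h_length` (4) bytes, so the read overruns the address and the assignment then truncates; `memcpy(&sin.sin_addr, hp->h_addr_list[0], hp->h_length);` copies exactly what the resolver returned. The hunk also dereferences `hp` with no visible check that the lookup succeeded, so a failed gethostbyname() (NULL `hp`) crashes here; the caller should test `hp != NULL` before this point. The `htons(6000)` change is correct. Minor, in the unchanged context: `exit(sock)` after a failed socket() exits with -1 rather than a meaningful status.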
### End diff ###


