Bugtraq mailing list archives
Re: Securax Advisory 11
From: Donald King <donald () SAPPIOS COM>
Date: Tue, 2 Jan 2001 14:52:19 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 01 Jan 2001 08:50 am, incubus wrote:
[Snip]
> Topic: X-windows can be caused to freeze.
> Announced: 2000-12-26
> Affects: XFree86 Version 3.3.6 / X Window System [on SuSE 6.4]
>          Other versions not tested.
[Snip]

Stock XFree86 4.0.1 appears not to be vulnerable. Not so much as a hiccup, in fact. I'm running Slackware 7.0, but XFree was installed separately so that shouldn't make a difference.

> Note: This entire advisory has been based upon trial-and-error results. We cannot ensure the information below is 100% correct, since we have no source code to audit. This document is subject to change without prior notice.
[Snip]

Um, what? You've gone insane if you think XFree86 doesn't have public source code. No comprehensible public source code, granted... :-)

> I. Problem Description
> -----------------------
> When a large number of characters are sent to the X-windows daemon (port 6000), X-windows will become laggy for a few seconds, so if one would send a lot of characters to it in a continuous loop, the server will freeze! The only thing that works, as far as I know, to get X back to work is a reboot.
[Snip]

Not so. Did you even try the Ctrl-Alt-BkSp kill stroke? If that fails, you can usually log in remotely and try "killall -TERM X" to give X a chance to shut down cleanly. And if *that* fails, a "killall -KILL X" followed by a "unset DISPLAY; X :0.0" should kill X rudely and reset the video hardware (kill the second X with the kill stroke mentioned before). And this is all assuming that the X server has truly crashed and that this isn't just a DoS that will clear up as soon as the attacker stops.

> II. Impact
> ----------
[Snip]

Numerous problems with your code: gcc doesn't like the ISO-8859-1 non-breaking spaces you (or your mail client) used, the program crashes unless you give it a hostname, it connects to the wrong port due to endian problems, and it throws away DNS information that it just looked up. Here's a patch just to get it to run properly (after running "perl -p -e 'tr/\xA0/ /;' < linnuke.c > linnuke.c.new" or equivalent so it will compile).

### Begin diff ### - --- linnuke.c.old Tue Jan 2 14:41:29 2001 +++ linnuke.c Tue Jan 2 14:26:01 2001 @@ -57,8 +57,8 @@ fprintf(stderr, "Socket() !\n"); exit(sock); } sin.sin_family = AF_INET; - - sin.sin_port = 6000; - - sin.sin_addr.s_addr = inet_addr(argv[1]); + sin.sin_port = htons(6000); + sin.sin_addr.s_addr = *(unsigned long*)hp->h_addr_list[0]; conn = connect(sock, (struct sockaddr *)&sin, sizeof(sin)); if (conn < 0) ### End diff ###

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6Uj+DU8Th8kkMpg4RAsYHAKCFCLh0q1tt7gGnbvaHRdES/nPtjQCfYEOR
4naSZsf63Gyx2LlKvIzoOB8=
=7/4z
-----END PGP SIGNATURE-----
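Review bot: the replacement address copy in the `+` line, `sin.sin_addr.s_addr = *(unsigned long*)hp->h_addr_list[0];`, reads sizeof(unsigned long) bytes out of a buffer that holds only h_length bytes (4 for AF_INET), so on platforms where long is 64 bits it over-reads the hostent record and then truncates into the 32-bit s_addr; copy exactly the bytes the resolver returned instead, e.g. `memcpy(&sin.sin_addr, hp->h_addr_list[0], hp->h_length);`. The same line dereferences `hp` with no NULL check visible in the hunk; gethostbyname() returns NULL on a failed lookup, so the check belongs between the lookup and this assignment. A smaller point in the unchanged context: `exit(sock);` passes the (negative, on failure) socket descriptor as the process exit status, which is misleading; `exit(1);` says what is meant. The `htons(6000)` change is the correct fix for the port byte-order problem.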
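The two fixes the reply describes (port in network byte order, and actually using the address the DNS lookup returned) are the standard way to populate a sockaddr_in, and the cast in the patch is the one part of it that does not port cleanly. The following is an added example, not code from the original message or from linnuke.c, showing the portable form: htons() for the port, memcpy() of exactly h_length bytes for the address, and a NULL/family check on the gethostbyname() result. The function names fill_sockaddr_in, resolve_ipv4 and self_check are assumptions introduced here; the loopback bytes in main() are constructed input.

```c
/* Added example (not the patch on this page and not linnuke.c): filling a
 * sockaddr_in from a resolver result without the *(unsigned long*) cast.
 * The cast reads sizeof(unsigned long) bytes from an h_length-byte buffer,
 * which over-reads where long is 64 bits; memcpy with a length check does not. */
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Fill *sin with an IPv4 address of addr_len raw bytes and a host-order port.
 * Returns 0 on success, -1 if addr is NULL or addr_len is not 4 (for example
 * an AF_INET6 record, or a truncated one). */
int fill_sockaddr_in(struct sockaddr_in *sin, const void *addr, int addr_len,
                     unsigned short port)
{
    if (addr == NULL || addr_len != (int)sizeof(struct in_addr))
        return -1;
    memset(sin, 0, sizeof(*sin));
    sin->sin_family = AF_INET;
    sin->sin_port = htons(port);             /* network byte order, as in the patch */
    memcpy(&sin->sin_addr, addr, (size_t)addr_len); /* exactly h_length bytes, no cast */
    return 0;
}

/* Wrapper around gethostbyname(): checks for a failed lookup and for the
 * address family before copying. Returns 0 on success, -1 on failure.
 * (Not exercised by self_check(), since it needs a resolver.) */
int resolve_ipv4(const char *host, unsigned short port, struct sockaddr_in *sin)
{
    struct hostent *hp = gethostbyname(host);
    if (hp == NULL || hp->h_addrtype != AF_INET || hp->h_addr_list[0] == NULL)
        return -1;
    return fill_sockaddr_in(sin, hp->h_addr_list[0], hp->h_length, port);
}

/* Offline checks on constructed input. Returns 1 if every check passes. */
int self_check(void)
{
    struct sockaddr_in sin;
    /* Constructed input: 127.0.0.1 as the four raw bytes h_addr_list[0] holds. */
    const unsigned char loopback[4] = {127, 0, 0, 1};

    if (fill_sockaddr_in(&sin, loopback, 4, 6000) != 0)
        return 0;
    if (sin.sin_family != AF_INET)
        return 0;
    if (ntohs(sin.sin_port) != 6000)           /* port survives the byte swap */
        return 0;
    if (sin.sin_addr.s_addr != htonl(0x7f000001u)) /* bytes copied in order */
        return 0;
    /* A 16-byte (IPv6-sized) record and a NULL pointer are both rejected
     * instead of being read past the end. */
    if (fill_sockaddr_in(&sin, loopback, 16, 6000) != -1)
        return 0;
    if (fill_sockaddr_in(&sin, NULL, 4, 6000) != -1)
        return 0;
    return 1;
}

int main(void)
{
    struct sockaddr_in sin;
    char buf[INET_ADDRSTRLEN];
    const unsigned char loopback[4] = {127, 0, 0, 1}; /* constructed input */

    if (fill_sockaddr_in(&sin, loopback, 4, 6000) == 0 &&
        inet_ntop(AF_INET, &sin.sin_addr, buf, sizeof buf) != NULL)
        printf("%s:%u\n", buf, (unsigned)ntohs(sin.sin_port));
    printf("self_check: %s\n", self_check() ? "ok" : "FAILED");
    return 0;
}
```

The length check is what replaces the cast: a hostent from a resolver may carry an address family and length the caller did not expect, and copying h_length bytes into a struct in_addr only makes sense when the two sizes agree.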