[18404] in bugtraq
Re: Securax Advisory 11
daemon@ATHENA.MIT.EDU (Donald King)
Tue Jan 2 19:56:13 2001
Message-Id: <01010214521903.04102@chronos>
Date: Tue, 2 Jan 2001 14:52:19 -0600
Reply-To: Donald King <donald@SAPPIOS.COM>
From: Donald King <donald@SAPPIOS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <000b01c07402$34119ce0$8656e0d5@pandora.be>
On Mon, 01 Jan 2001 08:50 am, incubus wrote:
[Snip]
> Topic: X-windows can be caused to freeze.
> Announced: 2000-12-26
> Affects: XFree86 Version 3.3.6 / X Window System [on SuSE 6.4]
> Other versions not tested.
[Snip]
Stock XFree86 4.0.1 appears not to be vulnerable. Not so much as a hiccup,
in fact. I'm running Slackware 7.0, but XFree was installed separately so
that shouldn't make a difference.
> Note: This entire advisory has been based upon trial-and-error results.
> We cannot ensure the information below is 100% correct, as we have
> no source code to audit. This document is subject to change without
> prior notice.
>
[Snip]
Um, what? You've gone insane if you think XFree86 doesn't have public
source code. No comprehensible public source code, granted... :-)
> I. Problem Description
> -----------------------
>
> When a large number of characters is sent to the X-windows daemon (port
> 6000), X-windows will become laggy for a few seconds, so if one would
> send a lot of characters to it in a continuous loop, the server will
> freeze! The only thing that works, as far as I know, to get X back to work
> is a reboot.
>
[Snip]
Not so. Did you even try the Ctrl-Alt-BkSp kill stroke? If that fails,
you can usually log in remotely and try "killall -TERM X" to give X a
chance to shut down cleanly. And if *that* fails, a "killall -KILL X"
followed by a "unset DISPLAY; X :0.0" should kill X rudely and reset the
video hardware (kill the second X with the kill stroke mentioned before).
And this is all assuming that the X server has truly crashed and that this
isn't just a DoS that will clear up as soon as the attacker stops.
> II. Impact
> ----------
>
[Snip]
Numerous problems with your code: gcc doesn't like the ISO-8859-1
non-breaking spaces you (or your mail client) used, the program crashes
unless you give it a hostname, it connects to the wrong port due to endian
problems, and it throws away DNS information that it just looked up.
Here's a patch just to get it to run properly (after running "perl -p -e
'tr/\xA0/ /;' < linnuke.c > linnuke.c.new" or equivalent so it will
compile).
### Begin diff ###
- --- linnuke.c.old Tue Jan 2 14:41:29 2001
+++ linnuke.c Tue Jan 2 14:26:01 2001
@@ -57,8 +57,8 @@
fprintf(stderr, "Socket() !\n"); exit(sock);
}
sin.sin_family = AF_INET;
- - sin.sin_port = 6000;
- - sin.sin_addr.s_addr = inet_addr(argv[1]);
+ sin.sin_port = htons(6000);
+ sin.sin_addr.s_addr = *(unsigned long*)hp->h_addr_list[0];
conn = connect(sock, (struct sockaddr *)&sin, sizeof(sin));
if (conn < 0)
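Review bot: the address copy on the line `+ sin.sin_addr.s_addr = *(unsigned long*)hp->h_addr_list[0];` reads sizeof(unsigned long) bytes from a buffer that is only h_length (4 for AF_INET) bytes long, so on LP64 platforms it over-reads past the end of the address; prefer `memcpy(&sin.sin_addr, hp->h_addr_list[0], hp->h_length);` (or `sin.sin_addr = *(struct in_addr *)hp->h_addr;`), and make sure the gethostbyname() result hp is checked for NULL before it is dereferenced, which nothing in the visible hunk does. The `htons(6000)` change for sin_port is correct. Note also that PGP clearsigning has dash-escaped the `---` file header and the removed lines as `- ---` and `- -`, so patch(1) will reject this hunk until those leading `- ` pairs are stripped.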
### End diff ###
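The sockaddr_in setup discussed in this thread, done portably, as an added example that is not code from either post: it shows which port a host-order `6000` actually lands on when htons() is omitted, and fills the address with memcpy() of h_length bytes instead of an unsigned long cast. The functions port_actually_used, fill_sockaddr and fake_localhost_hostent are my names, and the hostent is constructed inline (127.0.0.1) so it runs without DNS.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Port the kernel would use when a host-order value is stored in sin_port
 * without htons(), as in the original linnuke.c. */
uint16_t port_actually_used(uint16_t host_order_port)
{
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_port = host_order_port;   /* the bug: no htons() */
    return ntohs(sin.sin_port);       /* what actually goes on the wire */
}

/* Portable fill: htons() for the port, memcpy() of exactly h_length bytes for
 * the address (an unsigned long cast over-reads on LP64 hosts), and a NULL /
 * family / length check so a failed lookup is not dereferenced. */
int fill_sockaddr(struct sockaddr_in *sin, const struct hostent *hp, uint16_t port)
{
    if (hp == NULL || hp->h_addrtype != AF_INET ||
        hp->h_length != (int)sizeof(struct in_addr) ||
        hp->h_addr_list == NULL || hp->h_addr_list[0] == NULL)
        return -1;
    memset(sin, 0, sizeof *sin);
    sin->sin_family = AF_INET;
    sin->sin_port = htons(port);
    memcpy(&sin->sin_addr, hp->h_addr_list[0], (size_t)hp->h_length);
    return 0;
}

/* Constructed hostent for 127.0.0.1, standing in for a gethostbyname() result. */
struct hostent *fake_localhost_hostent(void)
{
    static unsigned char addr[4] = {127, 0, 0, 1};
    static char *list[2] = {(char *)addr, NULL};
    static char name[] = "localhost.example";   /* constructed name */
    static struct hostent hp;
    hp.h_name = name; hp.h_aliases = NULL; hp.h_addrtype = AF_INET;
    hp.h_length = 4;  hp.h_addr_list = list;
    return &hp;
}

int main(void)
{
    struct sockaddr_in sin;
    printf("6000 without htons() reaches port %u\n", port_actually_used(6000));
    if (fill_sockaddr(&sin, fake_localhost_hostent(), 6000) == 0)
        printf("connect target: %s:%u\n", inet_ntoa(sin.sin_addr), ntohs(sin.sin_port));
    return 0;
}
```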