lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040323.193955.2004162862.johan@giantfoo.org>
Date: Tue, 23 Mar 2004 19:39:55 -0600 (CST)
From: Johan A.van Zanten <johan@...anglers.com>
To: dave@...unitysec.com
Cc: bugtraq@...urityfocus.com
Subject: Re: Immunity Advisory: dtlogin remote root



Dave Aitel <dave@...unitysec.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Technical Summary: A double-free weakness in the XDMCP parser of
> dtlogin (CDE) results in remote code execution against popular server
> operating systems, such as Solaris. Linux is not vulnerable, to
> Immunity's knowledge. This attack is performed over UDP port 177.
> 
> dtlogin is also the program that displays the login screen, so killing
> it blindly is not recommended.
> 
> The full advisory in pdf form is available at:
> http://www.immunitysec.com/downloads/dtlogin.sxw.pdf
> 
> This is one of the new vulnerabilities in the Shellcoder's Handbook.

 The PDF version of your advisory indicates that your upcoming (29 Mar
2004, according to those patent-happy people over at amazon.com) book
includes scripts that can be used to test for the vulnerability. Are you
going to provide any scripts or code fragments so that people can test
their systems?  As things stand, it looks a lot like you're trying to
generate book sales by releasing a content-light advisory 6 days before
your book comes out.

 Disabling XDMCP is very easy on Solaris [789] systems, by editing
/etc/dt/config/Xconfig.  "Dtlogin.requestPort" should be set to "0" like
so:

Dtlogin.requestPort:       0

 If /etc/dt/config/Xconfig does not exist, copy the stock default from
 /usr/dt/config/Xconfig to /etc/dt/config/Xconfig and edit it:

cp /usr/dt/config/Xconfig /etc/dt/config/Xconfig
vi /etc/dt/config/Xconfig

... and uncomment the line that reads "# Dtlogin.requestPort:       0"

 There's even a helpful comment, for those who care to look:

#  To disable listening for XDMCP requests from X-terminals.

  XDMCP is only necessary on machines who manage other X servers.  So a
stand-alone work station whose dtlogin does not manage any other X servers
can use the work around listed above.

 On machines that do need to use XDMCP, see the parameter
"Dtlogin.accessFile" (also in /etc/dt/config/Xconfig). It MAY help, but it
may not.

The dtlogin man page (/usr/dt/share/man/man1/dtlogin.1) says this about
it:


  accessFile
     To prevent unauthorized XDMCP service and to allow  forward-
     ing  of  XDMCP  IndirectQuery requests, this file contains a
     database of hostnames which are either allowed direct access
     to  this  machine,  or have a list of hosts to which queries
     should  be  forwarded  to.   The  format  of  this  file  is
     described  in  the  Xaccess  section.  If not set, all hosts
     will be allowed XDMCP service.


 Also make sure to read the section entitled "The Xaccess File."


 This workaround for machines who need to allow dtlogin to listen for
XDMCP may NOT protect against the vulnerability, but it's probably better
than nothing.

(Here's where having those unreleased scripts would greatly help in
 testing.)

 Headless servers that do not run X (do not have a frame buffer) or need
to manage any remote X servers should have dtlogin completely disabled.
This can be done like so:

/etc/init.d/dtlogin stop    # should kill dtlogin, but make sure with ps.
cd /etc/rc2.d
mkdir Disabled
mv S99dtlogin Disabled		# Prevents dtlogin from being started 
				# next boot.

 It's always a good idea to double check that S99dtlogin hasn't been
re-created after you install Solaris patches.



Johan van Zanten		   \ "And so once again we find that the evil
System Wrangler			    \  of the past seeps into the present,
Tumbleweed Electron Wranglers, Inc.  \  like salad dressing through
				      \  cheap waxed paper." - The Tick


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ