Re: Securax Advisory 11
From: Donald King <donald () SAPPIOS COM>
Date: Tue, 2 Jan 2001 14:52:19 -0600
On Mon, 01 Jan 2001 08:50 am, incubus wrote:
> Topic: X-windows can be caused to freeze.
> Affects: XFree86 Version 3.3.6 / X Window System [on SuSE 6.4]
> Other versions not tested.
Stock XFree86 4.0.1 appears not to be vulnerable. Not so much as a hiccup,
in fact. I'm running Slackware 7.0, but XFree was installed separately so
that shouldn't make a difference.
> Note: This entire advisory has been based upon trial and error results.
> We can not ensure the information below is 100% correct being that we have
> no source code to audit. This document is subject to change without
Um, what? You've gone insane if you think XFree86 doesn't have public
source code. No comprehensible public source code, granted... :-)
> I. Problem Description
> When a large number of characters is sent to the X-windows daemon (port
> 6000), X-windows will become laggy for a few seconds, so if one would
> send a lot of characters to it, in a continuous loop, the server will
> freeze! The only thing that works, as far as I know, to get X back to work
> is a reboot.
Not so. Did you even try the Ctrl-Alt-BkSp kill stroke? If that fails,
you can usually log in remotely and try "killall -TERM X" to give X a
chance to shut down cleanly. And if *that* fails, a "killall -KILL X"
followed by a "unset DISPLAY; X :0.0" should kill X rudely and reset the
video hardware (kill the second X with the kill stroke mentioned before).
And this is all assuming that the X server has truly crashed and that this
isn't just a DoS that will clear up as soon as the attacker stops.
Numerous problems with your code: gcc doesn't like the ISO-8859-1
non-breaking spaces you (or your mail client) used, the program crashes
unless you give it a hostname, it connects to the wrong port due to endian
problems, and it throws away DNS information that it just looked up.
Here's a patch just to get it to run properly (after running "perl -p -e
'tr/\xA0/ /;' < linnuke.c > linnuke.c.new" or equivalent so it will
### Begin diff ###
- --- linnuke.c.old Tue Jan 2 14:41:29 2001
+++ linnuke.c Tue Jan 2 14:26:01 2001
@@ -57,8 +57,8 @@
fprintf(stderr, "Socket() !\n"); exit(sock);
sin.sin_family = AF_INET;
- - sin.sin_port = 6000;
- - sin.sin_addr.s_addr = inet_addr(argv);
+ sin.sin_port = htons(6000);
+ sin.sin_addr.s_addr = *(unsigned long*)hp->h_addr_list;
conn = connect(sock, (struct sockaddr *)&sin, sizeof(sin));
if (conn < 0)
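Review bot: the added line `+ sin.sin_addr.s_addr = *(unsigned long*)hp->h_addr_list;` casts the `char **` array pointer itself and dereferences it, so it stores the value of the first pointer in the list rather than the address bytes it points to; copy from the first entry instead, e.g. `memcpy(&sin.sin_addr, hp->h_addr_list[0], hp->h_length);`. `unsigned long` is also wider than `s_addr` on 64-bit targets, so the cast would read the wrong width even if it pointed at the right bytes. The `htons(6000)` change in the same hunk is correct.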
### End diff ###
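Donald lists three defects in the posted program (no check that a hostname was given, the port stored without htons(), and the resolver result thrown away). The function below is an added example, not code from the advisory or from the patch above, showing the corrected address setup on its own; the name fill_x_sockaddr and its host/port parameters are my own.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Fill *sin for host:port. Returns 0 on success, -1 when host is missing
 * or does not resolve to an IPv4 address. gethostbyname() is kept because
 * that is what the posted code and patch use; getaddrinfo() is the modern
 * replacement. (Added example; fill_x_sockaddr is a name of my own.) */
int fill_x_sockaddr(const char *host, unsigned short port,
                    struct sockaddr_in *sin)
{
    struct hostent *hp;

    /* Bug 1: the original used argv without checking a hostname was given. */
    if (host == NULL || host[0] == '\0' || sin == NULL)
        return -1;

    /* Bug 3: the original looked the name up, then ignored the result. */
    hp = gethostbyname(host);
    if (hp == NULL || hp->h_addrtype != AF_INET ||
        hp->h_length != (int)sizeof(sin->sin_addr) || hp->h_addr_list[0] == NULL)
        return -1;

    memset(sin, 0, sizeof(*sin));
    sin->sin_family = AF_INET;
    /* Bug 2: sin_port is in network byte order. A raw 6000 (0x1770) on a
     * little-endian host is seen by the peer as port 0x7017 = 28695. */
    sin->sin_port = htons(port);
    /* h_addr_list is a char **: copy the bytes of the first address, not the
     * pointer value that *(unsigned long *)hp->h_addr_list would read. */
    memcpy(&sin->sin_addr, hp->h_addr_list[0], sizeof(sin->sin_addr));
    return 0;
}

int main(int argc, char **argv)
{
    struct sockaddr_in sin;

    if (argc < 2 || fill_x_sockaddr(argv[1], 6000, &sin) != 0) {
        fprintf(stderr, "usage: %s <host>\n", argv[0]);
        return 1;
    }
    printf("%s resolves to %s, port %u\n", argv[1],
           inet_ntoa(sin.sin_addr), (unsigned)ntohs(sin.sin_port));
    return 0;
}
```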