Bugtraq mailing list archives

Re: Securax Advisory 11
From: Donald King <donald () SAPPIOS COM>
Date: Tue, 2 Jan 2001 14:52:19 -0600


On Mon, 01 Jan 2001 08:50 am, incubus wrote:
Topic:          X-windows can be caused to freeze.
Announced:      2000-12-26
Affects:        XFree86 Version 3.3.6 / X Window System [on SuSE 6.4]
                Other versions not tested.

Stock XFree86 4.0.1 appears not to be vulnerable.  Not so much as a hiccup,
in fact.  I'm running Slackware 7.0, but XFree was installed separately so
that shouldn't make a difference.

Note: This entire advisory has been based upon trial and error results.
We can not ensure the information below is 100% correct being that we have
no source code to audit. This document is subject to change without
prior notice.


Um, what?  You've gone insane if you think XFree86 doesn't have public
source code.  No comprehensible public source code, granted... :-)

I.  Problem Description

When a large number of characters are sent to the X-windows daemon (port
6000), X-windows will become laggy for a few seconds, so if one would
send a lot of characters to it, in a continuous loop, the server will
freeze! The only thing that works as far as I know to get X back to work
is a reboot.


Not so.  Did you even try the Ctrl-Alt-BkSp kill stroke?  If that fails,
you can usually log in remotely and try "killall -TERM X" to give X a
chance to shut down cleanly.  And if *that* fails, a "killall -KILL X"
followed by a "unset DISPLAY; X :0.0" should kill X rudely and reset the
video hardware (kill the second X with the kill stroke mentioned before).

And this is all assuming that the X server has truly crashed and that this
isn't just a DoS that will clear up as soon as the attacker stops.

II. Impact


Numerous problems with your code: gcc doesn't like the ISO-8859-1
non-breaking spaces you (or your mail client) used, the program crashes
unless you give it a hostname, it connects to the wrong port due to endian
problems, and it throws away DNS information that it just looked up.
Here's a patch just to get it to run properly (after running "perl -p -e
'tr/\xA0/ /;' < linnuke.c > linnuke.c.new" or equivalent so it will

### Begin diff ###
- --- linnuke.c.old       Tue Jan  2 14:41:29 2001
+++ linnuke.c   Tue Jan  2 14:26:01 2001
@@ -57,8 +57,8 @@
    fprintf(stderr, "Socket() !\n");  exit(sock);
   sin.sin_family = AF_INET;
- -  sin.sin_port = 6000;
- -  sin.sin_addr.s_addr = inet_addr(argv[1]);
+  sin.sin_port = htons(6000);
+  sin.sin_addr.s_addr = *(unsigned long*)hp->h_addr_list[0];

   conn = connect(sock, (struct sockaddr *)&sin, sizeof(sin));
  if (conn < 0)
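Review bot: the replacement line `sin.sin_addr.s_addr = *(unsigned long*)hp->h_addr_list[0];` reads sizeof(unsigned long) bytes from a buffer that gethostbyname() fills with only h_length (4) bytes, so on LP64 platforms it over-reads past the address and then truncates on assignment; `memcpy(&sin.sin_addr, hp->h_addr_list[0], hp->h_length)` does the same job portably and without the aliasing problem. The hunk does not show where hp is assigned or tested for NULL, so that check deserves confirming before the dereference. Two smaller points: the `- -` prefixes on the removed lines are PGP clearsign dash-escaping and must be stripped to a single `-` before patch(1) will apply the hunk, and `exit(sock)` on the Socket() failure path exits with -1 (status 255) where a plain `exit(1)` would be clearer.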
### End diff ###
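The two defects the reply diagnoses in the posted code, the missing htons() on the port and the discarded (or mis-copied) gethostbyname() result, are worth seeing in isolation. The following is an added illustration written for this archive page; it is not code from the Securax advisory, from linnuke.c, or from Donald King's patch. It builds a constructed hostent in place of a real DNS lookup so that it runs offline, and it never opens a socket: it only shows which port the kernel would actually dial and how to copy the looked-up address safely.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* Added illustration, not code from the advisory or the patch. */

/* 1 on little-endian hosts (x86), 0 on big-endian ones. */
int is_little_endian(void)
{
    uint16_t probe = 1;
    unsigned char first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

/* Port the kernel really connects to when sin_port is assigned a host-order
 * value directly (the bug in the original code). sin_port is read in network
 * byte order, so on x86 6000 (0x1770) is seen as 0x7017 = 28695. */
uint16_t effective_port_naive(uint16_t port)
{
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_port = port;          /* bug: no htons() */
    return ntohs(sin.sin_port);   /* what the kernel sees */
}

/* The same assignment done correctly: the value survives the round trip. */
uint16_t effective_port_fixed(uint16_t port)
{
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_port = htons(port);
    return ntohs(sin.sin_port);
}

/* Copy the first address of a hostent into an in_addr. Returns 0 on success,
 * -1 if the lookup failed or did not yield a 4-byte IPv4 address. Using
 * memcpy() with the checked length avoids casting the address buffer to
 * unsigned long, which over-reads on LP64 platforms. */
int copy_first_ipv4(struct in_addr *dst, const struct hostent *hp)
{
    if (hp == NULL || hp->h_addrtype != AF_INET ||
        hp->h_length != (int)sizeof(struct in_addr) ||
        hp->h_addr_list == NULL || hp->h_addr_list[0] == NULL)
        return -1;
    memcpy(dst, hp->h_addr_list[0], sizeof(struct in_addr));
    return 0;
}

/* Constructed hostent standing in for a gethostbyname("localhost") result
 * (assumption: a real program would call gethostbyname() or getaddrinfo()).
 * Returns the copied address in host order, 0x7F000001 for 127.0.0.1, or 0
 * if copy_first_ipv4() rejected the record. */
uint32_t resolve_constructed_localhost(void)
{
    char name[] = "localhost";
    char loop[4] = {127, 0, 0, 1};
    char *addrs[] = { loop, NULL };
    struct hostent fake;
    struct in_addr a;

    memset(&fake, 0, sizeof fake);
    fake.h_name = name;
    fake.h_addrtype = AF_INET;
    fake.h_length = sizeof(struct in_addr);
    fake.h_addr_list = addrs;

    if (copy_first_ipv4(&a, &fake) != 0)
        return 0;
    return ntohl(a.s_addr);
}

/* A failed lookup (NULL hostent) must be rejected, not dereferenced. */
int copy_rejects_null(void)
{
    struct in_addr a;
    return copy_first_ipv4(&a, NULL) == -1;
}

int main(void)
{
    char buf[INET_ADDRSTRLEN];
    struct in_addr a;

    printf("naive 6000 -> port %u, fixed 6000 -> port %u\n",
           effective_port_naive(6000), effective_port_fixed(6000));
    a.s_addr = htonl(resolve_constructed_localhost());
    printf("constructed lookup copied as %s\n",
           inet_ntop(AF_INET, &a, buf, sizeof buf));
    return 0;
}
```

On an x86 box the first line of output reports the naive port as 28695 rather than 6000, which is the reason the unpatched program "connects to the wrong port"; on a big-endian host the two numbers coincide and the bug stays hidden, which is why such code often survives testing on one architecture.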


