Vulnerability Development: possible gnome remote overflow

possible gnome remote overflow

From: Ryan Permeh <rrpermeh_at_RCONNECT.COM>
Date: Mon, 18 Oct 1999 14:48:21 -0500

ok, I was playing around with netcat, and experienced the following issue (I attempted with stock RH 6.0 gnome dist, and october release gnome dist). Not certain where the problem lies, my guess is somewhere within gnome-ses, but I'm not certain, as my core debug skills are a bit weak.

to make the problem recur:

1. use nmap (remote) or lsof (local) to discern what port gnome-ses is running on. It is a port > 1024, and I've seen it range between 1350 and 2100.
2. use netcat to send data to the port in the following manner:
    nc host.example.org 1353 < /boot/vmlinuz | nc host.example.org 1353

this dumps the kernel image to the gnome-ses port (it is likely not 1353 on your box, it dynamically picks a port at startup) and it dumps the output from the gnome-ses port to another connection of the gnome-ses port. It doesn't matter what you dump, as long as it is somewhat large.

This will crash an open X session, even from remote. I do not know a lot about gnome, but I do know X sessions crashing is generally regarded as a "Bad Thing". I poked at the code a bit, but couldn't find the piece where this is likely happening. Gnome-ses runs as the owner of the X session, is TCP based, and hence, if this is an overflow, it seems likely that this could be exploited remotely (very very bad thing for people who use root to use X).

please check this out, and hopefully, we can get a working fix/exploit together to take to the gnome folks.

Ryan
Received on Oct 18 1999
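A defender-side check for the exposure the post describes, added here and not part of Ryan's message: it parses lsof -i -P -n style output (the sample lines below are constructed, not captured) and reports any gnome-ses TCP listener bound to something other than loopback, which is the condition that makes the crash reachable from another host.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed lsof-style
# sample lines; real output comes from: lsof -i TCP -P -n
SAMPLE_LSOF='COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
gnome-ses  1234 alice   3u  IPv4  12345      0t0  TCP *:1353 (LISTEN)
gnome-ses  1234 alice   5u  IPv4  12346      0t0  TCP 127.0.0.1:1421 (LISTEN)
sshd        900 root    3u  IPv4   9001      0t0  TCP *:22 (LISTEN)'

# exposed_gnome_listeners: read lsof -i -P -n lines on stdin and print
# "pid port" for every gnome-ses TCP listener that is not loopback-only.
# Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME (LISTEN)
exposed_gnome_listeners() {
    awk '$1 ~ /^gnome-ses/ && $8 == "TCP" && $10 == "(LISTEN)" {
        addr = $9; sub(/:[0-9]+$/, "", addr)   # strip ":port" -> address
        port = $9; sub(/.*:/, "", port)        # keep only the port
        if (addr != "127.0.0.1" && addr != "[::1]") print $2, port
    }'
}

# check_live_host: run the same check against the local machine, if lsof
# is installed. Exit status 1 means at least one exposed listener was found.
check_live_host() {
    command -v lsof >/dev/null 2>&1 || { echo "lsof not found" >&2; return 2; }
    found=$(lsof -i TCP -P -n 2>/dev/null | exposed_gnome_listeners)
    [ -z "$found" ] && return 0
    echo "gnome-session reachable from the network (pid port):"
    echo "$found"
    return 1
}

# Demonstration on the constructed sample; pass --live to inspect this host.
if [ "$1" = "--live" ]; then
    check_live_host
else
    printf '%s\n' "$SAMPLE_LSOF" | exposed_gnome_listeners
fi
```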
