GNOME gdm XDMCP Buffer Overflow Vulnerability
BID:1233
Info
| Bugtraq ID: | 1233 |
| Class: | Boundary Condition Error |
| CVE: | CVE-2000-0491 |
| Remote: | Yes |
| Local: | No |
| Published: | May 22 2000 12:00AM |
| Updated: | Jul 11 2009 01:56AM |
| Credit: | This vulnerability was posted to the Bugtraq mailing list on May 22, 2000 by Chris Evans. |
| Vulnerable: | Martin K. Peterson gdm 2.2.0; Martin K. Peterson gdm 2.0.x BETA; Martin K. Peterson gdm 1.0.x |
| Not Vulnerable: | Turbolinux Turbolinux 6.0; Slackware OpenLinux 7.0; Slackware Linux 4.0; Slackware Linux 3.9; Slackware Linux 3.6; Slackware Linux 3.5; Slackware Linux 3.4; Slackware Linux 3.3; Redhat Linux 6.2 i386; Redhat Linux 6.1 i386; Redhat Linux 6.0; Mandriva Linux Mandrake 7.0; Mandriva Linux Mandrake 6.1; Mandriva Linux Mandrake 6.0; Debian Linux 2.3; Debian Linux 2.2; Debian Linux 2.1 |
Discussion
A buffer overrun exists in the XDMCP handling code used in 'gdm', an xdm replacement, shipped as part of the GNOME desktop. By sending a maliciously crafted XDMCP message, it is possible for a remote attacker to execute arbitrary commands as root on the susceptible machine. The problem lies in the handling of the display information sent as part of an XDMCP 'FORWARD_QUERY' request.
By default, gdm is not configured to listen via XDMCP. The versions of gdm shipped with RedHat 6.0-6.2, Helix GNOME and gdm built from source are not vulnerable unless they were configured to accept XDMCP requests. On some systems this is configured in /etc/X11/gdm/gdm.conf, although the file may vary. If the "Enable" variable is set to 0, you are not susceptible.
Solution / Fix
Solution:
Changing the contents of the 'Enable' variable to 0 in the gdm configuration file (often /etc/X11/gdm/gdm.conf) will eliminate this vulnerability.
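A section-aware check of that setting, as an added example rather than code from the advisory or from gdm. It assumes gdm.conf is INI-style, that the 'Enable' key in question sits in an [xdmcp] section, and that other sections such as [debug] carry their own 'Enable' key, which is why a plain search for "Enable=0" is not a reliable audit.

```python
import sys

# Assumptions (not from the advisory): gdm.conf is INI-style, the key lives in
# an [xdmcp] section, and other sections such as [debug] have their own Enable.
TRUTHY = {"1", "true", "yes", "on"}
FALSY = {"0", "false", "no", "off"}

# Constructed sample: a plain grep for "Enable=0" would match [debug] and
# miss that XDMCP itself is switched on.
SAMPLE = """\
[debug]
Enable=0

[xdmcp]
# Enable=0
Enable = 1
Port=177
"""


def xdmcp_state(conf_text):
    """Return 'enabled', 'disabled', 'review' (unrecognised value) or 'unset'."""
    section, seen = None, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if section == "xdmcp" and sep and key.strip().lower() == "enable":
            seen.append(value.strip().lower())
    if any(v in TRUTHY for v in seen):
        return "enabled"  # conservative: any enabling line counts
    if any(v not in FALSY for v in seen):
        return "review"
    return "disabled" if seen else "unset"


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/X11/gdm/gdm.conf"
    with open(path, encoding="utf-8", errors="replace") as fh:
        state = xdmcp_state(fh.read())
    print(f"{path}: XDMCP {state}")
    sys.exit(1 if state in ("enabled", "review") else 0)
```

The script exits non-zero when the setting is enabled or unrecognised, so it can gate a configuration-management run; pass the path as the first argument where the file lives elsewhere.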
Update available: