XFree86 Xserver Denial of Service Vulnerability

BID:1235

Info

XFree86 Xserver Denial of Service Vulnerability

Bugtraq ID: 1235
Class: Boundary Condition Error
CVE:
Remote: Yes
Local: No
Published: May 18 2000 12:00AM
Updated: May 18 2000 12:00AM
Credit: This vulnerability was posted to the Bugtraq mailing list on May 18, 2000 by Chris Evans <[email protected]>
Vulnerable: XFree86 X11R6 4.0
XFree86 X11R6 3.3.6
+ Debian Linux 2.2
+ Redhat Linux 6.2
XFree86 X11R6 3.3.5
- Redhat Linux 6.1 i386
Not Vulnerable:

Discussion

XFree86 Xserver Denial of Service Vulnerability

A denial of service exists in XFree86 3.3.5, 3.3.6 and 4.0. A remote user can send a malformed packet to the TCP listening port, 6000, which will cause the X server to be unresponsive for some period of time. During this time, the keyboard will not respond to user input, and in some cases, the mouse will also not respond. During this time period, the X server will utilize 100% of the CPU, and can only be repaired by being signaled. This vulnerability exists only in servers compiled with the XCSECURITY #define set. This can be verified by running the following:
strings /path/to/XF86_SVGA | grep "XC-QUERY-SECURITY-1"

To quote the Bugtraq post, by Chris Evans <[email protected]>:
"Observe xc/programs/Xserver/os/secauth.c, AuthCheckSitePolicy():

// dataP is user supplied data from the network
char *policy = *dataP;
int nPolicies;
...
// Oh dear, we can set nPolicies to -1
nPolicies = *policy++;
while (nPolicies) {
// Do some stuff in a loop
...
nPolicies--;
}

So, the counter "nPolicies", if seeded with -1, will decrement towards
about minus 2 billion, then wrap to become positive 2 billion, and head
towards its final destination of 0."

Exploit / POC

XFree86 Xserver Denial of Service Vulnerability

Chris Evans <[email protected]> posted an exploit to Bugtraq for this vulnerability.

Solution / Fix

XFree86 Xserver Denial of Service Vulnerability

Solution:
Solution submitted by Fred Silva <[email protected]>:

Run the X server with the option "-nolisten tcp" set. This option causes the X server to not listen connections from any client. To use this option, simply add it to serverargs variable in the /usr/X11/bin/startx script.

FreeBSD has released fixes for this vulnerability.


XFree86 X11R6 3.3.6

References

XFree86 Xserver Denial of Service Vulnerability

References:
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report