XDMCP Infinite Loop Denial of Service Vulnerability
BID:1409
Info
XDMCP Infinite Loop Denial of Service Vulnerability
| Bugtraq ID: | 1409 |
| Class: | Failure to Handle Exceptional Conditions |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Jun 19 2000 12:00AM |
| Updated: | Jun 19 2000 12:00AM |
| Credit: | This vulnerability was posted to the Bugtraq mailing list on June 19, 2000 by Chris Evans <[email protected]> |
| Vulnerable: |
XFree86 X11R6 4.0 XFree86 X11R6 3.3.6 XFree86 X11R6 3.3.5 XFree86 X11R6 3.3.4 XFree86 X11R6 3.3.3 Open Group X 11.0 R6.4 Open Group X 11.0 R6.3 Open Group X 11.0 R6.2 Open Group X 11.0 R6.1 Open Group X 11.0 R6 |
| Not Vulnerable: | |
Discussion
XDMCP Infinite Loop Denial of Service Vulnerability
A programming flaw exists in OpenDis.c file of libX11 that could result in a denial of service against things listening to XDMCP, including xdm. By altering the contents of the server reply packet to a connection establishment request, it is possible to cause an infinite loop in the affected function. Doing this multiple times can cause a denial of service attack.
The flaw stems from the use of the dpy->resource_mask value, received from the network, to control a loop. By passing a mask value of 0, the loop will never end.
lib/X11/OpenDis.c, ~line 373
mask = dpy->resource_mask;
dpy->resource_shift = 0;
while (!(mask & 1)) {
dpy->resource_shift++;
mask = mask >> 1;
}
A programming flaw exists in OpenDis.c file of libX11 that could result in a denial of service against things listening to XDMCP, including xdm. By altering the contents of the server reply packet to a connection establishment request, it is possible to cause an infinite loop in the affected function. Doing this multiple times can cause a denial of service attack.
The flaw stems from the use of the dpy->resource_mask value, received from the network, to control a loop. By passing a mask value of 0, the loop will never end.
lib/X11/OpenDis.c, ~line 373
mask = dpy->resource_mask;
dpy->resource_shift = 0;
while (!(mask & 1)) {
dpy->resource_shift++;
mask = mask >> 1;
}
Exploit / POC
XDMCP Infinite Loop Denial of Service Vulnerability
See discussion for exploit information.
See discussion for exploit information.
Solution / Fix
XDMCP Infinite Loop Denial of Service Vulnerability
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Altering the code in OpenDis.c to check for mask being 0 will eliminate this problem. Prefacing the while() loop with a check for mask being 0 is one way to do this, as is adding a check in the while loop for values of mask == 0.
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Altering the code in OpenDis.c to check for mask being 0 will eliminate this problem. Prefacing the while() loop with a check for mask being 0 is one way to do this, as is adding a check in the while loop for values of mask == 0.
References
XDMCP Infinite Loop Denial of Service Vulnerability
References:
References: