Common Desktop Environment DTLogin XDMCP Parser Remote Double Free Vulnerability
BID: 9958
Info
| Bugtraq ID: | 9958 |
| Class: | Design Error |
| CVE: | CVE-2004-0368 |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 23 2004 12:00AM |
| Updated: | Jul 12 2009 03:06AM |
| Credit: | Discovery of this issue is credited to Dave Aitel <[email protected]>. |

Vulnerable:
- Xi Graphics DeXtop 3.0
- Xi Graphics DeXtop 2.1
- Sun Solaris 9_x86
- Sun Solaris 9
- Sun Solaris 8_x86
- Sun Solaris 8_sparc
- Sun Solaris 7.0_x86
- Sun Solaris 7.0
- SCO Unixware 7.1.4
- SCO Unixware 7.1.3
- SCO Unixware 7.1.1
- Open Group CDE Common Desktop Environment 2.1 20
- Open Group CDE Common Desktop Environment 2.1
- Open Group CDE Common Desktop Environment 2.0
- Open Group CDE Common Desktop Environment 1.2
- Open Group CDE Common Desktop Environment 1.1
- Open Group CDE Common Desktop Environment 1.0.2
- Open Group CDE Common Desktop Environment 1.0.1
- IBM AIX 4.3.3
- IBM AIX 5.2
- IBM AIX 5.1
- HP HP-UX 11.23
- HP HP-UX 11.22
- HP HP-UX 11.11
- HP HP-UX 11.0 4
- HP HP-UX 11.0
- Avaya Interactive Response
- Avaya CMS Server 11.0
- Avaya CMS Server 9.0
- Avaya CMS Server 8.0

Not Vulnerable: (none listed)
Discussion
It has been reported that a double free vulnerability exists in the dtlogin process of CDE. The issue arises because free() is called more than once on the same allocated chunk of memory while dtlogin parses XDMCP requests, and the affected code is reached prior to any authorization.
Successful exploitation could corrupt an arbitrary location in memory and ultimately allow an attacker to control the execution flow of the affected process.
Exploit / POC
It has been reported that an exploit has been developed to leverage this issue, although it is currently not publicly available.
CORE has developed a working commercial exploit for their IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.
Solution / Fix
Solution:
SCO has released an advisory (SCOSA-2005.18) and fixes to address this issue for UnixWare platforms. Please see the referenced advisory for further information.
Sun has released an updated Security Bulletin (Sun Alert ID: 57539) for this issue that includes fix information for Solaris 7, 8 and 9. Fixes are referenced below.
Avaya has released an advisory that acknowledges this vulnerability in Avaya IR (Interactive Response) and CMS systems. Avaya recommends that customers disable the XDMCP service to work around this issue; this can be accomplished as follows.
From the command line run:
```
cp /usr/dt/config/Xconfig /etc/dt/config/Xconfig
vi /etc/dt/config/Xconfig
```
Uncomment the line that reads:
```
# Dtlogin.requestPort: 0
```
Restart the dtlogin server:
```
/etc/rc2.d/S99dtlogin stop
/etc/rc2.d/S99dtlogin start
```
Avaya reports that fixes may be made available in the future; further information can be found in the advisory at the following location:
http://support.avaya.com/japple/css/japple?temp.groupID=128450&temp.selectedFamily=128451&temp.selectedProduct=154235&temp.selectedBucket=126655&temp.feedbackState=askForFeedback&temp.documentID=195188&PAGE=avaya.css.CSSLvl1Detail&executeTransaction=avaya.css.UsageUpdate()
IBM has released an advisory (APR-27-2004-DTLOGIN) and APARs to address this issue. Customers are advised to apply an appropriate APAR as soon as possible. Further information on obtaining and applying APARs can be found in the referenced advisory.
Sun has released a Security Bulletin for this issue that includes fix information. This bulletin has also been revised to include fixes for Solaris 9.0.
HP has released advisory HPSBUX01038 (SSRT4721) for this issue. Please see the referenced advisory for more information and details on obtaining fixes.
Sun has released an update to its security bulletin with an expanded workaround/relief section. Please see the referenced web advisory for more information.
SGI has released advisory 20040801-01-P with fixes to address this issue. Please see the referenced advisory for further information.
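As an added example (not Avaya's or SecurityFocus's code), the following POSIX sh functions check whether an Xconfig file already has XDMCP requests disabled and, if not, apply the `Dtlogin.requestPort: 0` setting the workaround above describes; the sample Xconfig content is constructed, the live file on a real host is /etc/dt/config/Xconfig, and dtlogin still has to be restarted afterwards for the change to take effect.

```shell
#!/bin/sh
# Added example: verify and apply the Dtlogin.requestPort workaround on an
# Xconfig file. The sample below is constructed, not a real system file.
SAMPLE_XCONFIG='# constructed Xconfig excerpt for demonstration
# Dtlogin.requestPort: 0'

ACTIVE_RE='^[[:space:]]*Dtlogin\.requestPort:'
COMMENTED_ZERO_RE='^[[:space:]]*#[[:space:]]*Dtlogin\.requestPort:[[:space:]]*0[[:space:]]*$'

# Return 0 when the last active Dtlogin.requestPort line in FILE sets it to 0,
# i.e. dtlogin will not open a UDP port to accept XDMCP requests.
xdmcp_disabled() {
    last=$(grep -E "$ACTIVE_RE" "$1" | tail -n 1)
    [ -n "$last" ] && printf '%s\n' "$last" | grep -Eq ':[[:space:]]*0[[:space:]]*$'
}

# Make FILE disable XDMCP. Idempotent: an already-disabled file is left alone.
disable_xdmcp() {
    file=$1
    tmp="$file.tmp.$$"
    if xdmcp_disabled "$file"; then
        return 0
    fi
    if grep -Eq "$ACTIVE_RE" "$file"; then
        # an active requestPort line with a non-zero port: force its value to 0
        sed -E 's/^([[:space:]]*Dtlogin\.requestPort:)[[:space:]]*[0-9]+[[:space:]]*$/\1 0/' \
            "$file" > "$tmp"
    elif grep -Eq "$COMMENTED_ZERO_RE" "$file"; then
        # stock layout from the advisory: uncomment "# Dtlogin.requestPort: 0"
        sed -E 's/^[[:space:]]*#[[:space:]]*(Dtlogin\.requestPort:[[:space:]]*0)[[:space:]]*$/\1/' \
            "$file" > "$tmp"
    else
        # no requestPort line at all: append the resource
        { cat "$file"; printf 'Dtlogin.requestPort: 0\n'; } > "$tmp"
    fi
    mv "$tmp" "$file" && xdmcp_disabled "$file"
}

# Demonstration on a scratch copy of the constructed sample. On a real host the
# file is /etc/dt/config/Xconfig and dtlogin must be restarted afterwards.
demo=$(mktemp)
printf '%s\n' "$SAMPLE_XCONFIG" > "$demo"
disable_xdmcp "$demo" && echo "XDMCP request port disabled in $demo"
rm -f "$demo"
```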
Fixes:
- IBM AIX 5.1
- Sun Solaris 7.0
- IBM AIX 5.2
- Sun Solaris 9
- Sun Solaris 9_x86
- Sun Solaris 7.0_x86
- Sun Solaris 8_x86
- Sun Solaris 8_sparc
- IBM AIX 4.3.3
- SCO Unixware 7.1.1
  - SCO uw711mp5.txt: ftp://ftp.sco.com/pub/unixware7/uw711pk/uw711mp5.txt
  - SCO uw711mp5_errata.txt: ftp://ftp.sco.com/pub/unixware7/uw711pk/uw711mp5_errata.txt
- SCO Unixware 7.1.3
  - SCO SCOSA-2005.18: ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.18
- SCO Unixware 7.1.4
  - SCO SCOSA-2005.18: ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.18
References
References:
- CDE Product Page (The Open Group)
- dtlogin (CDE) arbitrary free exploit (CORE Security)
- Sun Alert ID: 57539 (Sun)
- Vulnerability Note VU#179804 (US-CERT)
- Xi Graphics Homepage (Xi Graphics)
- Re: Immunity Advisory: dtlogin remote root (Johan A. van Zanten)