Monday, December 1, 2008

CDE DTLogin X-Windows XDMCP Double Free

Affected Systems:
System    Operating System
          Solaris 8 **
Description:
A double free vulnerability exists in the X Windows Desktop Manager Control Protocol (XDMCP) service bundled with most X Windows implementations.
Recommendation:
For systems that do not require the X Windows system, dtlogin may be disabled. To disable dtlogin, perform the following actions:

1. Stop dtlogin with the following command: "/etc/init.d/dtlogin stop"
2. Move the file "dtlogin" out of the "/etc/init.d" directory.


To disable handling of XDMCP requests sent from remote hosts, perform the following actions:

1. Stop dtlogin with the following command: "/etc/init.d/dtlogin stop"
2. Edit the file "/etc/dt/config/Xconfig" and uncomment the line reading "Dtlogin.requestPort:0".
3. Restart dtlogin with the following command: "/etc/init.d/dtlogin start"
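
A check for the second procedure above, added here as an example and not part of the original advisory or any vendor tooling: it reports whether an Xconfig file has an active "Dtlogin.requestPort: 0" line. The function names are hypothetical, and it assumes that lines starting with "#" or "!" are comments and that the last active setting wins.

```shell
#!/bin/sh
# Added example (not vendor code): audit a dtlogin Xconfig file for the
# "Dtlogin.requestPort: 0" setting. Function names are hypothetical.
# Assumptions: lines starting with '#' or '!' are comments, and the last
# active setting wins. On Solaris set AWK=nawk (old awk lacks sub()).
AWK=${AWK:-awk}

xdmcp_request_port() {
    # Print the active Dtlogin.requestPort value from file $1, if any.
    "$AWK" '
        /^[ \t]*[#!]/ { next }               # commented-out line
        /^[ \t]*Dtlogin[.*]requestPort[ \t]*:/ {
            sub(/^[^:]*:[ \t]*/, "")         # strip the resource name
            sub(/[ \t\r]+$/, "")             # strip trailing blanks
            port = $0; found = 1
        }
        END { if (found) print port }
    ' "$1"
}

xdmcp_status() {
    # Echo MISSING, DEFAULT, DISABLED or LISTENING:<port> for file $1.
    cfg=${1:-/etc/dt/config/Xconfig}
    [ -r "$cfg" ] || { echo MISSING; return 2; }
    port=$(xdmcp_request_port "$cfg")
    case $port in
        0)  echo DISABLED; return 0 ;;
        '') echo DEFAULT; return 1 ;;        # line absent or still commented
        *)  echo "LISTENING:$port"; return 1 ;;
    esac
}

# Constructed sample: setting commented out, then enabled.
sample=${TMPDIR:-/tmp}/Xconfig.sample.$$
printf '%s\n' '# Dtlogin.requestPort: 0' > "$sample"
echo "commented:   $(xdmcp_status "$sample")"
printf '%s\n' 'Dtlogin.requestPort: 0' >> "$sample"
echo "uncommented: $(xdmcp_status "$sample")"
rm -f "$sample"
```

Run `xdmcp_status /etc/dt/config/Xconfig` after step 2 and before restarting dtlogin; anything other than DISABLED means the edit did not take effect.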


Patches for this vulnerability may be obtained from the following locations:

IBM AIX 4.3.3, IBM APAR IY55362
http://www-912.ibm.com/eserver/support/fixes/fcgui.jsp

IBM AIX 5.1, IBM APAR IY55361
http://www-912.ibm.com/eserver/support/fixes/fcgui.jsp

IBM AIX 5.2, IBM APAR IY55360
http://www-912.ibm.com/eserver/support/fixes/fcgui.jsp

Sun Solaris 8.0 x86, Patch 108920-21
http://sunsolve.sun.com/search/document.do?assetkey=1-21-108919-21-1

Sun Solaris 8.0, Patch 108919-21
http://sunsolve.sun.com/search/document.do?assetkey=1-21-108919-20-1

Sun Solaris 9.0 x86, Patch 114210-08
http://sunsolve.sun.com/search/document.do?assetkey=1-21-114210-08

Sun Solaris 9.0, Patch 112807-09
http://sunsolve.sun.com/search/document.do?assetkey=1-21-112807-10-1
Observation:
The X Windows Desktop Manager Control Protocol (XDMCP) is used to manage X Windows sessions on remote computers.

A double free vulnerability exists in the dtlogin daemon responsible for handling XDMCP requests. By sending a maliciously crafted request to UDP port 177 of an affected system, it is possible to cause the target to free a chunk of dynamically allocated memory more than once. Freeing memory more than once corrupts heap memory and may allow remote code execution.

Foundstone detected this vulnerability by sending a maliciously crafted request to the XDMCP service on UDP port 177 and then probing to see if the service continued to service requests.


Affected Systems:

Sun Solaris 7.0, 8.0, 9.0
HP-UX 11.x
IBM AIX 4.3.3, 5.1, 5.2
Common Desktop Environment (CDE) 1.0.1, 1.0.2, 1.1, 1.2, 2.0, 2.1,


For more information see:

CERT Vulnerability Note VU#179804:
http://www.kb.cert.org/vuls/id/179804

BID 9958:
http://www.securityfocus.com/bid/9958
Common Vulnerabilities & Exposures (CVE) Link:
CVE-2004-0368