CVE-2002-1510
CVSS 10.0
Published: 2003-03-03 00:00:00
Revised: 2008-09-05 16:30:47

[Original] xdm, with the authComplain variable set to false, allows arbitrary attackers to connect to the X server if the xdm auth directory does not exist.


[CNNVD] XFree86 4.1.0 Missing authDir Unauthenticated xdm Connection Vulnerability (CNNVD-200303-029)

        An xdm with the authComplain variable set to false is vulnerable: an arbitrary attacker can connect to the X server when the xdm auth directory does not exist.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure, all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1510
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1510
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200303-029
(Official data source) CNNVD

- Other links and resources

http://www.iss.net/security_center/static/11389.php
(VENDOR_ADVISORY)  XF  xfree86-xdm-unauth-access(11389)
http://wuarchive.wustl.edu/mirrors/NetBSD/NetBSD-current/xsrc/xfree/xc/programs/Xserver/hw/xfree86/CHANGELOG
(VENDOR_ADVISORY)  MISC  http://wuarchive.wustl.edu/mirrors/NetBSD/NetBSD-current/xsrc/xfree/xc/programs/Xserver/hw/xfree86/CHANGELOG
http://www.redhat.com/support/errata/RHSA-2003-065.html
(UNKNOWN)  REDHAT  RHSA-2003:065
http://www.redhat.com/support/errata/RHSA-2003-064.html
(UNKNOWN)  REDHAT  RHSA-2003:064
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/55602
(UNKNOWN)  SUNALERT  55602
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000533
(UNKNOWN)  CONECTIVA  CLA-2002:533

- Vulnerability information

XFree86 4.1.0 Missing authDir Unauthenticated xdm Connection Vulnerability
Critical  Other
2003-03-03 00:00:00 2005-05-13 00:00:00
Remote
        An xdm with the authComplain variable set to false is vulnerable: an arbitrary attacker can connect to the X server when the xdm auth directory does not exist.

- Advisories and patches

XFree86 has released version 4.2.0 which addresses this issue.
Red Hat updates are available.
Sun Linux updates have been released to correct this issue.

XFree86 X11R6 4.0
  • XFree86 X11R6 4.2.0 installation script
    This is just the installation script. You must acquire the platform specific binary for this distribution from ftp://ftp.xfree86.org/pub/XFree86/4.2.0/binaries/ or http://ftp.xfree86.org/pub/XFree86/4.2.0/binaries/ . To determine which distribution you need to download, obtain the installation scr
    ftp://ftp.xfree86.org/pub/XFree86/4.2.0/Xinstall.sh

XFree86 X11R6 4.0.1
  • XFree86 X11R6 4.2.0 installation script
    This is just the installation script. You must acquire the platform specific binary for this distribution from ftp://ftp.xfree86.org/pub/XFree86/4.2.0/binaries/ or http://ftp.xfree86.org/pub/XFree86/4.2.0/binaries/ . To determine which distribution you need to download, obtain the installation scr
    ftp://ftp.xfree86.org/pub/XFree86/4.2.0/Xinstall.sh

XFree86 X11R6 4.0.3
  • XFree86 X11R6 4.2.0 installation script
    This is just the installation script. You must acquire the platform specific binary for this distribution from ftp://ftp.xfree86.org/pub/XFree86/4.2.0/binaries/ or http://ftp.xfree86.org/pub/XFree86/4.2.0/binaries/ . To determine which distribution you need to download, obtain the installation scr
    ftp://ftp.xfree86.org/pub/XFree86/4.2.0/Xinstall.sh

XFree86 X11R6 4.1.0
  • XFree86 X11R6 4.2.0 installation script
    This is just the installation script. You must acquire the platform specific binary for this distribution from ftp://ftp.xfree86.org/pub/XFree86/4.2.0/binaries/ or http://ftp.xfree86.org/pub/XFree86/4.2.0/binaries/ . To determine which distribution you need to download, obtain the installation scr
    ftp://ftp.xfree86.org/pub/XFree86/4.2.0/Xinstall.sh

Sun Linux 5.0.6

- Vulnerability information

11758
XFree86 XDM authComplain Variable Connection Restriction Bypass

- Vulnerability description

- Timeline

2001-12-12 Unknown
Unknown Unknown

- Solution

Products

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

XFree86 4.1.0 Missing authDir Unauthorized xdm Connection Vulnerability
Class: Origin Validation Error  Bugtraq ID: 3965
Remote: Yes  Local: No
Published: 2002-01-19 12:00:00  Updated: 2009-07-11 09:56:00
Minimal information about this issue was disclosed on the XFree86 security page on January 19th, 2002. Credit for discovery was not given.

- Affected program versions

XFree86 X11R6 4.1.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Advanced Workstation for the Itanium Processor 2.1
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.1 i386
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Workstation 7.0
XFree86 X11R6 4.0.3
+ RedHat Linux 7.1
XFree86 X11R6 4.0.1
+ RedHat Linux 7.0
XFree86 X11R6 4.0
XFree86 X11R6 3.3.6
+ Debian Linux 2.2
+ Red Hat Linux 6.2
XFree86 X11R6 3.3.5
- RedHat Linux 6.1 i386
XFree86 X11R6 3.3.4
XFree86 X11R6 3.3.3
XFree86 X11R6 3.3.2
+ Mandriva Linux Mandrake 8.0
XFree86 X11R6 3.3
Sun Linux 5.0.6
XFree86 X11R6 4.2.0
+ Conectiva Linux Enterprise Edition 1.0
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Workstation 8.0

- Unaffected program versions

XFree86 X11R6 4.2.0
+ Conectiva Linux Enterprise Edition 1.0
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Workstation 8.0

- Discussion

XFree86 is a popular multi-platform X server. The xdm (X Display Manager) component manages X displays, performing such tasks as authentication and session execution. xdm can be used to allow a number of X clients on separate machines to connect to a common X server. Upon receiving a connection request, xdm authenticates the user and runs a defined session. Sessions commonly include windowing environments or shells; the default session is <XRoot>/bin/xterm.

xdm makes use of an authentication directory, which it uses to pass authentication information to the X server process. The directory name is configurable, but by default is <XRoot>/lib/X11/xdm.

When the authentication directory (specified by the resource "DisplayManager.authDir" in the configuration file) can't be found, xdm will allow anyone to connect to the X server (as opposed to just those hosts allowed by the XAccess file). This would also proceed without authentication, although the exact privileges gained have not been determined.
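An audit helper for the condition described above, added here as an example (it is not code from XFree86, SecurityFocus, or this database). It resolves the authDir that an xdm-config file would set (the resource name DisplayManager.authDir and the default <XRoot>/lib/X11/xdm come from the discussion; the "*" binding form and "!" comments are ordinary X resource syntax) and reports whether that directory is missing, which on affected versions is the state in which xdm stops restricting connections. The `isdir` parameter is injectable so the check can run against constructed input offline.

```python
import os
import re

# Added example, not part of the advisory. Default from the discussion above:
# <XRoot>/lib/X11/xdm when no DisplayManager.authDir resource is set.
DEFAULT_AUTHDIR_SUFFIX = os.path.join("lib", "X11", "xdm")

# Matches "DisplayManager.authDir: /path" or "DisplayManager*authDir: /path".
_AUTHDIR_RE = re.compile(r"^\s*DisplayManager[.*]authDir\s*:\s*(.*?)\s*$")


def resolve_authdir(config_text, xroot):
    """Return the authDir xdm would use for this config text (last setting wins)."""
    path = None
    for line in config_text.splitlines():
        if line.lstrip().startswith("!"):  # X resource comment line
            continue
        m = _AUTHDIR_RE.match(line)
        if m and m.group(1):
            path = m.group(1)
    return path if path is not None else os.path.join(xroot, DEFAULT_AUTHDIR_SUFFIX)


def audit_authdir(config_text, xroot, isdir=os.path.isdir):
    """Classify the configured authDir as 'ok' or 'missing'.

    A missing directory is the precondition for CVE-2002-1510 on affected
    XFree86 xdm builds: creating it (or fixing the resource) closes the gap.
    """
    path = resolve_authdir(config_text, xroot)
    status = "ok" if isdir(path) else "missing"
    return {"authDir": path, "status": status}


if __name__ == "__main__":
    # Constructed sample xdm-config, not a real system file.
    sample = "! xdm-config\nDisplayManager.authDir: /usr/X11R6/lib/X11/xdm\n"
    print(audit_authdir(sample, "/usr/X11R6"))
```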

- Exploit

Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

XFree86 has released version 4.2.0 which addresses this issue.

Red Hat updates are available.

Sun Linux updates have been released to correct this issue.
XFree86 X11R6 3.3
  • XFree86 X11R6 4.2.0 installation script
    This is just the installation script. You must acquire the platform specific binary for this distribution from ftp://ftp.xfree86.org/pub/XFree86/4.2.0/binaries/ or http://ftp.xfree86.org/pub/XFree86/4.2.0/binaries/ . To determine which distribution you need to download, obtain the installation scr
    ftp://ftp.xfree86.org/pub/XFree86/4.2.0/Xinstall.sh


XFree86 X11R6 3.3.2
  • XFree86 X11R6 4.2.0 installation script
    This is just the installation script. You must acquire the platform specific binary for this distribution from ftp://ftp.xfree86.org/pub/XFree86/4.2.0/binaries/ or http://ftp.xfree86.org/pub/XFree86/4.2.0/binaries/ . To determine which distribution you need to download, obtain the installation scr
    ftp://ftp.xfree86.org/pub/XFree86/4.2.0/Xinstall.sh


XFree86 X11R6 3.3.3
  • XFree86 X11R6 4.2.0 installation script
    This is just the installation script. You must acquire the platform specific binary for this distribution from ftp://ftp.xfree86.org/pub/XFree86/4.2.0/binaries/ or http://ftp.xfree86.org/pub/XFree86/4.2.0/binaries/ . To determine which distribution you need to download, obtain the installation scr
    ftp://ftp.xfree86.org/pub/XFree86/4.2.0/Xinstall.sh


XFree86 X11R6 3.3.4
  • XFree86 X11R6 4.2.0 installation script
    This is just the installation script. You must acquire the platform specific binary for this distribution from ftp://ftp.xfree86.org/pub/XFree86/4.2.0/binaries/ or http://ftp.xfree86.org/pub/XFree86/4.2.0/binaries/ . To determine which distribution you need to download, obtain the installation scr
    ftp://ftp.xfree86.org/pub/XFree86/4.2.0/Xinstall.sh


XFree86 X11R6 3.3.5
  • XFree86 X11R6 4.2.0 installation script
    This is just the installation script. You must acquire the platform specific binary for this distribution from ftp://ftp.xfree86.org/pub/XFree86/4.2.0/binaries/ or http://ftp.xfree86.org/pub/XFree86/4.2.0/binaries/ . To determine which distribution you need to download, obtain the installation scr
    ftp://ftp.xfree86.org/pub/XFree86/4.2.0/Xinstall.sh


XFree86 X11R6 4.0
  • XFree86 X11R6 4.2.0 installation script
    This is just the installation script. You must acquire the platform specific binary for this distribution from ftp://ftp.xfree86.org/pub/XFree86/4.2.0/binaries/ or http://ftp.xfree86.org/pub/XFree86/4.2.0/binaries/ . To determine which distribution you need to download, obtain the installation scr
    ftp://ftp.xfree86.org/pub/XFree86/4.2.0/Xinstall.sh


XFree86 X11R6 4.0.1
  • XFree86 X11R6 4.2.0 installation script
    This is just the installation script. You must acquire the platform specific binary for this distribution from ftp://ftp.xfree86.org/pub/XFree86/4.2.0/binaries/ or http://ftp.xfree86.org/pub/XFree86/4.2.0/binaries/ . To determine which distribution you need to download, obtain the installation scr
    ftp://ftp.xfree86.org/pub/XFree86/4.2.0/Xinstall.sh


XFree86 X11R6 4.0.3
  • XFree86 X11R6 4.2.0 installation script
    This is just the installation script. You must acquire the platform specific binary for this distribution from ftp://ftp.xfree86.org/pub/XFree86/4.2.0/binaries/ or http://ftp.xfree86.org/pub/XFree86/4.2.0/binaries/ . To determine which distribution you need to download, obtain the installation scr
    ftp://ftp.xfree86.org/pub/XFree86/4.2.0/Xinstall.sh


XFree86 X11R6 4.1.0
  • XFree86 X11R6 4.2.0 installation script
    This is just the installation script. You must acquire the platform specific binary for this distribution from ftp://ftp.xfree86.org/pub/XFree86/4.2.0/binaries/ or http://ftp.xfree86.org/pub/XFree86/4.2.0/binaries/ . To determine which distribution you need to download, obtain the installation scr
    ftp://ftp.xfree86.org/pub/XFree86/4.2.0/Xinstall.sh


Sun Linux 5.0.6

- References
