Published: 2004-08-18 00:00:00
Last revised: 2010-08-21 00:20:27

[Original text] XDM in XFree86 opens a chooserFd TCP socket even when DisplayManager.requestPort is 0, which could allow remote attackers to connect to the port, in violation of the intended restrictions.

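[CNNVD] XFree86 XDM RequestPort Random Open TCP Socket Vulnerability (CNNVD-200408-147)

        XFree86 XDM opens TCP socket ports at random on network interfaces, which makes those ports available to attackers.
        Even when DisplayManager.requestPort is set to 0, XFree86 xdm opens the chooserFd socket on all interfaces. This gives rise to certain security issues; for example, an attacker could use the open port without arousing suspicion.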

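- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]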

- CPE (affected platforms and products)

cpe:/o:gentoo:linux:1.4 Gentoo Linux 1.4

- OVAL (technical details for detection)

oval:org.mitre.oval:def:10161 XDM in XFree86 opens a chooserFd TCP socket even when DisplayManager.requestPort is 0, which could allow remote attackers to connect to the ...

- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources
(UNKNOWN)  OPENBSD  20040526 008: SECURITY FIX: May 26, 2004
(UNKNOWN)  XF  xdm-socket-gain-access(16264)

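- Vulnerability information

XFree86 XDM RequestPort Random Open TCP Socket Vulnerability
High risk  Design error
2004-08-18 00:00:00 2005-10-20 00:00:00
        XFree86 XDM opens TCP socket ports at random on network interfaces, which makes those ports available to attackers.
        Even when DisplayManager.requestPort is set to 0, XFree86 xdm opens the chooserFd socket on all interfaces. This gives rise to certain security issues; for example, an attacker could use the open port without arousing suspicion.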

- Advisories and patches

        Index: socket.c
        RCS file: /cvs/xc/programs/xdm/socket.c,v
        retrieving revision 3.16
        diff -u -r3.16 socket.c
        --- socket.c 30 Mar 2004 17:22:46 -0000 3.16
        +++ socket.c 20 May 2004 01:33:02 -0000
        @@ -66,6 +66,9 @@
         char *name = localHostname ();
         registerHostname (name, strlen (name));
        + if (request_port == 0)
        + return;
         #if defined(IPv6) && defined(AF_INET6)
         chooserFd = socket (AF_INET6, SOCK_STREAM, 0);
         if (chooserFd < 0)
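
Review bot: the new `if (request_port == 0) return;` guard comes after `registerHostname (name, strlen (name));`, so with the request port disabled the function still registers the local hostname before returning; if that is intended, say so in a comment above the guard, and otherwise move the check to the top of the function. The comment should also state that a request port of 0 means the chooserFd socket must not be created, since the hunk gives no reason for the early return.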

- Vulnerability information

OpenBSD XFree86 xdm Random TCP Port Listening
Remote / Network Access Misconfiguration
Loss of Integrity Patch / RCS
Exploit Unknown

- Vulnerability description

XFree86 - used in some versions of OpenBSD - contains a flaw where XFree86 listens for queries on a random TCP port, even when the service is disabled. It is possible that the flaw may allow unintended remote access resulting in a loss of integrity.

- Timeline

2004-05-19 Unknown
Unknown 2004-05-19

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, OpenBSD has released a patch to address this vulnerability.

- Related references

- Vulnerability author

- Vulnerability information

XFree86 XDM RequestPort Random Open TCP Socket Vulnerability
Design Error 10423
Yes No
2004-05-27 12:00:00 2009-07-12 05:16:00
Discovery of this vulnerability is credited to Steve Rumble.

- Affected software versions

XFree86 xdm CVS
+ OpenBSD OpenBSD 3.5 X11R6 6.7 .0
+ Mandriva Linux Mandrake 10.1 x86_64
+ Mandriva Linux Mandrake 10.1
+ SCO Unixware 7.1.4
+ SCO Unixware 7.1.3 up
+ SCO Unixware 7.1.3
+ SCO Unixware 7.1.1
RedHat Linux 9.0 i386
RedHat Linux 7.3
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux ES 3
RedHat Desktop 3.0
Red Hat Fedora Core1
Red Hat Enterprise Linux AS 3
Gentoo Linux 1.4
Avaya Modular Messaging (MSS) 2.0
Avaya Modular Messaging (MSS) 1.1
Avaya MN100
Avaya Intuity LX

- Discussion

xdm is reported prone to a security vulnerability that may lead to a false sense of security: even though DisplayManager.requestPort is set to 0, xdm will open a chooserFd TCP socket on all interfaces.
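
A defender's check for the condition described above, as an added example that is not part of the original advisory: it reads DisplayManager.requestPort from an xdm-config file and compares it with the TCP listeners owned by xdm in `ss -H -ltnp` output. The function names, the sample config and the sample socket listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): detect xdm TCP listeners that
# remain open although DisplayManager.requestPort is 0.

# Print the requestPort set in an xdm-config file; the last assignment wins
# and xdm's documented default of 177 is used when the resource is absent.
xdm_request_port() {
    awk -F: '
        /^[ \t]*!/ { next }    # "!" starts a comment in X resource files
        $1 ~ /^[ \t]*DisplayManager[.*]requestPort[ \t]*$/ {
            gsub(/[ \t]/, "", $2); port = $2
        }
        END { print (port == "" ? 177 : port) }
    ' "$1"
}

# Read `ss -H -ltnp` output on stdin; print local addresses owned by xdm.
xdm_tcp_listeners() {
    awk '$1 == "LISTEN" && /\(\("xdm",/ { print $4 }'
}

# Succeed (report a finding) when requestPort is 0 yet xdm listens on TCP.
# $1 = xdm-config path, $2 = file holding the ss output.
check_xdm_exposure() {
    [ "$(xdm_request_port "$1")" = "0" ] || return 1
    listeners=$(xdm_tcp_listeners < "$2")
    [ -n "$listeners" ] || return 1
    printf 'requestPort is 0 but xdm listens on %s\n' $listeners
}

# Constructed sample data so the check runs offline.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/xdm-config" <<'EOF'
! constructed sample xdm-config
DisplayManager.authDir: /var/lib/xdm
DisplayManager.requestPort: 0
EOF
cat > "$tmp/ss.txt" <<'EOF'
LISTEN 0 5   0.0.0.0:32771 0.0.0.0:* users:(("xdm",pid=612,fd=4))
LISTEN 0 128 0.0.0.0:22    0.0.0.0:* users:(("sshd",pid=540,fd=3))
EOF

check_xdm_exposure "$tmp/xdm-config" "$tmp/ss.txt" || echo "no finding"
```

On a live host, capture the listing as root so that `ss` can show the owning process names, then pass the real xdm-config path and the captured file to `check_xdm_exposure`.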

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us.

- Solution

Red Hat has released advisory RHSA-2004:478-13 and fixes to address this and other issues on Red Hat Linux Enterprise platforms. Customers who are affected by this issue are advised to apply the appropriate updates. Customers subscribed to the Red Hat Network may apply the appropriate fixes using the Red Hat Update Agent (up2date). Please see referenced advisory for additional information.

OpenBSD has released a source code patch to address this issue in OpenBSD 3.5.

Gentoo Linux has released advisory GLSA 200407-05 addressing this issue. Please see the referenced advisory for further information. Users of affected packages are urged to execute the following commands as superuser:
If you are running the version of X:
emerge sync
emerge -pv ">=x11-base/xorg-x11-6.7.0-r1"
emerge ">=x11-base/xorg-x11-6.7.0-r1"
If you are running the XFree86 version of X:
emerge sync
emerge -pv ">=x11-base/xfree-4.3.0-r6"
emerge ">=x11-base/xfree-4.3.0-r6"

Mandrake Linux has released an advisory (MDKSA-2004:073) to address this issue. Please see the referenced advisory for further information.

Avaya has released an advisory indicating vulnerable packages. Avaya has suggested that upgrades will be available to address this issue. Please see the advisory at the following location for more information:

Fedora Legacy has released advisory FLSA-2005:2314 dealing with this and other issues for the Fedora Core 1 and RedHat Linux packages. Please see the referenced advisory for more information.

- Related references