Report forwarded to debian-bugs-dist@lists.debian.org, Stephen Early <sde1000@debian.org>:
Bug#7195; Package xbase.
Sorry, this message was lost when this bug report was restored from a backup.
Acknowledgement sent to Riku Saikkonen <rjs@lloke.dna.fi>:
New bug report received and forwarded. Copy sent to Stephen Early <sde1000@debian.org>.
Received: (at submit) by bugs.debian.org; 7 Feb 1997 18:23:02 +0000
Received: (qmail 15241 invoked from network); 7 Feb 1997 18:19:51 -0000
Received: from isil.lloke.dna.fi (rjs@194.100.32.225)
by master.debian.org with SMTP; 7 Feb 1997 18:19:47 -0000
Received: (from rjs@localhost) by isil.lloke.dna.fi (8.7.6/8.7.3) id UAA22758; Fri, 7 Feb 1997 20:14:07 +0200
Date: Fri, 7 Feb 1997 20:14:07 +0200
From: Riku Saikkonen
Message-Id: <199702071814.UAA22758@isil.lloke.dna.fi>
To: submit@bugs.debian.org
Subject: xdm dumps core (remote denial-of-service possible)
Package: xbase
Version: 3.2-1.1
When xdm runs, it listens on a pseudo-random (the first available) TCP port
in the 1024-xxxx range. (Why does it do this? It looks like (from lsof) all
X applications spawned by xdm also listen on the same port.)
I tried connecting to this port from another host ("telnet anar 1028", where
anar is the Debian system running xdm and 1028 is the port it happened to
listen on (obtained from netstat -a)). The TCP connection was accepted. I
typed "test" into the telnet session, and pressed Return. The telnet
connection was closed, and the copy of xdm dumped core (into the directory
where I had run "/etc/init.d/xdm start" from).
Running "gdb /usr/bin/X11/xdm core" said that xdm had died "with signal 11,
Segmentation fault.", and a stack trace (the "bt" command in gdb) said:
#0 0x4018f188 in free ()
#1 0xbffff394 in ?? ()
I was able to repeat that bug every time I tried (I always tried it with no
users logged in via xdm). The X server and the applications xdm had started
(xlogin etc.) didn't die.
I am running Debian 1.2.5 (upgraded from 1.1.1 onwards; all packages should
be upgraded to the 1.2.5 packages), libc5 5.4.20-1, kernel 2.0.27 (built by
me, nothing special, just a set of drivers), on a Pentium-100 using the
XF86_S3 server (xserver-s3 3.2-1).
I don't think I have anything very special in my xdm configuration; the most
non-standard thing is an Xstartup_0 that executes an xclock, an xmessage
window, and an `xlock -nolock -onroot'. I don't have X terminals or anything
like that, so my /etc/X11/xdm/Xaccess has simply "!*" to deny XDMCP access
from all hosts. My /etc/X11/xdm/Xservers has simply
":0 local /usr/X11R6/bin/X". /etc/X11/xdm/xdm-config is unmodified from the
Debian-installed one.
I suspect this is another instance of the free-pointers-twice problem shown
by the new libc that catches it. I think this is a fairly serious problem,
since anyone from anywhere on the network can kill your xdm simply by
connecting to the right port and typing something; and since the port is in
the `user' range (>1024), it is often passed through firewalls where things
like the X server port (TCP port 6000) are firewalled.
On a more general note, I am wondering why xdm wants to listen on a `user'
TCP port at all. If I start X with `startx', this user-port-listening
doesn't happen; the X server listens on 6000 (or 6001 or ...), but none of
the X applications listen on any TCP or UDP port. Could xdm be persuaded not
to listen on the >1024 TCP port at all? This should be good for security...
--
-=- Rjs -=- rjs@spider.compart.fi, rjs@lloke.dna.fi
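An added defender-side check for the concern raised above (an xdm-owned TCP listener in the unprivileged port range that remote hosts can reach). This is example code, not part of the bug report or of xdm; it assumes the Linux `netstat -an` column layout, and the sample output below is constructed, not captured from the reporter's host.

```python
"""Flag TCP listeners on unprivileged ports that are not bound to loopback.

Parses the 'Proto Recv-Q Send-Q Local Address Foreign Address State' rows
printed by `netstat -an` on Linux and returns the listening sockets that a
remote host could reach on a port above 1023, minus a set of ports the host
is known to serve on purpose (e.g. 6000 for the X server).
"""
import re
import subprocess

# Constructed sample in `netstat -an` layout (hypothetical, not real host data).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:1028            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:1029          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 194.100.32.225:23       194.100.32.1:1100       ESTABLISHED
udp        0      0 0.0.0.0:177             0.0.0.0:*
"""

# Matches only TCP rows in LISTEN state; captures the local address and port.
ROW = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s*$")

def listeners(netstat_text):
    """Return (addr, port) for every TCP socket in LISTEN state."""
    found = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if m:
            found.append((m.group(2), int(m.group(3))))
    return found

def remotely_reachable_user_ports(netstat_text, expected=frozenset()):
    """Listeners on ports > 1023 that are not loopback-only and not expected."""
    return sorted(
        (addr, port) for addr, port in listeners(netstat_text)
        if port > 1023 and port not in expected
        and not addr.startswith("127.") and addr != "[::1]"
    )

def audit_host(expected=frozenset({6000})):
    """Run netstat on this host and report unexpected user-range listeners."""
    out = subprocess.run(["netstat", "-an"], capture_output=True,
                         text=True, check=False).stdout
    return remotely_reachable_user_ports(out, expected)

if __name__ == "__main__":
    for addr, port in remotely_reachable_user_ports(SAMPLE_NETSTAT, {6000}):
        print(f"unexpected listener: {addr}:{port}")
```

On the sample, only 0.0.0.0:1028 is reported: 6000 is allowlisted, 1029 is loopback-only, and 25 is below the user range.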