US-CERT
Vulnerability Notes Database

Vulnerability Note VU#179804

Common Desktop Environment (CDE) dtlogin XDMCP parser improperly deallocates memory

Overview

A "double-free" vulnerability in the CDE dtlogin program could allow a remote attacker to execute arbitrary code or cause a denial of service on a vulnerable system.

I. Description

The Common Desktop Environment (CDE) is an integrated graphical user interface that runs on UNIX and Linux operating systems. The dtlogin program contains a "double-free" vulnerability that can be triggered by a specially crafted X Display Manager Control Protocol (XDMCP) packet.

II. Impact

Depending on configuration, operating system, and platform architecture, an unauthenticated, remote attacker could execute arbitrary code, read sensitive information, or cause a denial of service.

III. Solution

The CERT/CC is currently unaware of a practical solution to this problem. Updated vendor information will be made available in the Systems Affected section below.

Block or Restrict XDMCP Traffic

Block XDMCP traffic (177/udp) from untrusted networks such as the Internet. Keep in mind that blocking ports at a network perimeter does not protect the vulnerable service from the internal network. In most cases, it is trivial for an attacker to spoof the source of a UDP packet, so restricting XDMCP access to specific IP addresses may be ineffective. Consider network configuration and service requirements before deciding what changes are appropriate.

Disable XDMCP in dtlogin

Depending on service requirements, disable XDMCP support in dtlogin.

On a SunOS 5.8 system:

/usr/dt/config/Xconfig

/etc/dt/config/Xconfig


#  To disable listening for XDMCP requests from X-terminals.
#
Dtlogin.requestPort:       0
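
To confirm the setting is actually in effect, the following check reports whether an Xconfig file carries an active Dtlogin.requestPort: 0 line, and treats a line that is still commented out as not disabled. It is an added example, not part of the original advisory or of any vendor tooling. The function names are hypothetical, and the example assumes that /etc/dt/config/Xconfig takes precedence over /usr/dt/config/Xconfig when both exist.

```shell
#!/bin/sh
# Added example: audit the dtlogin XDMCP setting described above.
#
# xdmcp_state FILE prints one of:
#   disabled      an active "Dtlogin.requestPort: 0" line is present
#   enabled:PORT  an active line sets a non-zero port
#   default       no active line (absent or commented out), so dtlogin
#                 keeps listening for XDMCP requests
xdmcp_state() {
    # Ignore comment lines ('#' or '!'); the last active setting wins.
    port=$(awk '
        /^[ \t]*[#!]/ { next }
        /^[ \t]*Dtlogin[.*]requestPort[ \t]*:/ {
            sub(/^[^:]*:[ \t]*/, "")
            sub(/[ \t\r]+$/, "")
            p = $0; seen = 1
        }
        END { if (seen) print p }
    ' "$1" 2>/dev/null) || port=""
    case "$port" in
        "") echo default ;;
        0)  echo disabled ;;
        *)  echo "enabled:$port" ;;
    esac
}

# Assumption: dtlogin reads <etc_dir>/Xconfig when it exists and falls
# back to <usr_dir>/Xconfig otherwise. Defaults are the paths on the page.
effective_xdmcp_state() {
    etc_dir=${1:-/etc/dt/config}
    usr_dir=${2:-/usr/dt/config}
    if [ -f "$etc_dir/Xconfig" ]; then
        xdmcp_state "$etc_dir/Xconfig"
    elif [ -f "$usr_dir/Xconfig" ]; then
        xdmcp_state "$usr_dir/Xconfig"
    else
        echo no-config
    fi
}

# Report the state for this host (or for directories given as arguments).
effective_xdmcp_state "$@"
```

Any result other than "disabled" means XDMCP is still reachable through dtlogin unless it is blocked elsewhere.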

Systems Affected

Vendor                     Status        Date Updated
Cray Inc.                  Unknown       24-Mar-2004
EMC Corporation            Unknown       24-Mar-2004
Hewlett-Packard Company    Vulnerable    18-Jun-2004
IBM                        Vulnerable    18-Jun-2004
SCO                        Vulnerable    4-Apr-2004
SGI                        Vulnerable    10-May-2005
Sun Microsystems Inc.      Vulnerable    23-Jun-2004
The Open Group             Unknown       24-Mar-2004
Xi Graphics                Unknown       24-Mar-2004

References


http://lists.immunitysec.com/pipermail/dailydave/2004-March/000402.html
http://www.securityfocus.com/archive/1/358380
http://www.securityfocus.com/archive/1/358426
http://secunia.com/advisories/11210/
http://secunia.com/advisories/11214/
http://secunia.com/advisories/11614/
http://secunia.com/advisories/11495/

Credit

This vulnerability was publicly reported by Dave Aitel of Immunity, Inc.

This document was written by Art Manion.

Other Information

Date Public: 03/23/2004
Date First Published: 03/24/2004 01:25:38 AM
Date Last Updated: 06/23/2004
CERT Advisory:
CVE Name: CAN-2004-0368
US-CERT Technical Alerts:
Metric: 25.82
Document Revision: 23

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Copyright 2004 Carnegie Mellon University