US-CERT Vulnerability Notes Database

Vulnerability Note VU#312313

Solaris X Window Font Service (XFS) daemon contains buffer overflow in Dispatch() function

Overview

A remotely exploitable buffer overflow has been discovered in the Solaris X Window Font Service (XFS) daemon (fs.auto).

I. Description

ISS X-Force released an Advisory today regarding a remotely exploitable buffer overflow in XFS. According to ISS, XFS is installed and running by default on the following operating systems and architectures:
  • Sun Microsystems Solaris 2.5.1 (Sparc/Intel)
  • Sun Microsystems Solaris 2.6 (Sparc/Intel)
  • Sun Microsystems Solaris 7 (Sparc/Intel)
  • Sun Microsystems Solaris 8 (Sparc/Intel)
  • Sun Microsystems Solaris 9 (Sparc)
  • Sun Microsystems Solaris 9 Update 2 (Intel)
According to the ISS Advisory, the buffer overflow exists in the fs.auto Dispatch() function. Because this function accepts user-supplied data, an attacker can send overly large XFS queries to the XFS service and either cause it to crash or execute arbitrary code with the same privileges as the XFS service (typically nobody).

II. Impact

A remote attacker can execute arbitrary code with the privileges of the fs.auto daemon (typically nobody) or cause a denial of service by crashing the service.

III. Solution

Apply a vendor patch when it becomes available.
  • Ingress Filtering - It may be possible to limit the scope of this vulnerability by applying ingress filtering (blocking access to TCP port 7100 at your network perimeter). Note: You should carefully consider the impact of blocking services that you may be using.
  • Disable XFS Service - To disable the XFS Service, comment out the following line in /etc/inetd.conf (remember to restart inetd after making this change):

    fs              stream  tcp     wait nobody /usr/openwin/lib/fs.auto    fs
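
The following shell functions are an added example, not part of the ISS or US-CERT text. They show one way to audit an inetd.conf file for active fs.auto entries and comment them out with a backup. The function names and the ".pre-xfs" backup suffix are assumptions made for this example, and the ftp line in the demo is constructed sample data.

```sh
#!/bin/sh
# Added example (not from the advisory): find and comment out inetd.conf
# entries whose server program is fs.auto. Function names and the
# ".pre-xfs" backup suffix are assumptions made for this example.

# Print active entries: first field is not a comment and the sixth field
# (the server program path) ends in /fs.auto.
xfs_active_entries() {
    awk '$1 !~ /^#/ && $6 ~ /\/fs\.auto$/' "$1"
}

# Comment out active fs.auto entries in the file named by $1.
# Returns 0 if the file was changed, 1 if no active entry, 2 on error.
xfs_disable() {
    conf=$1
    [ -r "$conf" ] && [ -w "$conf" ] || return 2
    [ -n "$(xfs_active_entries "$conf")" ] || return 1
    cp -p "$conf" "$conf.pre-xfs" || return 2
    # Rewrite from the backup so ownership and mode of $conf are kept.
    awk '$1 !~ /^#/ && $6 ~ /\/fs\.auto$/ { print "#" $0; next } { print }' \
        "$conf.pre-xfs" > "$conf" || return 2
    return 0
}

# Demo on a constructed file: the fs line is the one quoted in the note,
# the ftp line is constructed sample data.
xfs_demo() {
    demo=$(mktemp) || return 2
    cat > "$demo" <<'EOF'
ftp             stream  tcp6    nowait root /usr/sbin/in.ftpd          in.ftpd
fs              stream  tcp     wait nobody /usr/openwin/lib/fs.auto    fs
EOF
    rc=0
    xfs_disable "$demo" || rc=$?
    cat "$demo"                      # fs line now starts with "#"
    rm -f "$demo" "$demo.pre-xfs"
    return $rc
}

# On a real host (as root): xfs_disable /etc/inetd.conf, then restart inetd.
if [ "${1:-}" = "--demo" ]; then xfs_demo; fi
```

A return code of 1 means the file has no active fs.auto entry, so the function can be run repeatedly across a fleet without changing hosts that are already remediated.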

Systems Affected

Vendor | Status | Date Notified | Date Updated
Apple Computer Inc. | Not Vulnerable | 26-Nov-2002
Cray Inc. | Not Vulnerable | 26-Nov-2002
Fujitsu | Not Vulnerable | 3-Dec-2002
Hewlett-Packard Company | Vulnerable | 6-Dec-2002
IBM | Vulnerable | 11-Dec-2002
Microsoft Corporation | Not Vulnerable | 26-Nov-2002
NetBSD | Not Vulnerable | 25-Nov-2002
Nortel Networks | Vulnerable | 17-Dec-2002
OpenBSD | Vulnerable | 5-Dec-2002
Red Hat Inc. | Not Vulnerable | 4-Dec-2002
SGI | Not Vulnerable | 4-Dec-2002
Sun Microsystems Inc. | Vulnerable | 25-Nov-2002
SuSE Inc. | Not Vulnerable | 2-Dec-2002
Xerox Corporation | Vulnerable | 30-May-2003
XFree86 | Vulnerable | 5-Dec-2002

References


http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21541
http://docs.sun.com/db/doc/806-7072/6jfvjtg1l?q=xfs&a=view

Credit

ISS X-Force discovered this vulnerability.

This document was written by Ian A Finlay.

Other Information

Date Public: 2002-11-25
Date First Published: 2002-11-25
Date Last Updated: 2003-05-30
CERT Advisory: CA-2002-34
CVE-ID(s): CAN-2002-1317
NVD-ID(s): CAN-2002-1317
US-CERT Technical Alerts:
Metric: 28.12
Document Revision: 13

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Copyright 2002 Carnegie Mellon University