Vulnerability Note VU#312313

Solaris X Window Font Service (XFS) daemon contains buffer overflow in Dispatch() function

Original Release date: 25 Nov 2002 | Last revised: 30 May 2003

Overview

A remotely exploitable buffer overflow has been discovered in the Solaris X Window Font Service (XFS) daemon (fs.auto).

Description

ISS X-Force released an Advisory today regarding a remotely exploitable buffer overflow in XFS. According to ISS, XFS is installed and running by default on the following operating systems and architectures:

  • Sun Microsystems Solaris 2.5.1 (Sparc/Intel)
  • Sun Microsystems Solaris 2.6 (Sparc/Intel)
  • Sun Microsystems Solaris 7 (Sparc/Intel)
  • Sun Microsystems Solaris 8 (Sparc/Intel)
  • Sun Microsystems Solaris 9 (Sparc)
  • Sun Microsystems Solaris 9 Update 2 (Intel)
According to the ISS Advisory, the buffer overflow exists in the fs.auto Dispatch() function. Because this function accepts user supplied data, an attacker can send overly large XFS queries to the XFS service and either cause it to crash or execute arbitrary code with the same privileges as the XFS service (typically nobody).

Impact

A remote attacker can execute arbitrary code with the privileges of the fs.auto daemon (typically nobody) or cause a denial of service by crashing the service.

Solution

Apply a vendor patch when it becomes available.

Ingress Filtering - It may be possible to limit the scope of this vulnerability by applying ingress filtering (blocking access to TCP port 7100 at your network perimeter). Note: You should carefully consider the impact of blocking services that you may be using.

  • Disable XFS Service - To disable the XFS Service, comment out the following line in /etc/inetd.conf (remember to restart inetd after making this change)

    fs              stream  tcp     wait nobody /usr/openwin/lib/fs.auto    fs

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Hewlett-Packard CompanyAffected-06 Dec 2002
IBMAffected-11 Dec 2002
Nortel NetworksAffected-17 Dec 2002
OpenBSDAffected-05 Dec 2002
Sun Microsystems Inc.Affected-25 Nov 2002
Xerox CorporationAffected-30 May 2003
XFree86Affected-05 Dec 2002
Apple Computer Inc.Not Affected-26 Nov 2002
Cray Inc.Not Affected-26 Nov 2002
FujitsuNot Affected-03 Dec 2002
Microsoft CorporationNot Affected-26 Nov 2002
NetBSDNot Affected-25 Nov 2002
Red Hat Inc.Not Affected-04 Dec 2002
SGINot Affected-04 Dec 2002
SuSE Inc.Not Affected-02 Dec 2002
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

ISS X-Force discovered this vulnerability.

This document was written by Ian A Finlay.

Other Information

  • CVE IDs: CAN-2002-1317
  • CERT Advisory: CA-2002-34
  • Date Public: 25 Nov 2002
  • Date First Published: 25 Nov 2002
  • Date Last Updated: 30 May 2003
  • Severity Metric: 28.12
  • Document Revision: 13

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.