Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2004-0419: xdm: open random ports | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Thomas Biege <thomas> |
| Component: | Incidents | Assignee: | Thomas Biege <thomas> |
| Status: | RESOLVED FIXED | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Normal | | |
| Priority: | P3 - Medium | CC: | security-team, sndirsch |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | CVE-2004-0419: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | patchinfo.xfree, patchinfo-box.xfree | | |

Description
Thomas Biege
2004-06-14 16:27:17 UTC
Date: Thu, 10 Jun 2004 10:50:54 +0200
From: Thomas Adomeit <Thomas.Adomeit@eplus.de>
To: security@suse.de
Subject: [security@suse.de] Security related Bug - xdm opens random tcp sockets

Hi,

I've found an open network port in SuSE 9.1 that can't be closed (except by disabling xdm completely):

host02:/etc/X11/xdm # lsof -i -P | grep xdm
xdm 11765 root 4u IPv4 16673 TCP *:1026 (LISTEN)
xdm 11781 root 4u IPv4 16673 TCP *:1026 (LISTEN)

XDMCP is disabled:

host02:/etc/X11/xdm # grep -i requestPort xdm-config
DisplayManager.requestPort: 0

This security issue is documented on SecurityTracker.com (Xdm May Open Random TCP Sockets, Alert ID: 1010306). The vendor (xfree86) has issued a patch (see attached Bugzilla report).

Is SuSE planning to apply this patch to the XFree package?

Best regards
Thomas Adomeit

=================================================================================
Bug 16376 - xdm opens random tcp sockets
XFree86 Bugzilla
Last modified: 2004-06-01 07:11

Bug#: 1376
Reporter: Steve Rumble <rumble@ephemeral.org>
Status: RESOLVED
Resolution: FIXED
Assigned To: XFree86 Developer Issue <developer@bugs.XFree86.org>

Description: Opened: 2004-05-19 21:44

Even when DisplayManager.requestPort is set to 0, xdm will open a chooserFd tcp socket on all interfaces. This apparently cannot be disabled by configuration and presents a possible security risk. Older versions of xdm/socket.c appear to have checked and aborted if request_port == 0, but the current one does not. Perhaps it was mistakenly forgotten while refactoring the code. The following patch should resolve the issue:

Index: socket.c =================================================================== RCS file: /cvs/xc/programs/xdm/socket.c,v retrieving revision 3.16 diff -u -r3.16 socket.c --- socket.c 30 Mar 2004 17:22:46 -0000 3.16 +++ socket.c 20 May 2004 01:33:02 -0000 
@@ -66,6 +66,9 @@ char *name = localHostname (); registerHostname (name, strlen (name)); + if (request_port == 0) + return; + #if defined(IPv6) && defined(AF_INET6) chooserFd = socket (AF_INET6, SOCK_STREAM, 0); if (chooserFd < 0)

------- Additional Comment #1 From dawes@xfree86.org 2004-05-19 22:25 -------
committed -- thanks.

------- Additional Comment #2 From Mark Cox 2004-06-01 07:11 -------
I'm allocating this a CVE name since it has security consequences and affects some shipping versions of XFree86 (for example the flaw is part of a backported patch applied to Red Hat Enterprise Linux - although xdm is not enabled by default)

CAN-2004-0419

This problem still seems to happen for current X.Org of STABLE (CVS-040603).
I'll check 9.1/SLES9 later.
> lsof -i -P|grep xdm
xdm 9558 root 4u IPv6 394498 TCP *:34567 (LISTEN)
xdm 9572 root 4u IPv6 394498 TCP *:34567 (LISTEN)
/etc/X11/xdm/xdm-config:
[...]
DisplayManager.requestPort: 0
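Review bot: In the socket.c hunk at @@ -66,6 +66,9 @@ quoted in the description, the new "if (request_port == 0) return;" sits after "registerHostname (name, strlen (name));", so the hostname is still registered when XDMCP is disabled and only the chooserFd socket setup is skipped; if that ordering is deliberate, say so in a comment, otherwise move the check to the top of the function. Because the report says this same check was lost in an earlier refactoring, a short comment stating that a request_port of 0 must leave no listening socket would help keep it from being dropped again. The visible lines do not show how chooserFd is used elsewhere, so it is also worth confirming that callers tolerate the descriptor never being created on this path.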
Ok. The problem exists on 9.1/SLES9 as well.

What should be done? Do we need a security update for all maintained and boxed products or does this only need to be fixed for STABLE? Or only STABLE and SLES9?

What are these open ports used for?

AFAIK these are for XDMCP requests ("X -query hostname", etc.). The check was
removed between CVS revision 3.10 and 3.11.
revision 3.11
date: 2003/07/09 15:27:39; author: tsi; state: Exp; lines: +416 -39
[...]
This means that currently only SuSE 9.1/SLES9 and STABLE are affected by this
problem.
Ok, these ones need an update. I'll write a patchinfo file for SL9.1 as soon as my home is remounted rw..

wotan is rw mounted back. :-)

Created attachment 21189
patchinfo.xfree
Please check for correctness.
DISTRIBUTION: sles8-slec-i386
^^^^^^^^^^^^^^^
Shouldn't this be "9.1-i386, 9.1-x86_64" for SL 9.1?
PACKAGE: XFree86
PACKAGER: sndirsch@suse.de
CATEGORY: security
INDICATIONS: Everyone using X should update.
CONTRAINDICATIONS:
CD-Produkt-Name:
CD-Produkt-Version:
REQUIRES:
DESCRIPTION:
A buffer overflow in the X server can be triggered by using a malformed
font.alias file. This bug can be used to gain local root privilege.
Thomas, as I said before only 9.1/SLES9 and STABLE are affected. IMHO we
should fix the problem for 9.1/SLES9 and submit a new XFree86 package to be
checked in for SLES9 RC2 and provide a patchinfo file for SuSE 9.1. Of course
I'll also fix the problem for STABLE/9.2 as well.
Uhm, that is the wrong patchinfo... sorry

Created attachment 21195
patchinfo-box.xfree

Looks better, but isn't xdm listening? You write that the Xserver is listening ...

Security Update: This update resolves random listening to ports by the X server that allows to connect via the XDMCP.
DESCRIPTION_DE: Sicherheits-Update: Mit diesem Update wird verhindert, dass der Xserver wahllos an Ports lauscht, zu denen man eine Verbindung mit Hilfe des XDMCP Protokolls aufbauen kann.

You are right.

submitted for SLES9/9.1 (including patchinfo file for 9.1-i386,9.1-x86_64) and STABLE now. Assigning to reporter for further tracking. BTW, I've also tested this patch. No open ports of xdm any more. :-)

Thanks.

I would like to delay this as I just received a fix for a broken switchmode implementation (resolution switching) on i810/i815 chipsets which simply terminates the Xserver (Bug 56945).

the packages are not in autobuild stats yet. so remove them before they are checked in and prove new ones...

no problem!

Ok. I submitted now a XFree86 package with the fix for i180 driver in and adjusted the patchinfo file.
/work/src/done/9.1/XFree86
/work/src/done/PATCHINFO/patchinfo-box.XFree86

> /work/src/done/9.1/XFree86
checked in now.

packages approved
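
The manual check used in the comments above (lsof output compared with the DisplayManager.requestPort setting) can be scripted. This is an added example, not part of the bug report or of any SUSE or XFree86 tooling; the function names and sample files are constructed for illustration, and it assumes lsof output saved to a file and xdm's default requestPort of 177 when the resource is unset.

```shell
#!/bin/sh
# Added example: flag xdm TCP listeners that exist although requestPort is 0.

# Print the configured requestPort; xdm defaults to 177 when it is unset.
request_port() {
    awk -F: '
        /^[ \t]*!/ { next }                    # "!" starts a resource comment
        $1 ~ /^[ \t]*DisplayManager[.*]requestPort[ \t]*$/ {
            gsub(/[ \t]/, "", $2); port = $2
        }
        END { print (port == "" ? 177 : port) }' "$1"
}

# Print the unique endpoints a process named xdm listens on, given saved
# `lsof -i -P` output (parent and child share one socket, hence sort -u).
xdm_listeners() {
    awk '$1 == "xdm" && $NF == "(LISTEN)" { print $(NF-1) }' "$1" | sort -u
}

# Return 1 and print a finding when requestPort is 0 yet xdm still listens.
check_xdm() {
    [ "$(request_port "$1")" = "0" ] || return 0   # XDMCP enabled: not this bug
    found=$(xdm_listeners "$2")
    if [ -n "$found" ]; then
        echo "requestPort is 0 but xdm listens on: $found"
        return 1
    fi
    return 0
}

# Constructed sample input, modelled on the output quoted in the report.
write_samples() {
    cat > "$1/xdm-config" <<'EOF'
! constructed sample
DisplayManager.requestPort: 0
EOF
    cat > "$1/lsof.txt" <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE NODE NAME
xdm     11765 root    4u  IPv4  16673  TCP *:1026 (LISTEN)
xdm     11781 root    4u  IPv4  16673  TCP *:1026 (LISTEN)
sshd      812 root    3u  IPv4   1201  TCP *:22 (LISTEN)
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
check_xdm "$dir/xdm-config" "$dir/lsof.txt" || echo "exit status 1: finding"
rm -rf "$dir"
```

On a host with the fixed package the same check returns 0, matching the "No open ports of xdm any more" result reported above.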