Dave Aitel <dave@immunitysec.com> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Technical Summary: A double-free weakness in the XDMCP parser of > dtlogin (CDE) results in remote code execution against popular server > operating systems, such as Solaris. Linux is not vulnerable, to > Immunity's knowledge. This attack is performed over UDP port 177. > > dtlogin is also the program that displays the login screen, so killing > it blindly is not recommended. > > The full advisory in pdf form is available at: > http://www.immunitysec.com/downloads/dtlogin.sxw.pdf > > This is one of the new vulnerabilities in the Shellcoder's Handbook. The PDF version of your advisory indicates that your upcoming (29 Mar 2004, according to those patent-happy people over at amazon.com) book includes scripts that can be used to test for the vulnerability. Are you going to provide any scripts or code fragments so that people can test their systems? As things stand, it looks a lot like you're trying to generate book sales by releasing a content-light advisory 6 days before your book comes out. Disabling XDMCP is very easy on Solaris [789] systems, by editing /etc/dt/config/Xconfig. "Dtlogin.requestPort" should be set to "0" like so: Dtlogin.requestPort: 0 If /etc/dt/config/Xconfig does not exist, copy the stock default from /usr/dt/config/Xconfig to /etc/dt/config/Xconfig and edit it: cp /usr/dt/config/Xconfig /etc/dt/config/Xconfig vi /etc/dt/config/Xconfig ... and uncomment the line that reads "# Dtlogin.requestPort: 0" There's even a helpful comment, for those who care to look: # To disable listening for XDMCP requests from X-terminals. XDMCP is only necessary on machines who manage other X servers. So a stand-alone work station whose dtlogin does not manage any other X servers can use the work around listed above. On machines that do need to use XDMCP, see the parameter "Dtlogin.accessFile" (also in /etc/dt/config/Xconfig). It MAY help, but it may not. The dtlogin man page (/usr/dt/share/man/man1/dtlogin.1) says this about it: accessFile To prevent unauthorized XDMCP service and to allow forward- ing of XDMCP IndirectQuery requests, this file contains a database of hostnames which are either allowed direct access to this machine, or have a list of hosts to which queries should be forwarded to. The format of this file is described in the Xaccess section. If not set, all hosts will be allowed XDMCP service. Also make sure to read the section entitled "The Xaccess File." This workaround for machines who need to allow dtlogin to listen for XDMCP may NOT protect against the vulnerability, but it's probably better than nothing. (Here's where having those unreleased scripts would greatly help in testing.) Headless servers that do not run X (do not have a frame buffer) or need to manage any remote X servers should have dtlogin completely disabled. This can be done like so: /etc/init.d/dtlogin stop # should kill dtlogin, but make sure with ps. cd /etc/rc2.d mkdir Disabled mv S99dtlogin Disabled # Prevents dtlogin from being started # next boot. It's always a good idea to double check that S99dtlogin hasn't been re-created after you install Solaris patches. Johan van Zanten \ "And so once again we find that the evil System Wrangler \ of the past seeps into the present, Tumbleweed Electron Wranglers, Inc. \ like salad dressing through \ cheap waxed paper." - The Tick