XDM buffer overflow could allow a remote attacker to gain access
| xdm-xdmcp-remote-bo (4762) |  Medium Risk |
Description:
XDM and derivative packages (KDM and WDM) shipped with X Window System are vulnerable to a buffer overflow in the xdmcp.c error handling code. The send_failed method copies a host name into a buffer without verifying sufficient memory space. By sending over 256 characters, a remote attacker can overflow the buffer and gain access to the system. If XDM is run as root, the attacker could gain root privileges. It may be possible to cause a denial of service by crashing XDM.
Platforms Affected:
- RedHat, Linux 6.2
- RedHat, Linux 7
- RedHat, Linux 7.1
- RedHat, Linux 7.2
- RedHat, Linux 7.3
- XFree86, XFree86
Remedy:
For Red Hat Linux 6.2:
Upgrade to the latest version of XFree86 (3.3.6-29 or later), as listed in RHSA-2001:071-05. See References.
For Red Hat Linux 7.0 and 7.1:
Upgrade to the latest version of XFree86 (3.3.6-38 or later), as listed in RHSA-2001:071-05. See References.
As a workaround, disable XDMCP listening.
Consequences:
Gain Access
References:
- BugTraq Mailing List, Mon Jun 19 2000 - 17:51:43 CDT, XFree86: xdm flaw; present in kdm at http://archives.neohapsis.com/archives/bugtraq/2000-06/0167.html.
- RHSA-2001-071: New updated XFree86 packages available
Reported:
Jun 19, 2000
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net