Re: Immunity Advisory: dtlogin remote root
Dave Aitel <dave@xxxxxxxxxxxxxxx> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Technical Summary: A double-free weakness in the XDMCP parser of
> dtlogin (CDE) results in remote code execution against popular server
> operating systems, such as Solaris. Linux is not vulnerable, to
> Immunity's knowledge. This attack is performed over UDP port 177.
>
> dtlogin is also the program that displays the login screen, so killing
> it blindly is not recommended.
>
> The full advisory in pdf form is available at:
> http://www.immunitysec.com/downloads/dtlogin.sxw.pdf
>
> This is one of the new vulnerabilities in the Shellcoder's Handbook.
The PDF version of your advisory indicates that your upcoming (29 Mar
2004, according to those patent-happy people over at amazon.com) book
includes scripts that can be used to test for the vulnerability. Are you
going to provide any scripts or code fragments so that people can test
their systems? As things stand, it looks a lot like you're trying to
generate book sales by releasing a content-light advisory 6 days before
your book comes out.
Disabling XDMCP is very easy on Solaris [789] systems, by editing
/etc/dt/config/Xconfig. "Dtlogin.requestPort" should be set to "0" like
so:
Dtlogin.requestPort: 0
If /etc/dt/config/Xconfig does not exist, copy the stock default from
/usr/dt/config/Xconfig to /etc/dt/config/Xconfig and edit it:
cp /usr/dt/config/Xconfig /etc/dt/config/Xconfig
vi /etc/dt/config/Xconfig
... and uncomment the line that reads "# Dtlogin.requestPort: 0"
There's even a helpful comment, for those who care to look:
# To disable listening for XDMCP requests from X-terminals.
XDMCP is only necessary on machines who manage other X servers. So a
stand-alone work station whose dtlogin does not manage any other X servers
can use the work around listed above.
On machines that do need to use XDMCP, see the parameter
"Dtlogin.accessFile" (also in /etc/dt/config/Xconfig). It MAY help, but it
may not.
The dtlogin man page (/usr/dt/share/man/man1/dtlogin.1) says this about
it:
accessFile
To prevent unauthorized XDMCP service and to allow forward-
ing of XDMCP IndirectQuery requests, this file contains a
database of hostnames which are either allowed direct access
to this machine, or have a list of hosts to which queries
should be forwarded to. The format of this file is
described in the Xaccess section. If not set, all hosts
will be allowed XDMCP service.
Also make sure to read the section entitled "The Xaccess File."
This workaround for machines who need to allow dtlogin to listen for
XDMCP may NOT protect against the vulnerability, but it's probably better
than nothing.
(Here's where having those unreleased scripts would greatly help in
testing.)
Headless servers that do not run X (do not have a frame buffer) or need
to manage any remote X servers should have dtlogin completely disabled.
This can be done like so:
/etc/init.d/dtlogin stop # should kill dtlogin, but make sure with ps.
cd /etc/rc2.d
mkdir Disabled
mv S99dtlogin Disabled # Prevents dtlogin from being started
# next boot.
It's always a good idea to double check that S99dtlogin hasn't been
re-created after you install Solaris patches.
Johan van Zanten \ "And so once again we find that the evil
System Wrangler \ of the past seeps into the present,
Tumbleweed Electron Wranglers, Inc. \ like salad dressing through
\ cheap waxed paper." - The Tick