/usr/bin/xrdb: xdmcp rogue hostname security

Related Vulnerabilities: CVE-2011-0465  

Debian Bug report logs - #621423


Reported by: Paul Szabo <paul.szabo@sydney.edu.au>

Date: Thu, 7 Apr 2011 01:39:01 UTC

Severity: critical

Tags: security

Found in version x11-xserver-utils/7.3+5

Fixed in versions x11-xserver-utils/7.5+3, x11-xserver-utils/7.3+6, x11-xserver-utils/7.6+2

Done: Cyril Brulebois <kibi@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#621423; Package x11-xserver-utils. (Thu, 07 Apr 2011 01:39:05 GMT)


Acknowledgement sent to Paul Szabo <paul.szabo@sydney.edu.au>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian X Strike Force <debian-x@lists.debian.org>. (Thu, 07 Apr 2011 01:39:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Paul Szabo <paul.szabo@sydney.edu.au>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: /usr/bin/xrdb: xdmcp rogue hostname security
Date: Thu, 07 Apr 2011 11:32:23 +1000
Package: x11-xserver-utils
Version: 7.3+5
Severity: critical
File: /usr/bin/xrdb
Tags: security
Justification: root security hole


About the security bug in xrdb :
  http://security-tracker.debian.org/tracker/CVE-2011-0465
  http://www.ubuntu.com/usn/usn-1107-1
  https://bugs.launchpad.net/ubuntu/+source/x11-xserver-utils/+bug/752315
  http://lists.freedesktop.org/archives/xorg-announce/2011-April/001636.html
  http://cgit.freedesktop.org/xorg/app/xrdb/commit/?id=1027d5df07398c1507fb1fe3a9981aa6b4bc3a56
  http://www.securityfocus.com/bid/47189
As I understand, the result of a breach would be root access on the
server. Debian seems to have flagged this as low priority because xdmcp
is not enabled in default setup; though the issue is exploitable via
dhcp also.

In my environment we use xdmcp for users to log in to our servers.
Could I please have ideas about workaround protection?

I know that gdm uses /etc/hosts.allow and there I added the lines:

ALL : UNKNOWN  : twist /bin/echo 'No name "%n" for address "%a" -\r\n May be DNS failure - Please try again later'
ALL : PARANOID : twist /bin/echo 'Name "%n" and address "%a" mismatch -\r\n May be DNS failure - Please try again later'
gdm : all : allow

However I notice that gdm uses IP address only, not hostname when
evaluating hosts.allow lines, so I wonder about the effectiveness
of this protection.

How would I test whether my setup is vulnerable?

Thanks,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia


-- System Information:
Debian Release: 5.0.8
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-pk04.09-svr (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages x11-xserver-utils depends on:
ii  cpp                         4:4.3.2-2    The GNU C preprocessor (cpp)
ii  libc6                       2.7-18lenny7 GNU C Library: Shared libraries
ii  libice6                     2:1.0.4-1    X11 Inter-Client Exchange library
ii  libsm6                      2:1.0.3-2    X11 Session Management library
ii  libx11-6                    2:1.1.5-2    X11 client-side library
ii  libxau6                     1:1.0.3-3    X11 authorisation library
ii  libxaw7                     2:1.0.4-2    X11 Athena Widget library
ii  libxext6                    2:1.0.4-2    X11 miscellaneous extension librar
ii  libxi6                      2:1.1.4-1    X11 Input extension library
ii  libxmu6                     2:1.0.4-1    X11 miscellaneous utility library
ii  libxmuu1                    2:1.0.4-1    X11 miscellaneous micro-utility li
ii  libxrandr2                  2:1.2.3-1    X11 RandR extension library
ii  libxrender1                 1:0.9.4-2    X Rendering Extension client libra
ii  libxt6                      1:1.0.5-3    X11 toolkit intrinsics library
ii  libxtrap6                   2:1.0.0-5    X11 event trapping extension libra
ii  libxxf86misc1               1:1.0.1-3    X11 XFree86 miscellaneous extensio
ii  libxxf86vm1                 1:1.0.2-1    X11 XFree86 video mode extension l
ii  x11-common                  1:7.3+20     X Window System (X.Org) infrastruc

x11-xserver-utils recommends no packages.

x11-xserver-utils suggests no packages.

-- no debconf information
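The report above describes the bug only in outline: xrdb took the client hostname it learnt from XDMCP (or, on the local side, from DHCP) and spliced it into the cpp command line it ran through a shell, so a hostname carrying shell metacharacters ran commands with the display manager's privileges. The upstream commit linked in the report sanitizes the hostname before use. The program below is an added illustration of that principle and is not code from xrdb, from Debian or from the reporter; the function names, the allowed hostname alphabet and the two hostnames in main() are assumptions and constructed test data for this example. It builds the naive command line, counts the shell metacharacters that reach it, and shows the same hostname after sanitizing.

```c
/*
 * Added illustration for CVE-2011-0465, not code from xrdb or Debian.
 * The safe alphabet, the function names and the hostnames in main() are
 * assumptions / constructed test data for this example only.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed safe alphabet for a hostname that will be placed on a command
 * line: letters, digits, '-', '.', '_' and ':' (IPv6 literals).  Everything
 * else, including shell metacharacters, spaces and control bytes, is
 * rejected rather than escaped. */
static int host_char_ok(unsigned char c)
{
    return isalnum(c) || c == '-' || c == '.' || c == '_' || c == ':';
}

/* Returns 1 if h is non-empty and every byte is in the safe alphabet. */
int hostname_is_clean(const char *h)
{
    if (h == NULL || *h == '\0')
        return 0;
    for (; *h; h++)
        if (!host_char_ok((unsigned char)*h))
            return 0;
    return 1;
}

/* Copies h into out, replacing each byte outside the safe alphabet with
 * '_'.  Returns the number of replaced bytes, or -1 if out is too small
 * to hold the whole hostname plus its terminator. */
int sanitize_hostname(const char *h, char *out, size_t outlen)
{
    size_t n = strlen(h);
    int replaced = 0;
    if (outlen == 0 || n >= outlen)
        return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)h[i];
        if (host_char_ok(c)) {
            out[i] = (char)c;
        } else {
            out[i] = '_';
            replaced++;
        }
    }
    out[n] = '\0';
    return replaced;
}

/* Builds the kind of preprocessor command line a naive implementation
 * would hand to system()/popen(): the hostname lands verbatim after
 * -DCLIENTHOST=.  With sanitize != 0 the hostname is cleaned first.
 * Returns 0 on success, -1 if a buffer is too small. */
int build_cpp_cmdline(const char *hostname, int sanitize,
                      char *out, size_t outlen)
{
    char clean[256];
    const char *host = hostname;
    if (sanitize) {
        if (sanitize_hostname(hostname, clean, sizeof clean) < 0)
            return -1;
        host = clean;
    }
    int len = snprintf(out, outlen, "cpp -DCLIENTHOST=%s", host);
    if (len < 0 || (size_t)len >= outlen)
        return -1;
    return 0;
}

/* Counts bytes in cmd that a POSIX shell treats specially (quoting,
 * substitution, redirection, globbing).  Blanks are not counted because
 * the alphabet above already rejects them.  0 is the property we need
 * before the string is ever handed to a shell. */
int count_shell_metachars(const char *cmd)
{
    static const char meta[] = "`$;|&()<>\n'\"\\*?[]{}~#!";
    int n = 0;
    for (; *cmd; cmd++)
        if (strchr(meta, *cmd))
            n++;
    return n;
}

int main(void)
{
    /* Constructed test data: an ordinary client and a rogue hostname of
     * the kind an XDMCP client or a DHCP server could supply. */
    const char *hosts[] = { "client1.example.org", "evil`id`.example.org" };
    char cmd[512];
    for (int s = 0; s < 2; s++)
        for (size_t i = 0; i < 2; i++) {
            if (build_cpp_cmdline(hosts[i], s, cmd, sizeof cmd) != 0)
                continue;
            printf("%-9s clean=%d metachars=%d  %s\n",
                   s ? "sanitized" : "raw", hostname_is_clean(hosts[i]),
                   count_shell_metachars(cmd), cmd);
        }
    return 0;
}
```

Rejecting on `hostname_is_clean()` is the stricter choice for a service that can simply refuse the session; replacing with `_` keeps a resource database usable for a client whose name is merely odd. Either way the check has to happen before the value is concatenated into a command string, which is what tcp_wrappers rules keyed on the IP address cannot provide.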




Reply sent to Cyril Brulebois <kibi@debian.org>:
You have taken responsibility. (Thu, 07 Apr 2011 02:00:06 GMT)


Notification sent to Paul Szabo <paul.szabo@sydney.edu.au>:
Bug acknowledged by developer. (Thu, 07 Apr 2011 02:00:07 GMT)


Message #10 received at 621423-done@bugs.debian.org:

From: Cyril Brulebois <kibi@debian.org>
To: Paul Szabo <paul.szabo@sydney.edu.au>, 621423-done@bugs.debian.org
Subject: Re: Bug#621423: /usr/bin/xrdb: xdmcp rogue hostname security
Date: Thu, 7 Apr 2011 03:56:32 +0200
Hi Paul,

Paul Szabo <paul.szabo@sydney.edu.au> (07/04/2011):
> Package: x11-xserver-utils
> Version: 7.3+5
> Severity: critical
> File: /usr/bin/xrdb
> Tags: security
> Justification: root security hole

http://lists.debian.org/debian-x/2011/04/msg00196.html
http://lists.debian.org/debian-x/2011/04/msg00197.html
http://lists.debian.org/debian-x/2011/04/msg00198.html

so I'd just advise upgrading packages as soon as they are released (a
DSA is pending).

(And closing the bug since we have fixed versions in the pipes.)

KiBi.

Bug Marked as fixed in versions x11-xserver-utils/7.6+2. Request was from Yves-Alexis Perez <corsac@debian.org> to control@bugs.debian.org. (Thu, 07 Apr 2011 06:00:07 GMT)


Bug Marked as fixed in versions x11-xserver-utils/7.3+6. Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Sun, 10 Apr 2011 01:15:26 GMT)


Bug Marked as fixed in versions x11-xserver-utils/7.5+3. Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Sun, 10 Apr 2011 01:15:27 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 02 Jul 2011 07:34:38 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:04:30 2019; Machine Name: buxtehude
