A remotely exploitable buffer overflow has been discovered in the Solaris X Window Font Service (XFS) daemon (fs.auto).
ISS X-Force released an Advisory today regarding a remotely exploitable buffer overflow in XFS. According to ISS, XFS is installed and running by default on the following operating systems and architectures:
* Sun Microsystems Solaris 2.5.1 (Sparc/Intel) * Sun Microsystems Solaris 2.6 (Sparc/Intel) * Sun Microsystems Solaris 7 (Sparc/Intel) * Sun Microsystems Solaris 8 (Sparc/Intel) * Sun Microsystems Solaris 9 (Sparc) * Sun Microsystems Solaris 9 Update 2 (Intel)
According to the ISS Advisory, the buffer overflow exists in the fs.auto
Dispatch() function. Because this function accepts user supplied data, an attacker can send overly large XFS queries to the XFS service and either cause it to crash or execute arbitrary code with the same privileges as the XFS service (typically nobody).
A remote attacker can execute arbitrary code with the privileges of the fs.auto daemon (typically nobody) or cause a denial of service by crashing the service.
Apply a vendor patch when it becomes available.
Ingress Filtering - It may be possible to limit the scope of this vulnerability by applying ingress filtering (blocking access to TCP port 7100 at your network perimeter). Note: You should carefully consider the impact of blocking services that you may be using.
* Disable XFS Service - To disable the XFS Service, comment out the following line in `/etc/inetd.conf` (remember to restart `inetd` after making this change)
fs stream tcp wait nobody /usr/openwin/lib/fs.auto fs
Vendor| Status| Date Notified| Date Updated
Hewlett-Packard Company| | -| 06 Dec 2002
IBM| | -| 11 Dec 2002
Nortel Networks| | -| 17 Dec 2002
OpenBSD| | -| 05 Dec 2002
Sun Microsystems Inc.| | -| 25 Nov 2002
Xerox Corporation| | -| 30 May 2003
XFree86| | -| 05 Dec 2002
Apple Computer Inc.| | -| 26 Nov 2002
Cray Inc.| | -| 26 Nov 2002
Fujitsu| | -| 03 Dec 2002
Microsoft Corporation| | -| 26 Nov 2002
NetBSD| | -| 25 Nov 2002
Red Hat Inc.| | -| 04 Dec 2002
SGI| | -| 04 Dec 2002
SuSE Inc.| | -| 02 Dec 2002
If you are a vendor and your product is affected, let us know.
Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A
ISS X-Force discovered this vulnerability.
This document was written by Ian A Finlay.