Solaris X Window Font Service (XFS) daemon contains buffer overflow in Dispatch() function

2002-11-25T00:00:00
ID VU:312313
Type cert
Reporter CERT
Modified 2003-05-30T00:00:00

Description

Overview

A remotely exploitable buffer overflow has been discovered in the Solaris X Window Font Service (XFS) daemon (fs.auto).

Description

ISS X-Force released an Advisory today regarding a remotely exploitable buffer overflow in XFS. According to ISS, XFS is installed and running by default on the following operating systems and architectures:

  • Sun Microsystems Solaris 2.5.1 (Sparc/Intel)
  • Sun Microsystems Solaris 2.6 (Sparc/Intel)
  • Sun Microsystems Solaris 7 (Sparc/Intel)
  • Sun Microsystems Solaris 8 (Sparc/Intel)
  • Sun Microsystems Solaris 9 (Sparc)
  • Sun Microsystems Solaris 9 Update 2 (Intel) According to the ISS Advisory, the buffer overflow exists in the fs.auto Dispatch() function. Because this function accepts user supplied data, an attacker can send overly large XFS queries to the XFS service and either cause it to crash or execute arbitrary code with the same privileges as the XFS service (typically nobody).

Impact

A remote attacker can execute arbitrary code with the privileges of the fs.auto daemon (typically nobody) or cause a denial of service by crashing the service.


Solution

Apply a vendor patch when it becomes available.


Ingress Filtering - It may be possible to limit the scope of this vulnerability by applying ingress filtering (blocking access to TCP port 7100 at your network perimeter). Note: You should carefully consider the impact of blocking services that you may be using.

  • Disable XFS Service - To disable the XFS Service, comment out the following line in /etc/inetd.conf (remember to restart inetd after making this change)

fs stream tcp wait nobody /usr/openwin/lib/fs.auto fs


Systems Affected

Vendor| Status| Date Notified| Date Updated
---|---|---|---
Hewlett-Packard Company| | -| 06 Dec 2002
IBM| | -| 11 Dec 2002
Nortel Networks| | -| 17 Dec 2002
OpenBSD| | -| 05 Dec 2002
Sun Microsystems Inc.| | -| 25 Nov 2002
Xerox Corporation| | -| 30 May 2003
XFree86| | -| 05 Dec 2002
Apple Computer Inc.| | -| 26 Nov 2002
Cray Inc.| | -| 26 Nov 2002
Fujitsu| | -| 03 Dec 2002
Microsoft Corporation| | -| 26 Nov 2002
NetBSD| | -| 25 Nov 2002
Red Hat Inc.| | -| 04 Dec 2002
SGI| | -| 04 Dec 2002
SuSE Inc.| | -| 02 Dec 2002
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

References

Credit

ISS X-Force discovered this vulnerability.

This document was written by Ian A Finlay.

Other Information

  • CVE IDs: CAN-2002-1317
  • CERT Advisory: CA-2002-34
  • Date Public: 25 Nov 2002
  • Date First Published: 25 Nov 2002
  • Date Last Updated: 30 May 2003
  • Severity Metric: 28.12
  • Document Revision: 13