COMMAND

    XFree86

SYSTEMS AFFECTED

    Linux

PROBLEM

    Willy Tarreau found the following.  XFree86, like any X server,
    listens for incoming connections on TCP port 6000 and above.  Any
    user can choose his display number simply by starting "X :0",
    "X :2500" or "X :any_display".  The X server computes its listening
    port by adding the display number to 6000.  But the port is stored
    as a 16-bit value, so the sum wraps modulo 65536 (port 65536 becomes
    port 0): displays 59536 to 65535 therefore produce listening sockets
    on ports 0 to 5999.

    And since the X server runs setuid root, any user can use it to
    occupy a well-known port before the daemon that normally owns it
    starts.  For example, display 59556 maps to port 20 (ftp-data), so
    starting "X :59556" could prevent the ftp server from transferring
    data with remote systems.  It is even possible to occupy ports
    <= 1023 this way and so interfere with local rlogin/rsh from the
    local host, since those clients must bind a reserved source port
    below 1024.

    This has only been tested on XFree86 release 3.3 for Linux ELF, but
    many other X servers that run setuid root may well have the same
    hole.

    Simple method to convert display number to port number:

    port = (display + 6000) & 0xFFFF = (display + 6000)  if display < 59536
                                     = (display - 59536) if display >= 59536

    and the inverse, port number to display number:

    display = (port + 59536) & 0xFFFF = (port + 59536) if port < 6000
                                      = (port - 6000)  if port >= 6000
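    As an added illustration (not part of the original advisory and not
    XFree86's own code), the following C program reproduces the 16-bit
    wrap of the display-to-port computation described above, applies the
    two conversion formulas, and places beside them the bounds check a
    fixed server could use to refuse wrapping displays.  The function
    names, the -1 "rejected" sentinel and the list of sample displays
    are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

#define X_TCP_PORT     6000u   /* base TCP port of an X display */
#define X_DISPLAY_MAX  59535u  /* last display whose port does not wrap */
#define PRIV_PORT_MAX  1023u   /* ports a daemon needs root to bind */

/*
 * The computation the advisory describes: display + 6000 is stored in a
 * 16-bit port field, so any sum above 65535 wraps modulo 65536.
 */
uint16_t display_to_port_wrapped(unsigned long display)
{
    return (uint16_t)((display + X_TCP_PORT) & 0xFFFFu);
}

/* Inverse: the display number that lands on a given TCP port. */
uint16_t port_to_display(unsigned int port)
{
    /* (port - 6000) mod 65536, written as in the advisory's formula */
    return (uint16_t)((port + 59536u) & 0xFFFFu);
}

/*
 * Hardened variant (assumed fix for this example, not XFree86's code):
 * refuse any display whose port would wrap below 6000.
 * Returns the port number, or -1 if the display is rejected.
 */
long display_to_port_checked(unsigned long display)
{
    if (display > X_DISPLAY_MAX)
        return -1;
    return (long)(display + X_TCP_PORT);
}

/* Does this display put the setuid server on a privileged port? */
int lands_on_privileged_port(unsigned long display)
{
    return display_to_port_wrapped(display) <= PRIV_PORT_MAX;
}

int main(void)
{
    /* Constructed sample displays: ordinary ones and ones past the wrap. */
    const unsigned long displays[] = { 0, 1, 2500, 59535, 59536, 59556, 65535 };
    size_t i;

    printf("%8s %8s %8s %s\n", "display", "wrapped", "checked", "privileged");
    for (i = 0; i < sizeof displays / sizeof displays[0]; i++) {
        unsigned long d = displays[i];
        printf("%8lu %8u %8ld %s\n", d,
               (unsigned)display_to_port_wrapped(d),
               display_to_port_checked(d),
               lands_on_privileged_port(d) ? "yes" : "no");
    }
    printf("port 20 is reached from display %u\n",
           (unsigned)port_to_display(20));
    return 0;
}
```

    The "checked" column shows the difference between the two versions:
    every display from 59536 upward is reported as -1 by the bounds
    check, while the wrapped computation silently hands the setuid server
    a port between 0 and 5999.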

SOLUTION

    This is one more reason to remove the setuid bit from the X server:
    xdm starts a local X server just fine without it.  Check the server
    binary with "ls -l" (on a 3.3 install the XF86_* servers under
    /usr/X11R6/bin are installed setuid root) and clear the bit with
    "chmod u-s".