X Font Server vulnerabilities
Updated 2/14/03
CAN-2002-1317
Impact
A remote attacker could execute arbitrary code with the
privileges of the nobody user. The impact could be elevated
to root privileges in conjunction with other (typically local)
vulnerabilities.
Background
The fs.auto program is the daemon for the
X Window System font service (xfs). This service allows machines
on an X network to share font data.
fs.auto is started on demand by inetd (from an entry in
/etc/inetd.conf) under the nobody user ID,
and listens on TCP port 7100.
The Problem
11/25/02
A buffer overflow in the font server's Dispatch
routine allows execution of arbitrary code embedded in
data supplied by a remote client. Although this vulnerability alone only
yields code execution with nobody privileges, an
attacker could take complete control of the system by
combining it with a local privilege escalation
vulnerability.
Solaris 9 and earlier, HP-UX 11.22 and earlier, AIX 5.2.0
and earlier, and OpenBSD 2.6 and earlier are affected by
this vulnerability.
Resolution
Apply a vendor fix. See CERT Advisory CA-2002-34 for patch
information specific to your operating system.
If a fix is not available, fs.auto should
be disabled. This can be done by placing a comment character
(#) at the start of the line which begins with fs in the
/etc/inetd.conf file (the path shown is the Solaris one; other
systems place fs.auto elsewhere, but the fs entry is the one to comment out):
#fs stream tcp wait nobody /usr/openwin/lib/fs.auto fs
Then send the inetd process a hangup signal so that it re-reads
its configuration:
kill -HUP pid
where pid is the process ID of the inetd
process. The process ID can be determined using the command
ps -ef. Until inetd re-reads the file it continues to
accept connections on port 7100, so confirm afterwards (for
example with netstat -an) that nothing is listening there.
It is also advisable to deny access to TCP port 7100 at
the firewall or network perimeter.
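The following shell script is an added example, not part of the advisory or of any vendor's tooling. It wraps the steps above (comment out the fs entry, signal inetd, check port 7100) in small helper functions and rehearses the edit on a constructed copy of inetd.conf so that the change can be checked before it is made to the real file as root. The function names, the demo file path and the sample configuration are assumptions made for illustration; the entry format follows the Solaris line quoted above.

```shell
#!/bin/sh
# Added example, not part of the advisory: rehearse the inetd.conf edit on a
# copy, then apply the same helpers to the real file as root. Function names,
# the sample configuration and the demo path are assumptions for illustration.

# Return 0 if FILE still has an active (uncommented) fs entry.
fs_enabled() {
    grep -q '^fs[[:space:]]' "$1"
}

# Comment out every active fs line in FILE, keeping a FILE.bak copy first.
# Only lines whose first field is exactly "fs" are touched, so unrelated
# services (ftp, finger, ...) stay as they are.
disable_fs() {
    cp "$1" "$1.bak" &&
    sed 's/^\(fs[[:space:]]\)/#\1/' "$1.bak" > "$1"
}

# PID of the running inetd, taken from ps -ef as the advisory suggests.
# The [i] in the pattern keeps awk's own command line out of the match;
# xinetd is excluded because it does not read /etc/inetd.conf.
inetd_pid() {
    ps -ef | awk '/[i]netd/ && !/xinetd/ { print $2; exit }'
}

# Make inetd re-read its configuration (needs root on the real host).
restart_inetd() {
    pid=$(inetd_pid)
    [ -n "$pid" ] || { echo "inetd is not running" >&2; return 1; }
    kill -HUP "$pid"
}

# Return 0 if something is still listening on TCP 7100. netstat -an prints
# the local address as *.7100 on Solaris and 0.0.0.0:7100 on Linux, so the
# pattern accepts either separator before the port number.
port_7100_listening() {
    netstat -an 2>/dev/null | grep -E '[.:]7100[[:space:]]' | grep -qi listen
}

# Constructed sample inetd.conf (not a real system file) used to rehearse.
demo_conf="${TMPDIR:-/tmp}/inetd.conf.demo.$$"
cat > "$demo_conf" <<'EOF'
# constructed sample, Solaris layout
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd        in.ftpd
fs      stream  tcp     wait    nobody  /usr/openwin/lib/fs.auto fs
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd     in.fingerd
EOF

disable_fs "$demo_conf"
if fs_enabled "$demo_conf"; then
    echo "fs is still enabled in $demo_conf"
else
    echo "fs disabled in $demo_conf (backup in $demo_conf.bak)"
fi
# On the real host, continue as root with:
#   disable_fs /etc/inetd.conf && restart_inetd
#   port_7100_listening && echo "port 7100 is still open"
```

The sed expression only matches lines whose first field is exactly fs, so a service such as ftp or finger is never commented out by accident, and the .bak copy lets the change be reverted with a single cp. The port check matters because a commented-out entry has no effect until inetd has actually re-read the file.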
Where can I read more about this?
This vulnerability was reported in CERT Advisory CA-2002-34
and Sun Alert 48879.