Block reserved ports with XFree86

Description:Unprivileged users can black reserved ports by using a high display number which wraps arround the highest possible port (65535) and causes X to listen on a <1023 port.
Author:Willy TARREAU <tarreau@AEMIAIF.LIP6.FR>
Compromise:Block privileged ports
Vulnerable Systems:Those running XFree86 as an X-server. This probably most affects systems like Linux and {Open,Free,Net}BSD.
Date:6 August 1997

Date: Wed, 6 Aug 1997 10:14:30 +0200
From: Willy TARREAU <tarreau@AEMIAIF.LIP6.FR>
Subject: XFREE86 can block reserved ports

Hello, and sorry if it is already known stuff.

   XFree86, as any X-server, uses TCP ports 6000 and above to listen to,
waiting for incoming connections. Any user can choose his display number
simply by starting "X :0" or "X :2500" or "X :any_display".
The X server automatically chooses its port by adding the display number to
6000. But as the ports are 16-bits coded, port 65536 equals 0, so displays
59536 to 65535 generate listening sockets on ports 0 to 5999.

And as the X-server runs suid root, any user can use it to block known ports
before a daemon starts using it. For example, it would be possible to use
display 59556 = port 20 to prevent ftp server from transfering data with
remote systems. It is even possible to run a server on any port <= 1023
to disable local rlogin/rsh from the local host.

I have only tested this on XFree86 release 3.3 for Linux ELF, but I think
many other X servers running suid root have the same hole.

I personaly use a display :65290 on a Sparc under SunOS 4.1.4, which equals
port 5754, but as the X server on this system doesn't run suid root, it is
impossible to get use of ports 0-1023.

Last thing: simple method to convert display number to port number:
     port = (display + 6000) & 0xFFFF = (display + 6000)  if display < 59536
                                      = (display - 59536) if display >= 59536

  and now, port to display:
     display = (port + 59536) & 0xFFFF = (port + 59536) if port < 6000
                                       = (port - 6000)  if port >= 6000

| Willy Tarreau | | |
| Magistere d'Informatique Appliquee de l'Ile de France (MIAIF), promo 97   |
| DEA  A.S.I.M.E. |  Universite Pierre et Marie Curie (Paris 6), FRANCE     |

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: