Block reserved ports with XFree86
Description: | Unprivileged users can black reserved ports by using a high display number which wraps arround the highest possible port (65535) and causes X to listen on a <1023 port. |
Author: | Willy TARREAU <tarreau@AEMIAIF.LIP6.FR> |
Compromise: | Block privileged ports |
Vulnerable Systems: | Those running XFree86 as an X-server. This probably most affects systems like Linux and {Open,Free,Net}BSD. |
Date: | 6 August 1997 |
Date: Wed, 6 Aug 1997 10:14:30 +0200
From: Willy TARREAU <tarreau@AEMIAIF.LIP6.FR>
To: BUGTRAQ@NETSPACE.ORG
Subject: XFREE86 can block reserved ports
Hello, and sorry if it is already known stuff.
XFree86, as any X-server, uses TCP ports 6000 and above to listen to,
waiting for incoming connections. Any user can choose his display number
simply by starting "X :0" or "X :2500" or "X :any_display".
The X server automatically chooses its port by adding the display number to
6000. But as the ports are 16-bits coded, port 65536 equals 0, so displays
59536 to 65535 generate listening sockets on ports 0 to 5999.
And as the X-server runs suid root, any user can use it to block known ports
before a daemon starts using it. For example, it would be possible to use
display 59556 = port 20 to prevent ftp server from transfering data with
remote systems. It is even possible to run a server on any port <= 1023
to disable local rlogin/rsh from the local host.
I have only tested this on XFree86 release 3.3 for Linux ELF, but I think
many other X servers running suid root have the same hole.
I personaly use a display :65290 on a Sparc under SunOS 4.1.4, which equals
port 5754, but as the X server on this system doesn't run suid root, it is
impossible to get use of ports 0-1023.
Last thing: simple method to convert display number to port number:
port = (display + 6000) & 0xFFFF = (display + 6000) if display < 59536
= (display - 59536) if display >= 59536
and now, port to display:
display = (port + 59536) & 0xFFFF = (port + 59536) if port < 6000
= (port - 6000) if port >= 6000
Willy
--
+---------------+------------------------+----------------------------------+
| Willy Tarreau | tarreau@aemiaif.lip6.fr | http://www-miaif.lip6.fr/willy/ |
| Magistere d'Informatique Appliquee de l'Ile de France (MIAIF), promo 97 |
| DEA A.S.I.M.E. | Universite Pierre et Marie Curie (Paris 6), FRANCE |
+-----------------+---------------------------------------------------------+
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
world.
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: