XDMCP Infinite Loop Denial of Service Vulnerability

A programming flaw exists in OpenDis.c file of libX11 that could result in a denial of service against things listening to XDMCP, including xdm. By altering the contents of the server reply packet to a connection establishment request, it is possible to cause an infinite loop in the affected function. Doing this multiple times can cause a denial of service attack.

The flaw stems from the use of the dpy->resource_mask value, received from the network, to control a loop. By passing a mask value of 0, the loop will never end.

lib/X11/OpenDis.c, ~line 373

mask = dpy->resource_mask;
dpy->resource_shift = 0;
while (!(mask & 1)) {
dpy->resource_shift++;
mask = mask >> 1;
}


 

Privacy Statement
Copyright 2010, SecurityFocus