Paul Szabo
2011-Apr-07 01:32 UTC
[Secure-testing-team] Bug#621423: /usr/bin/xrdb: xdmcp rogue hostname security
Package: x11-xserver-utils
Version: 7.3+5
Severity: critical
File: /usr/bin/xrdb
Tags: security
Justification: root security hole

About the security bug in xrdb:

  http://security-tracker.debian.org/tracker/CVE-2011-0465
  http://www.ubuntu.com/usn/usn-1107-1
  https://bugs.launchpad.net/ubuntu/+source/x11-xserver-utils/+bug/752315
  http://lists.freedesktop.org/archives/xorg-announce/2011-April/001636.html
  http://cgit.freedesktop.org/xorg/app/xrdb/commit/?id=1027d5df07398c1507fb1fe3a9981aa6b4bc3a56
  http://www.securityfocus.com/bid/47189

As I understand, the result of a breach would be root access on the server.
Debian seems to have flagged this as low priority because xdmcp is not enabled in the default setup, though the issue is exploitable via dhcp also.

In my environment we use xdmcp for users to log in to our servers. Could I please have ideas about workaround protection?

I know that gdm uses /etc/hosts.allow and there I added the lines:

  ALL : UNKNOWN : twist /bin/echo 'No name "%n" for address "%a" -\r\n May be DNS failure - Please try again later'
  ALL : PARANOID : twist /bin/echo 'Name "%n" and address "%a" mismatch -\r\n May be DNS failure - Please try again later'
  gdm : all : allow

However I notice that gdm uses the IP address only, not the hostname, when evaluating hosts.allow lines, so I wonder about the effectiveness of this protection.

How would I test whether my setup is vulnerable?
Thanks, Paul Szabo   psz at maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia

-- System Information:
Debian Release: 5.0.8
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-pk04.09-svr (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages x11-xserver-utils depends on:
ii  cpp            4:4.3.2-2      The GNU C preprocessor (cpp)
ii  libc6          2.7-18lenny7   GNU C Library: Shared libraries
ii  libice6        2:1.0.4-1      X11 Inter-Client Exchange library
ii  libsm6         2:1.0.3-2      X11 Session Management library
ii  libx11-6       2:1.1.5-2      X11 client-side library
ii  libxau6        1:1.0.3-3      X11 authorisation library
ii  libxaw7        2:1.0.4-2      X11 Athena Widget library
ii  libxext6       2:1.0.4-2      X11 miscellaneous extension librar
ii  libxi6         2:1.1.4-1      X11 Input extension library
ii  libxmu6        2:1.0.4-1      X11 miscellaneous utility library
ii  libxmuu1       2:1.0.4-1      X11 miscellaneous micro-utility li
ii  libxrandr2     2:1.2.3-1      X11 RandR extension library
ii  libxrender1    1:0.9.4-2      X Rendering Extension client libra
ii  libxt6         1:1.0.5-3      X11 toolkit intrinsics library
ii  libxtrap6      2:1.0.0-5      X11 event trapping extension libra
ii  libxxf86misc1  1:1.0.1-3      X11 XFree86 miscellaneous extensio
ii  libxxf86vm1    1:1.0.2-1      X11 XFree86 video mode extension l
ii  x11-common     1:7.3+20       X Window System (X.Org) infrastruc

x11-xserver-utils recommends no packages.

x11-xserver-utils suggests no packages.

-- no debconf information
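As an added example, not part of the bug report above and not xrdb's or gdm's own code: the report is about a client-supplied hostname (via xdmcp or dhcp) reaching xrdb unchecked, so one local defensive check is to accept only plain DNS names before such a value is handed to any command line. The Python below implements a conservative allowlist (assumed here to be RFC 1123 letters, digits, dots and hyphens; the exact character set of the upstream fix is not stated on this page) and classifies a set of constructed sample hostnames.

```python
import re

# Conservative allowlist for one DNS label (RFC 1123 style): letters, digits
# and hyphen, no leading or trailing hyphen, 1 to 63 characters.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def is_safe_hostname(name: str) -> bool:
    """Return True only if `name` is a plain DNS hostname.

    Anything else (shell metacharacters, whitespace, quotes, backslashes,
    control characters, empty or over-long names, empty labels) is rejected,
    so a value that fails this check must never reach a shell or cpp.
    """
    if not name or len(name) > 253:
        return False
    # Must be printable ASCII before labels are even examined.
    if not name.isascii() or not name.isprintable():
        return False
    if name.endswith("."):          # allow exactly one trailing dot (FQDN form)
        name = name[:-1]
    return all(_LABEL.fullmatch(label) for label in name.split("."))


def check_hostnames(names):
    """Split a list of hostnames into (accepted, rejected) lists."""
    accepted = [n for n in names if is_safe_hostname(n)]
    rejected = [n for n in names if not is_safe_hostname(n)]
    return accepted, rejected


# Constructed sample values (not real hosts): what a display manager might
# receive as a client's hostname, including malformed and hostile-looking ones.
SAMPLE_HOSTNAMES = [
    "ws12.maths.example.org",
    "ws12",
    "ws12.maths.example.org.",
    "ws12;x",                       # shell metacharacter
    "ws12`x`",                      # command substitution characters
    "ws12 foo",                     # whitespace
    "-bad.example.org",             # leading hyphen in a label
    "a" * 64 + ".example.org",      # label longer than 63 characters
    "",
]

if __name__ == "__main__":
    accepted, rejected = check_hostnames(SAMPLE_HOSTNAMES)
    for n in accepted:
        print("accept:", repr(n))
    for n in rejected:
        print("reject:", repr(n))
```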