ISS X-Force has discovered a vulnerability in the Sun Microsystems implementation of the "X Window Font Service", or "XFS". The XFS service was designed as a component of the X Windows system to establish a common mechanism for exporting font data to all computers on an X Windows network. A buffer overflow vulnerability exists within the XFS service (fs.auto).
Affected Versions:
* Sun Microsystems Solaris 2.5.1 (Sparc/Intel)
* Sun Microsystems Solaris 2.6 (Sparc/Intel)
* Sun Microsystems Solaris 7 (Sparc/Intel)
* Sun Microsystems Solaris 8 (Sparc/Intel)
* Sun Microsystems Solaris 9 (Sparc)
* Sun Microsystems Solaris 9 Update 2 (Intel)
The XFS protocol is used by computers on an X Windows network to share font information. The X Windows system implemented an extensive and scalable font capability. This capability requires that all X Windows clients and servers have a mechanism to access font data, which may be distributed throughout an X Windows network.
Solaris implemented the XFS font server in the daemon, fs.auto. A flaw exists within the fs.auto Dispatch() routine. Adequate bounds-checking is not conducted on user-supplied data within the vulnerable function. This flaw can allow remote attackers to formulate a specific XFS query to either crash the service, or execute arbitrary code under the privilege of the "nobody" user. This privilege level is similar to that of any normal user.
Impact:
Remote attackers can exploit the buffer overflow vulnerability to run arbitrary commands on a target system. Attackers must exploit this vulnerability in conjunction with another attack to gain "root" access, because the fs.auto service does not run with superuser privilege. The Solaris operating system is configured to run the fs.auto service by default. It is bound to a high TCP port, which is normally blocked on perimeter firewalls. Networks that are not filtering high TCP ports, and internal networks are potentially at risk.
Recommendations:
X-Force recommends that administrators disable the fs.auto service unless it is explicitly required. Administrators can disable fs.auto by editing the inetd configuration file (/etc/inetd.conf) and then restarting the inetd process, following the steps below:
1. Comment out the line corresponding to fs.auto. It should read:
Administrators should inspect their network perimeters to ensure that strong packet filtering rules are in place. The XFS protocol uses TCP port 7100. This port should be blocked on all network perimeters.
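The following is an added example, not part of the X-Force advisory: a small POSIX shell audit that reports whether an inetd.conf still has an active fs.auto entry and writes a copy with that entry commented out. The sample inetd.conf it runs on is constructed here, and the daemon paths in it are placeholders rather than the real Solaris entries; restarting inetd afterwards is still a separate step.

```shell
#!/bin/sh
# Added example, not from the advisory: audit an inetd.conf for an active
# fs.auto entry and write a copy with that entry commented out, which is
# the disabling step the advisory describes (inetd must still be restarted).

# Return 0 (true) if the file in arg 1 has an fs.auto entry that is not
# already commented out.
fs_auto_active() {
    grep -v '^[[:space:]]*#' "$1" | grep -q 'fs\.auto'
}

# Copy the file in arg 1 to the path in arg 2, prefixing every active
# fs.auto line with '#'. Lines that are already comments are left as-is
# ('b' with no label skips the rest of the script for that line).
disable_fs_auto() {
    sed -e '/^[[:space:]]*#/b' -e '/fs\.auto/s/^/#/' "$1" > "$2"
}

# Constructed sample inetd.conf; the daemon paths are placeholders, not the
# exact entries found on a real Solaris system.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample /etc/inetd.conf
ftp     stream  tcp     nowait  root    /PLACEHOLDER/in.ftpd   in.ftpd
fs      stream  tcp     wait    nobody  /PLACEHOLDER/fs.auto   fs
EOF
FIXED_CONF=$(mktemp)

if fs_auto_active "$SAMPLE_CONF"; then
    echo "fs.auto is enabled in $SAMPLE_CONF; writing disabled copy to $FIXED_CONF"
    disable_fs_auto "$SAMPLE_CONF" "$FIXED_CONF"
else
    echo "fs.auto is already disabled in $SAMPLE_CONF"
fi
```

On a live system the same functions would be pointed at /etc/inetd.conf and the corrected copy put in place before inetd is restarted.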
Vendor Notification Schedule:
Vendor confirmed patches would be available on 11/25/2002, and has since rescheduled the patch release after the publication of this advisory. Please contact Sun for more information.